* [Buildroot] [PATCH 1/2] package/pure-ftpd: fix CVE-2019-20176
From: Fabrice Fontaine @ 2020-02-29 20:34 UTC (permalink / raw)
To: buildroot
In Pure-FTPd 1.0.49, a stack exhaustion issue was discovered in the
listdir function in ls.c.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
...-to-store-every-file-name-to-display.patch | 70 +++++++++++++++++++
package/pure-ftpd/pure-ftpd.mk | 3 +
2 files changed, 73 insertions(+)
create mode 100644 package/pure-ftpd/0001-listdir-reuse-a-single-buffer-to-store-every-file-name-to-display.patch
diff --git a/package/pure-ftpd/0001-listdir-reuse-a-single-buffer-to-store-every-file-name-to-display.patch b/package/pure-ftpd/0001-listdir-reuse-a-single-buffer-to-store-every-file-name-to-display.patch
new file mode 100644
index 0000000000..2f791d1d6e
--- /dev/null
+++ b/package/pure-ftpd/0001-listdir-reuse-a-single-buffer-to-store-every-file-name-to-display.patch
@@ -0,0 +1,70 @@
+From aea56f4bcb9948d456f3fae4d044fd3fa2e19706 Mon Sep 17 00:00:00 2001
+From: Frank Denis <github@pureftpd.org>
+Date: Mon, 30 Dec 2019 17:40:04 +0100
+Subject: [PATCH] listdir(): reuse a single buffer to store every file name to
+ display
+
+Allocating a new buffer for each entry is useless.
+
+And as these buffers are allocated on the stack, on systems with a
+small stack size, with many entries, the limit can easily be reached,
+causing a stack exhaustion and aborting the user session.
+
+Reported by Antonio Morales from the GitHub Security Lab team, thanks!
+[Retrieved from:
+https://github.com/jedisct1/pure-ftpd/commit/aea56f4bcb9948d456f3fae4d044fd3fa2e19706]
+Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+---
+ src/ls.c | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/src/ls.c b/src/ls.c
+index cf804c7..f8a588f 100644
+--- a/src/ls.c
++++ b/src/ls.c
+@@ -661,6 +661,8 @@ static void listdir(unsigned int depth, int f, void * const tls_fd,
+ char *names;
+ PureFileInfo *s;
+ PureFileInfo *r;
++ char *alloca_subdir;
++ size_t sizeof_subdir;
+ int d;
+
+ if (depth >= max_ls_depth || matches >= max_ls_files) {
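Review bot: hoisting `char *alloca_subdir;` and `size_t sizeof_subdir;` to function scope leaves both uninitialised until the assignment in the next hunk, while the `toomany:` label now unconditionally runs `ALLOCA_FREE(alloca_subdir)`; any `goto toomany` taken before that assignment would free an indeterminate pointer. The early check `if (depth >= max_ls_depth || matches >= max_ls_files) {` at the end of this hunk is the obvious candidate and its body is not visible here, so either confirm it returns rather than jumping to `toomany`, or declare `char *alloca_subdir = NULL;` so every path to the label is well-defined.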
+@@ -690,14 +692,12 @@ static void listdir(unsigned int depth, int f, void * const tls_fd,
+ }
+ outputfiles(f, tls_fd);
+ r = dir;
++ sizeof_subdir = PATH_MAX + 1U;
++ if ((alloca_subdir = ALLOCA(sizeof_subdir)) == NULL) {
++ goto toomany;
++ }
+ while (opt_R && r != s) {
+ if (r->name_offset != (size_t) -1 && !chdir(FI_NAME(r))) {
+- char *alloca_subdir;
+- const size_t sizeof_subdir = PATH_MAX + 1U;
+-
+- if ((alloca_subdir = ALLOCA(sizeof_subdir)) == NULL) {
+- goto toomany;
+- }
+ if (SNCHECK(snprintf(alloca_subdir, sizeof_subdir, "%s/%s",
+ name, FI_NAME(r)), sizeof_subdir)) {
+ goto nolist;
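Review bot: the single allocation before the loop is the actual fix (one `PATH_MAX + 1U` buffer per recursion level instead of one per directory entry, so stack consumption is bounded by `max_ls_depth` rather than by the number of entries in the listed tree), but the failure path `if ((alloca_subdir = ALLOCA(sizeof_subdir)) == NULL) { goto toomany; }` now lands on a label that calls `ALLOCA_FREE(alloca_subdir)` with a NULL pointer; check that the `ALLOCA_FREE` macro tolerates NULL in both its `alloca` and its `malloc` fallback form. The buffer is also now allocated even when `opt_R` is false and the `while (opt_R && r != s)` loop never runs; guarding the allocation with `if (opt_R)` would avoid that cost on the common non-recursive listing.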
+@@ -706,8 +706,8 @@ static void listdir(unsigned int depth, int f, void * const tls_fd,
+ wrstr(f, tls_fd, alloca_subdir);
+ wrstr(f, tls_fd, ":\r\n\r\n");
+ listdir(depth + 1U, f, tls_fd, alloca_subdir);
++
+ nolist:
+- ALLOCA_FREE(alloca_subdir);
+ if (matches >= max_ls_files) {
+ goto toomany;
+ }
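Review bot: the only added line in this hunk, the empty `+` line after `listdir(depth + 1U, f, tls_fd, alloca_subdir);`, is a stray blank line that should be dropped to keep the change minimal. Moving the `ALLOCA_FREE` out of `nolist:` is otherwise sound: the buffer now survives across iterations, and the `SNCHECK(snprintf(alloca_subdir, sizeof_subdir, ...))` in the previous hunk guarantees each entry fully overwrites the previous path with a NUL-terminated string, so no stale content is reused.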
+@@ -720,6 +720,7 @@ static void listdir(unsigned int depth, int f, void * const tls_fd,
+ r++;
+ }
+ toomany:
++ ALLOCA_FREE(alloca_subdir);
+ free(names);
+ free(dir);
+ names = NULL;
diff --git a/package/pure-ftpd/pure-ftpd.mk b/package/pure-ftpd/pure-ftpd.mk
index 2d69efe3f9..3af66a066c 100644
--- a/package/pure-ftpd/pure-ftpd.mk
+++ b/package/pure-ftpd/pure-ftpd.mk
@@ -11,6 +11,9 @@ PURE_FTPD_LICENSE = ISC
PURE_FTPD_LICENSE_FILES = COPYING
PURE_FTPD_DEPENDENCIES = $(if $(BR2_PACKAGE_LIBICONV),libiconv)
+# 0001-listdir-reuse-a-single-buffer-to-store-every-file-name-to-display.patch
+PURE_FTPD_IGNORE_CVES += CVE-2019-20176
+
PURE_FTPD_CONF_OPTS = \
--with-altlog \
--with-puredb
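Review bot: the `PURE_FTPD_IGNORE_CVES += CVE-2019-20176` line tells Buildroot's CVE checker the package is not affected, which is only true while the backported patch is applied; add a short reminder in the comment above it, or in the commit message, that both the patch file and this line must be removed at the next version bump that includes upstream commit aea56f4b, otherwise a bump could silently suppress a real finding.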
--
2.25.0
* [Buildroot] [PATCH 2/2] package/pure-ftpd: fix CVE-2020-9365
From: Fabrice Fontaine @ 2020-02-29 20:34 UTC (permalink / raw)
To: buildroot
An issue was discovered in Pure-FTPd 1.0.49. An out-of-bounds (OOB) read
has been detected in the pure_strcmp function in utils.c.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
...002-pure_strcmp-len-s2-can-be-len-s1.patch | 30 +++++++++++++++++++
package/pure-ftpd/pure-ftpd.mk | 3 ++
2 files changed, 33 insertions(+)
create mode 100644 package/pure-ftpd/0002-pure_strcmp-len-s2-can-be-len-s1.patch
diff --git a/package/pure-ftpd/0002-pure_strcmp-len-s2-can-be-len-s1.patch b/package/pure-ftpd/0002-pure_strcmp-len-s2-can-be-len-s1.patch
new file mode 100644
index 0000000000..3de3cbd2c8
--- /dev/null
+++ b/package/pure-ftpd/0002-pure_strcmp-len-s2-can-be-len-s1.patch
@@ -0,0 +1,30 @@
+From 36c6d268cb190282a2c17106acfd31863121b58e Mon Sep 17 00:00:00 2001
+From: Frank Denis <github@pureftpd.org>
+Date: Mon, 24 Feb 2020 15:19:43 +0100
+Subject: [PATCH] pure_strcmp(): len(s2) can be > len(s1)
+
+Reported by Antonio Morales from GitHub Security Labs, thanks!
+[Retrieved from:
+https://github.com/jedisct1/pure-ftpd/commit/36c6d268cb190282a2c17106acfd31863121b]
+Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+---
+ src/utils.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
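Review bot: the `[Retrieved from:` URL on the line `+https://github.com/jedisct1/pure-ftpd/commit/36c6d268cb190282a2c17106acfd31863121b]` is cut short; the `From` line of this same header gives the full hash `36c6d268cb190282a2c17106acfd31863121b58e`, so the URL should end in `...121b58e` to match the first patch, which quotes the full commit id.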
+diff --git a/src/utils.c b/src/utils.c
+index f41492d..a7f0381 100644
+--- a/src/utils.c
++++ b/src/utils.c
+@@ -45,5 +45,11 @@ int pure_memcmp(const void * const b1_, const void * const b2_, size_t len)
+
+ int pure_strcmp(const char * const s1, const char * const s2)
+ {
+- return pure_memcmp(s1, s2, strlen(s1) + 1U);
++ const size_t s1_len = strlen(s1);
++ const size_t s2_len = strlen(s2);
++
++ if (s1_len != s2_len) {
++ return -1;
++ }
++ return pure_memcmp(s1, s2, s1_len);
+ }
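Review bot: returning `-1` whenever `s1_len != s2_len` changes the contract from a three-way comparison to an equality test (unequal lengths no longer report ordering), so confirm every caller only checks `pure_strcmp(...) == 0`. If `pure_memcmp` is the constant-time comparison its name suggests, the early return also makes the timing depend on whether the two lengths match; that is acceptable when the compared lengths are not secret, but it deserves a comment in the code. The bounds issue itself is fixed correctly: the old `return pure_memcmp(s1, s2, strlen(s1) + 1U);` read `strlen(s1) + 1` bytes of `s2` regardless of its length, whereas the new code only touches `s1_len` bytes after establishing that both strings are that long.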
diff --git a/package/pure-ftpd/pure-ftpd.mk b/package/pure-ftpd/pure-ftpd.mk
index 3af66a066c..0ef9a35250 100644
--- a/package/pure-ftpd/pure-ftpd.mk
+++ b/package/pure-ftpd/pure-ftpd.mk
@@ -14,6 +14,9 @@ PURE_FTPD_DEPENDENCIES = $(if $(BR2_PACKAGE_LIBICONV),libiconv)
# 0001-listdir-reuse-a-single-buffer-to-store-every-file-name-to-display.patch
PURE_FTPD_IGNORE_CVES += CVE-2019-20176
+# 0002-pure_strcmp-len-s2-can-be-len-s1.patch
+PURE_FTPD_IGNORE_CVES += CVE-2020-9365
+
PURE_FTPD_CONF_OPTS = \
--with-altlog \
--with-puredb
--
2.25.0
* [Buildroot] [PATCH 1/2] package/pure-ftpd: fix CVE-2019-20176
From: Yann E. MORIN @ 2020-03-01 13:21 UTC (permalink / raw)
To: buildroot
Fabrice, All,
On 2020-02-29 21:34 +0100, Fabrice Fontaine spake thusly:
> In Pure-FTPd 1.0.49, a stack exhaustion issue was discovered in the
> listdir function in ls.c.
>
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Series applied to master, thanks.
Regards,
Yann E. MORIN.
> ---
> ...-to-store-every-file-name-to-display.patch | 70 +++++++++++++++++++
> package/pure-ftpd/pure-ftpd.mk | 3 +
> 2 files changed, 73 insertions(+)
> create mode 100644 package/pure-ftpd/0001-listdir-reuse-a-single-buffer-to-store-every-file-name-to-display.patch
>
> diff --git a/package/pure-ftpd/0001-listdir-reuse-a-single-buffer-to-store-every-file-name-to-display.patch b/package/pure-ftpd/0001-listdir-reuse-a-single-buffer-to-store-every-file-name-to-display.patch
> new file mode 100644
> index 0000000000..2f791d1d6e
> --- /dev/null
> +++ b/package/pure-ftpd/0001-listdir-reuse-a-single-buffer-to-store-every-file-name-to-display.patch
> @@ -0,0 +1,70 @@
> +From aea56f4bcb9948d456f3fae4d044fd3fa2e19706 Mon Sep 17 00:00:00 2001
> +From: Frank Denis <github@pureftpd.org>
> +Date: Mon, 30 Dec 2019 17:40:04 +0100
> +Subject: [PATCH] listdir(): reuse a single buffer to store every file name to
> + display
> +
> +Allocating a new buffer for each entry is useless.
> +
> +And as these buffers are allocated on the stack, on systems with a
> +small stack size, with many entries, the limit can easily be reached,
> +causing a stack exhaustion and aborting the user session.
> +
> +Reported by Antonio Morales from the GitHub Security Lab team, thanks!
> +[Retrieved from:
> +https://github.com/jedisct1/pure-ftpd/commit/aea56f4bcb9948d456f3fae4d044fd3fa2e19706]
> +Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> +---
> + src/ls.c | 15 ++++++++-------
> + 1 file changed, 8 insertions(+), 7 deletions(-)
> +
> +diff --git a/src/ls.c b/src/ls.c
> +index cf804c7..f8a588f 100644
> +--- a/src/ls.c
> ++++ b/src/ls.c
> +@@ -661,6 +661,8 @@ static void listdir(unsigned int depth, int f, void * const tls_fd,
> + char *names;
> + PureFileInfo *s;
> + PureFileInfo *r;
> ++ char *alloca_subdir;
> ++ size_t sizeof_subdir;
> + int d;
> +
> + if (depth >= max_ls_depth || matches >= max_ls_files) {
> +@@ -690,14 +692,12 @@ static void listdir(unsigned int depth, int f, void * const tls_fd,
> + }
> + outputfiles(f, tls_fd);
> + r = dir;
> ++ sizeof_subdir = PATH_MAX + 1U;
> ++ if ((alloca_subdir = ALLOCA(sizeof_subdir)) == NULL) {
> ++ goto toomany;
> ++ }
> + while (opt_R && r != s) {
> + if (r->name_offset != (size_t) -1 && !chdir(FI_NAME(r))) {
> +- char *alloca_subdir;
> +- const size_t sizeof_subdir = PATH_MAX + 1U;
> +-
> +- if ((alloca_subdir = ALLOCA(sizeof_subdir)) == NULL) {
> +- goto toomany;
> +- }
> + if (SNCHECK(snprintf(alloca_subdir, sizeof_subdir, "%s/%s",
> + name, FI_NAME(r)), sizeof_subdir)) {
> + goto nolist;
> +@@ -706,8 +706,8 @@ static void listdir(unsigned int depth, int f, void * const tls_fd,
> + wrstr(f, tls_fd, alloca_subdir);
> + wrstr(f, tls_fd, ":\r\n\r\n");
> + listdir(depth + 1U, f, tls_fd, alloca_subdir);
> ++
> + nolist:
> +- ALLOCA_FREE(alloca_subdir);
> + if (matches >= max_ls_files) {
> + goto toomany;
> + }
> +@@ -720,6 +720,7 @@ static void listdir(unsigned int depth, int f, void * const tls_fd,
> + r++;
> + }
> + toomany:
> ++ ALLOCA_FREE(alloca_subdir);
> + free(names);
> + free(dir);
> + names = NULL;
> diff --git a/package/pure-ftpd/pure-ftpd.mk b/package/pure-ftpd/pure-ftpd.mk
> index 2d69efe3f9..3af66a066c 100644
> --- a/package/pure-ftpd/pure-ftpd.mk
> +++ b/package/pure-ftpd/pure-ftpd.mk
> @@ -11,6 +11,9 @@ PURE_FTPD_LICENSE = ISC
> PURE_FTPD_LICENSE_FILES = COPYING
> PURE_FTPD_DEPENDENCIES = $(if $(BR2_PACKAGE_LIBICONV),libiconv)
>
> +# 0001-listdir-reuse-a-single-buffer-to-store-every-file-name-to-display.patch
> +PURE_FTPD_IGNORE_CVES += CVE-2019-20176
> +
> PURE_FTPD_CONF_OPTS = \
> --with-altlog \
> --with-puredb
> --
> 2.25.0
>
> _______________________________________________
> buildroot mailing list
> buildroot at busybox.net
> http://lists.busybox.net/mailman/listinfo/buildroot
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'
* [Buildroot] [PATCH 1/2] package/pure-ftpd: fix CVE-2019-20176
From: Peter Korsgaard @ 2020-03-14 18:33 UTC (permalink / raw)
To: buildroot
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:
> In Pure-FTPd 1.0.49, a stack exhaustion issue was discovered in the
> listdir function in ls.c.
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Committed to 2019.02.x and 2019.11.x, thanks.
--
Bye, Peter Korsgaard