* [Buildroot] [git commit] package/pure-ftpd: fix CVE-2019-20176
@ 2020-03-01 13:20 Yann E. MORIN
  0 siblings, 0 replies; only message in thread
From: Yann E. MORIN @ 2020-03-01 13:20 UTC (permalink / raw)
  To: buildroot

commit: https://git.buildroot.net/buildroot/commit/?id=cb7ac0c12efc0de259ab1c08b8fb86f4dddf9fe5
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/master

In Pure-FTPd 1.0.49, a stack exhaustion issue was discovered in the
listdir function in ls.c.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
---
 ...uffer-to-store-every-file-name-to-display.patch | 70 ++++++++++++++++++++++
 package/pure-ftpd/pure-ftpd.mk                     |  3 +
 2 files changed, 73 insertions(+)

diff --git a/package/pure-ftpd/0001-listdir-reuse-a-single-buffer-to-store-every-file-name-to-display.patch b/package/pure-ftpd/0001-listdir-reuse-a-single-buffer-to-store-every-file-name-to-display.patch
new file mode 100644
index 0000000000..2f791d1d6e
--- /dev/null
+++ b/package/pure-ftpd/0001-listdir-reuse-a-single-buffer-to-store-every-file-name-to-display.patch
@@ -0,0 +1,70 @@
+From aea56f4bcb9948d456f3fae4d044fd3fa2e19706 Mon Sep 17 00:00:00 2001
+From: Frank Denis <github@pureftpd.org>
+Date: Mon, 30 Dec 2019 17:40:04 +0100
+Subject: [PATCH] listdir(): reuse a single buffer to store every file name to
+ display
+
+Allocating a new buffer for each entry is useless.
+
+And as these buffers are allocated on the stack, on systems with a
+small stack size, with many entries, the limit can easily be reached,
+causing a stack exhaustion and aborting the user session.
+
+Reported by Antonio Morales from the GitHub Security Lab team, thanks!
+[Retrieved from:
+https://github.com/jedisct1/pure-ftpd/commit/aea56f4bcb9948d456f3fae4d044fd3fa2e19706]
+Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+---
+ src/ls.c | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/src/ls.c b/src/ls.c
+index cf804c7..f8a588f 100644
+--- a/src/ls.c
++++ b/src/ls.c
+@@ -661,6 +661,8 @@ static void listdir(unsigned int depth, int f, void * const tls_fd,
+     char *names;
+     PureFileInfo *s;
+     PureFileInfo *r;
++    char *alloca_subdir;
++    size_t sizeof_subdir;
+     int d;
+ 
+     if (depth >= max_ls_depth || matches >= max_ls_files) {
+@@ -690,14 +692,12 @@ static void listdir(unsigned int depth, int f, void * const tls_fd,
+     }
+     outputfiles(f, tls_fd);
+     r = dir;
++    sizeof_subdir = PATH_MAX + 1U;
++    if ((alloca_subdir = ALLOCA(sizeof_subdir)) == NULL) {
++        goto toomany;
++    }
+     while (opt_R && r != s) {
+         if (r->name_offset != (size_t) -1 && !chdir(FI_NAME(r))) {
+-            char *alloca_subdir;
+-            const size_t sizeof_subdir = PATH_MAX + 1U;
+-
+-            if ((alloca_subdir = ALLOCA(sizeof_subdir)) == NULL) {
+-                goto toomany;
+-            }
+             if (SNCHECK(snprintf(alloca_subdir, sizeof_subdir, "%s/%s",
+                                  name, FI_NAME(r)), sizeof_subdir)) {
+                 goto nolist;
+@@ -706,8 +706,8 @@ static void listdir(unsigned int depth, int f, void * const tls_fd,
+             wrstr(f, tls_fd, alloca_subdir);
+             wrstr(f, tls_fd, ":\r\n\r\n");
+             listdir(depth + 1U, f, tls_fd, alloca_subdir);
++
+             nolist:
+-            ALLOCA_FREE(alloca_subdir);
+             if (matches >= max_ls_files) {
+                 goto toomany;
+             }
+@@ -720,6 +720,7 @@ static void listdir(unsigned int depth, int f, void * const tls_fd,
+         r++;
+     }
+     toomany:
++    ALLOCA_FREE(alloca_subdir);
+     free(names);
+     free(dir);
+     names = NULL;
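Review bot: `alloca_subdir` is declared without an initializer at the top of listdir(), yet the `toomany:` label now passes it to `ALLOCA_FREE()`, so a `goto toomany` taken before the `ALLOCA(sizeof_subdir)` assignment would release an indeterminate pointer on any build where ALLOCA_FREE is a real free rather than a no-op. No such early jump is visible in these hunks, but listdir()'s body starts and ends outside them and the lines between the hunks are not shown, so declaring it as `char *alloca_subdir = NULL;` would make the cleanup path safe regardless. Separately, the buffer is now reserved on every listdir() call even when `opt_R` is off, and each recursion level still holds its own `PATH_MAX + 1U` bytes, so stack use is bounded by the `depth >= max_ls_depth` check rather than eliminated. A comment above the allocation would record that, e.g. `/* one buffer per recursion level; depth is capped by max_ls_depth */`.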
diff --git a/package/pure-ftpd/pure-ftpd.mk b/package/pure-ftpd/pure-ftpd.mk
index 2d69efe3f9..3af66a066c 100644
--- a/package/pure-ftpd/pure-ftpd.mk
+++ b/package/pure-ftpd/pure-ftpd.mk
@@ -11,6 +11,9 @@ PURE_FTPD_LICENSE = ISC
 PURE_FTPD_LICENSE_FILES = COPYING
 PURE_FTPD_DEPENDENCIES = $(if $(BR2_PACKAGE_LIBICONV),libiconv)
 
+# 0001-listdir-reuse-a-single-buffer-to-store-every-file-name-to-display.patch
+PURE_FTPD_IGNORE_CVES += CVE-2019-20176
+
 PURE_FTPD_CONF_OPTS = \
 	--with-altlog \
 	--with-puredb
