SUSE:SLE-12-SP2:Update
File CVE-2019-25018.patch of Package krb5-appl
From 23e5a95fd3683c9e3662650822596ddd5dd5a3bc Mon Sep 17 00:00:00 2001 From: Samuel Cabrero <scabrero@suse.de> Date: Mon, 11 Jan 2021 12:34:34 +0100 Subject: [PATCH 1/2] CVE-2019-25018 In the rcp client in MIT krb5-appl through 1.0.3 malicious servers could bypass intended access restrictions via the filename of . or an empty filename, similar to CVE-2018-20685 and CVE-2019-7282. The impact is modifying the permissions of the target directory on the client side. Disallow empty incoming filename or ones that refer to the current directory. Related to CVE-2018-20685 (openssh) and CVE-2019-7282 (netkit-rsh). Signed-off-by: Samuel Cabrero <scabrero@suse.de> --- bsd/krcp.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/bsd/krcp.c b/bsd/krcp.c index c2232a5..d56b40c 100644 --- a/bsd/krcp.c +++ b/bsd/krcp.c @@ -1017,6 +1017,11 @@ void sink(argc, argv) size = size * 10 + (*cp++ - '0'); if (*cp++ != ' ') SCREWUP("size not delimited"); + if (*cp == '\0' || strchr(cp, '/') != NULL || + strcmp(cp, ".") == 0 || strcmp(cp, "..") == 0) { + error("Unexpected filename: %s\n", cp); + exit(1); + } if (targisdir) { if(strlen(targ) + strlen(cp) + 2 >= sizeof(nambuf)) SCREWUP("target name too long"); -- 2.30.0
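Review bot: In the check added to sink() in bsd/krcp.c, `error("Unexpected filename: %s\n", cp);` prints the name exactly as the server sent it, and that string is the untrusted input this patch is guarding against. Consider escaping non-printable bytes before printing it, or leaving the name out of the message, so a hostile server cannot write control sequences to the user's terminal through the error path. Two smaller points: the neighbouring checks in this hunk report protocol violations with SCREWUP(...), while the new branch calls error() followed by exit(1), so a short comment on why a hard exit is wanted here would help the next reader. The commit message describes rejecting empty names and names that refer to the current directory, but the condition also rejects ".." and any name containing '/'; the message should say so, since those are the cases that keep a received name from resolving outside the target directory.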