blob: 4381f5bf8bbb3b75ed0cf3bdf70b82e171bd6bfe (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
|
From a7831a16c3e0e1463d5eb08a58af152cb75ca976 Mon Sep 17 00:00:00 2001
From: Yi Zhao <yi.zhao@windriver.com>
Date: Mon, 15 Apr 2019 06:05:58 +0000
Subject: [PATCH] Fix CVE-2019-7282 and CVE-2019-7283
Description: Fix CVE-2018-20685 and CVE-2019-6111
Bug-Debian: https://bugs.debian.org/920486
Origin: https://github.com/openssh/openssh-portable/commit/6010c0303a422a9c5fa8860c061bf7105eb7f8b2#diff-9f340c228413d5a9a9206ea2ed2bc624R1114
Upstream-Status: Backport [Debian]
[https://sources.debian.org/src/netkit-rsh/0.17-20/debian/patches/fix-CVE-2018-20685-and-CVE-2019-6111.patch]
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
rcp/rcp.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/rcp/rcp.c b/rcp/rcp.c
index ca61c18..77d8ff8 100644
--- a/rcp/rcp.c
+++ b/rcp/rcp.c
@@ -740,6 +740,11 @@ sink(int argc, char *argv[])
size = size * 10 + (*cp++ - '0');
if (*cp++ != ' ')
SCREWUP("size not delimited");
+ if (*cp == '\0' || strchr(cp, '/') != NULL ||
+ strcmp(cp, ".") == 0 || strcmp(cp, "..") == 0) {
+ error("error: unexpected filename: %s", cp);
+ exit(1);
+ }
if (targisdir) {
static char *namebuf;
static int cursize;
|
