From: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Date: Sat, 28 Mar 2020 09:00:42 +0000 (+0100)
Subject: package/pure-ftpd: fix CVE-2020-9274
X-Git-Url: https://git.libre-soc.org/?a=commitdiff_plain;h=1d8426b32cb030888cbd3d8abdc2b4dc70e987c8;p=buildroot.git

package/pure-ftpd: fix CVE-2020-9274

An issue was discovered in Pure-FTPd 1.0.49. An uninitialized pointer
vulnerability has been detected in the diraliases linked list. When the
*lookup_alias(const char alias) or print_aliases(void) function is
called, they fail to correctly detect the end of the linked list and try
to access a non-existent list member. This is related to init_aliases in
diraliases.c.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
---

diff --git a/package/pure-ftpd/0003-diraliases-always-set-the-tail-of-the-list-to-NULL.patch b/package/pure-ftpd/0003-diraliases-always-set-the-tail-of-the-list-to-NULL.patch
new file mode 100644
index 0000000000..6c58eb74ae
--- /dev/null
+++ b/package/pure-ftpd/0003-diraliases-always-set-the-tail-of-the-list-to-NULL.patch
@@ -0,0 +1,35 @@
+From 8d0d42542e2cb7a56d645fbe4d0ef436e38bcefa Mon Sep 17 00:00:00 2001
+From: Frank Denis <github@pureftpd.org>
+Date: Tue, 18 Feb 2020 18:36:58 +0100
+Subject: [PATCH] diraliases: always set the tail of the list to NULL
+
+Spotted and reported by Antonio Norales from GitHub Security Labs.
+Thanks!
+
+Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+[Retrieved from:
+https://github.com/jedisct1/pure-ftpd/commit/8d0d42542e2cb7a56d645fbe4d0ef436e38bcefa]
+---
+ src/diraliases.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/diraliases.c b/src/diraliases.c
+index 4002a36..fb70273 100644
+--- a/src/diraliases.c
++++ b/src/diraliases.c
+@@ -93,7 +93,6 @@ int init_aliases(void)
+                 (tail->dir = strdup(dir)) == NULL) {
+                 die_mem();
+             }
+-            tail->next = NULL;
+         } else {
+             DirAlias *curr;
+ 
+@@ -105,6 +104,7 @@ int init_aliases(void)
+             tail->next = curr;
+             tail = curr;
+         }
++        tail->next = NULL;
+     }
+     fclose(fp);
+     aliases_up++;
diff --git a/package/pure-ftpd/pure-ftpd.mk b/package/pure-ftpd/pure-ftpd.mk
index 0ef9a35250..7b7c7d9637 100644
--- a/package/pure-ftpd/pure-ftpd.mk
+++ b/package/pure-ftpd/pure-ftpd.mk
@@ -17,6 +17,9 @@ PURE_FTPD_IGNORE_CVES += CVE-2019-20176
 # 0002-pure_strcmp-len-s2-can-be-len-s1.patch
 PURE_FTPD_IGNORE_CVES += CVE-2020-9365
 
+# 0003-diraliases-always-set-the-tail-of-the-list-to-NULL.patch
+PURE_FTPD_IGNORE_CVES += CVE-2020-9274
+
 PURE_FTPD_CONF_OPTS = \
 	--with-altlog \
 	--with-puredb