Description: Fix symlink directory traversal.

 Do not allow symlinks that traverse the current directoru, nor absolute

 symlinks.

 .

 Fixes CVE-2015-0556.

Author: Guillem Jover <guillem@debian.org>

Origin: vendor

Bug-Debian: https://bugs.debian.org/774434

Forwarded: no

Last-Update: 2015-03-28

---

 uxspec.c |   54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++

 1 file changed, 54 insertions(+)

--- a/uxspec.c

+++ b/uxspec.c

@@ -120,6 +120,58 @@ int query_uxspecial(char FAR **dest, cha

 }

 #endif

+#if TARGET==UNIX

+static int is_link_traversal(const char *name)

+{

+  enum {

+    STATE_NONE,

+    STATE_DOTS,

+    STATE_NAME,

+  } state = STATE_NONE;

+  int ndir = 0;

+  int dots = 0;

+

+  while(*name) {

+    int c = *name++;

+

+    if (c == '/')

+    {

+      if ((state == STATE_DOTS) && (dots == 2))

+        ndir--;

+      if (ndir < 0)

+        return 1;

+      if ((state == STATE_DOTS && dots == 1) && ndir == 0)

+        return 1;

+      if (state == STATE_NONE && ndir == 0)

+        return 1;

+      if ((state == STATE_DOTS) && (dots > 2))

+        ndir++;

+      state = STATE_NONE;

+      dots = 0;

+    }

+    else if (c == '.')

+    {

+      if (state == STATE_NONE)

+        state = STATE_DOTS;

+      dots++;

+    }

+    else

+    {

+      if (state == STATE_NONE)

+        ndir++;

+      state = STATE_NAME;

+    }

+  }

+

+  if ((state == STATE_DOTS) && (dots == 2))

+    ndir--;

+  if ((state == STATE_DOTS) && (dots > 2))

+    ndir++;

+

+  return ndir < 0;

+}

+#endif

+

 /* Restores the UNIX special file data */

 int set_uxspecial(char FAR *storage, char *name)

@@ -156,6 +208,8 @@ int set_uxspecial(char FAR *storage, cha

      l=sizeof(tmp_name)-1;

     far_memmove((char FAR *)tmp_name, dptr, l);

     tmp_name[l]='\0';

+    if (is_link_traversal(tmp_name))

+      return(UXSPEC_RC_ERROR);

     rc=(id==UXSB_HLNK)?link(tmp_name, name):symlink(tmp_name, name);

     if(!rc)

      return(0);