50 lines
1.5 KiB
Diff
50 lines
1.5 KiB
Diff
Fix CVE-2018-16867:
|
|
|
|
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16867
|
|
https://seclists.org/oss-sec/2018/q4/202
|
|
|
|
Patch copied from upstream source repository:
|
|
|
|
https://git.qemu.org/?p=qemu.git;a=commitdiff;h=c52d46e041b42bb1ee6f692e00a0abe37a9659f6
|
|
|
|
From c52d46e041b42bb1ee6f692e00a0abe37a9659f6 Mon Sep 17 00:00:00 2001
|
|
From: Gerd Hoffmann <kraxel@redhat.com>
|
|
Date: Mon, 3 Dec 2018 11:10:45 +0100
|
|
Subject: [PATCH] usb-mtp: outlaw slashes in filenames
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
Slash is unix directory separator, so they are not allowed in filenames.
|
|
Note this also stops the classic escape via "../".
|
|
|
|
Fixes: CVE-2018-16867
|
|
Reported-by: Michael Hanselmann <public@hansmi.ch>
|
|
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
|
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
|
|
Message-id: 20181203101045.27976-3-kraxel@redhat.com
|
|
---
|
|
hw/usb/dev-mtp.c | 6 ++++++
|
|
1 file changed, 6 insertions(+)
|
|
|
|
diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c
|
|
index 0f6a9702ef1..100b7171f4e 100644
|
|
--- a/hw/usb/dev-mtp.c
|
|
+++ b/hw/usb/dev-mtp.c
|
|
@@ -1719,6 +1719,12 @@ static void usb_mtp_write_metadata(MTPState *s)
|
|
|
|
filename = utf16_to_str(dataset->length, dataset->filename);
|
|
|
|
+ if (strchr(filename, '/')) {
|
|
+ usb_mtp_queue_result(s, RES_PARAMETER_NOT_SUPPORTED, d->trans,
|
|
+ 0, 0, 0, 0);
|
|
+ return;
|
|
+ }
|
|
+
|
|
o = usb_mtp_object_lookup_name(p, filename, dataset->length);
|
|
if (o != NULL) {
|
|
next_handle = o->handle;
|
|
--
|
|
2.19.2
|
|
|