[ntp:security] [Bug 2938] ntpq saveconfig command allows dangerous characters in filenames

bugzilla-daemon at ntp.org bugzilla-daemon at ntp.org
Mon Oct 12 06:29:32 UTC 2015


http://bugs.ntp.org/show_bug.cgi?id=2938

Juergen Perlinger <perlinger at ntp.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|IN_PROGRESS                 |READY

--- Comment #1 from Juergen Perlinger <perlinger at ntp.org> 2015-10-12 06:29:32 UTC ---
File names for 'saveconfig' must match the regular expression

   [_A-Za-z0-9][-+._A-Za-z0-9]*

to be accepted. This blocks globbing bombs, path traversal and drive selection
(Windows, VMS); while eliminating file names that are valid for a given platform
the permitted subset should be safe to use everywhere.

Also buffers are not only checked for overflows (there were none) but also for
truncation of the resulting string. Truncation could also pose a security
problem if properly exploited, so we better avoid it and fail.

The repo is in
    psp.ntp.org:~perlinger/ntp-stable-2938

*ATTENTION*

These changes supersede the minor fix I made for TALOS-CAN-0062 (Bug 2918) and
will likely cause merge conflicts on the pull. If in doubt, let the changes
from this repo win!

-- 
Configure bugmail: http://bugs.ntp.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
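
The two checks described in Comment #1, sketched as an added example (not code from the ntp repository): an allowlist match for `[_A-Za-z0-9][-+._A-Za-z0-9]*` and a path build that treats truncation as failure. The function names, the `/var/ntp` directory and the sample file names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: first-character class [_A-Za-z0-9] (ASCII assumed;
 * explicit ranges avoid locale-dependent isalnum()). */
static int is_word_char(unsigned char c)
{
    return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
           (c >= '0' && c <= '9') || c == '_';
}

/* Returns 1 if name matches [_A-Za-z0-9][-+._A-Za-z0-9]*, else 0. */
int is_safe_filename(const char *name)
{
    const unsigned char *p = (const unsigned char *)name;

    if (name == NULL || !is_word_char(*p))
        return 0;               /* empty, or leading '.', '-', '+', '/' ... */
    for (++p; *p != '\0'; ++p)
        if (!is_word_char(*p) && *p != '-' && *p != '+' && *p != '.')
            return 0;           /* separators, ':', glob characters, spaces */
    return 1;
}

/* Builds "<dir>/<name>" in out. Returns 0 on success, -1 if the name is
 * rejected or the result would not fit: truncation is a failure. */
int build_save_path(char *out, size_t outlen, const char *dir, const char *name)
{
    int n;

    if (out == NULL || outlen == 0 || dir == NULL || !is_safe_filename(name))
        return -1;
    n = snprintf(out, outlen, "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';          /* never hand back a shortened path */
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample inputs, not taken from the bug report. */
    const char *samples[] = { "ntp.conf.saved", "../etc/passwd", "C:ntp.conf",
                              "*.conf", ".hidden", "a-very-long-file-name.conf" };
    char path[24];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-28s %s\n", samples[i],
               build_save_path(path, sizeof path, "/var/ntp", samples[i]) == 0
                   ? path : "rejected");
    return 0;
}
```

The last sample passes the character check but is still rejected, because the joined path does not fit the 24-byte buffer.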