From 4f814f3518dc51deb43aee4e8b11d4dc1cb86361 Mon Sep 17 00:00:00 2001
From: Ying Fang
Date: Fri, 15 May 2020 16:51:37 +0800
Subject: [PATCH] CVE: Fix CVE-2020-7211 backport from upstream: https://gitlab.freedesktop.org/slirp/libslirp/commit/14ec36e107a8c9af7d0a80c3571fe39b291ff1d4
Signed-off-by: Ying Fang
---
 qemu.spec | 2 +
 ...p-tftp-restrict-relative-path-access.patch | 37 +++++++++++++++++++
 2 files changed, 39 insertions(+)
 create mode 100644 slirp-tftp-restrict-relative-path-access.patch
diff --git a/qemu.spec b/qemu.spec
index 84e3065..c6d487b 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -164,6 +164,7 @@ Patch0151: migration-rdma-fix-a-memleak-on-error-path-in-rdma_s.patch
 Patch0152: arm-virt-Support-CPU-cold-plug.patch
 Patch0153: ide-Fix-incorrect-handling-of-some-PRDTs-in-ide_dma_.patch
 Patch0154: ati-vga-Fix-checks-in-ati_2d_blt-to-avoid-crash.patch
+Patch0155: slirp-tftp-restrict-relative-path-access.patch
 BuildRequires: flex
 BuildRequires: bison
@@ -512,6 +513,7 @@ getent passwd qemu >/dev/null || \
 * Fri May 15 2020 Huawei Technologies Co., Ltd.
 - ide: Fix incorrect handling of some PRDTs in ide_dma_cb()
 - ati-vga: Fix checks in ati_2d_blt() to avoid crash
+- slirp: tftp: restrict relative path access
 * Tue May 12 2020 Huawei Technologies Co., Ltd.
 - arm/virt: Support CPU cold plug
diff --git a/slirp-tftp-restrict-relative-path-access.patch b/slirp-tftp-restrict-relative-path-access.patch
new file mode 100644
index 0000000..b7f0946
--- /dev/null
+++ b/slirp-tftp-restrict-relative-path-access.patch
@@ -0,0 +1,37 @@
+From 2fc07f4ce31a2cc9973cfb1c20897c6a4babd8b8 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit
+Date: Fri, 15 May 2020 16:45:28 +0800
+Subject: [PATCH] slirp: tftp: restrict relative path access
+
+tftp restricts relative or directory path access on Linux systems.
+Apply same restrictions on Windows systems too. It helps to avoid
+directory traversal issue.
+
+Fixes: https://bugs.launchpad.net/qemu/+bug/1812451Reported-by: default avatarPeter Maydell
+Signed-off-by: default avatarPrasad J Pandit
+Reviewed-by: Samuel Thibault's avatarSamuel Thibault
+Message-Id: <20200113121431.156708-1-ppandit@redhat.com>
+
+diff --git a/slirp/src/tftp.c b/slirp/src/tftp.c
+index 093c2e06..2b4176cc 100644
+--- a/slirp/src/tftp.c
++++ b/slirp/src/tftp.c
+@@ -344,8 +344,13 @@ static void tftp_handle_rrq(Slirp *slirp, struct sockaddr_storage *srcsas,
+ k += 6; /* skipping octet */
+
+ /* do sanity checks on the filename */
+- if (!strncmp(req_fname, "../", 3) ||
+- req_fname[strlen(req_fname) - 1] == '/' || strstr(req_fname, "/../")) {
++ if (
++#ifdef G_OS_WIN32
++ strstr(req_fname, "..\\") ||
++ req_fname[strlen(req_fname) - 1] == '\\' ||
++#endif
++ strstr(req_fname, "../") ||
++ req_fname[strlen(req_fname) -1] == '/') {
+ tftp_send_error(spt, 2, "Access violation", tp);
+ return;
+ }
+--
+2.23.0
+
--
Gitee
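Review bot: The trailing-separator tests index `req_fname[strlen(req_fname) - 1]`, and the new `G_OS_WIN32` branch adds a second copy of that expression. For an empty name the index wraps and reads the byte before `req_fname`; whether that byte is inside the buffer is decided above this hunk, since the body of tftp_handle_rrq starts and ends outside it. Taking the length once and rejecting the empty case first removes that dependency: `size_t len = strlen(req_fname);` then `if (len == 0 || strstr(req_fname, "../") || req_fname[len - 1] == '/') {`, with the two backslash tests kept under the `#ifdef`. The check is still a substring denylist, so a comment saying it does not verify that the resolved path stays under the TFTP root would help the next reader; comparing a canonicalised path against the prefix would be the sturdier control.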