diff options
author | Pavel Vinogradov | 2018-01-16 12:14:17 -0500 |
---|---|---|
committer | Vlad Glagolev | 2018-02-18 10:38:19 -0500 |
commit | dd4788ab35a94e03c6c7ce3966bf3216a2b884da (patch) | |
tree | 62bc8d845f936440929302646f77aff1b8e78824 | |
parent | dd2ec74a00f3a0afa1505d3b2b861d0dd85b0479 (diff) |
ftp/transmission: SECURITY_PATCH++, the CVE-2018-5702 fix
(cherry picked from commit 12c74710b331ae58b03e0538cfcd3ae16cda3c9c)
-rwxr-xr-x | ftp/transmission/DETAILS | 2 | ||||
-rw-r--r-- | ftp/transmission/HISTORY | 5 | ||||
-rwxr-xr-x | ftp/transmission/PRE_BUILD | 4 | ||||
-rw-r--r-- | ftp/transmission/dns-rebinding.patch | 274 |
4 files changed, 282 insertions, 3 deletions
diff --git a/ftp/transmission/DETAILS b/ftp/transmission/DETAILS index 8109ec667f..ceff8bd33e 100755 --- a/ftp/transmission/DETAILS +++ b/ftp/transmission/DETAILS @@ -1,6 +1,6 @@ SPELL=transmission VERSION=2.92 - SECURITY_PATCH=2 + SECURITY_PATCH=3 SOURCE=$SPELL-$VERSION.tar.xz SOURCE_URL[0]=http://download.transmissionbt.com/files/$SOURCE SOURCE_GPG=gurus.gpg:$SOURCE.sig diff --git a/ftp/transmission/HISTORY b/ftp/transmission/HISTORY index 0c911b457f..bcb9a0b177 100644 --- a/ftp/transmission/HISTORY +++ b/ftp/transmission/HISTORY @@ -1,3 +1,6 @@ +2018-01-16 Pavel Vinogradov <public@sourcemage.org> + * DETAILS, PRE_BUILD, dns-rebinding.patch: SECURITY_PATCH++, (CVE-2018-5702) + 2016-03-07 Pavel Vinogradov <public@sourcemage.org> * DETAILS: updated spell to 2.92 @@ -8,7 +11,7 @@ * DETAILS: updated spell to 2.90 2014-08-19 Treeve Jelbert <treeve@sourcemage.org> - * DEPENDS: openssl => SSL + * DEPENDS: openssl => SSL 2014-07-02 Vlad Glagolev <stealth@sourcemage.org> * DETAILS: updated spell to 2.84; SECURITY_PATCH++ diff --git a/ftp/transmission/PRE_BUILD b/ftp/transmission/PRE_BUILD index 25db3aa711..5d5ee08813 100755 --- a/ftp/transmission/PRE_BUILD +++ b/ftp/transmission/PRE_BUILD @@ -1,4 +1,6 @@ default_pre_build && cd "$SOURCE_DIRECTORY" && -patch -p0 < "$SPELL_DIRECTORY/no-utp.patch" +patch -p0 < "$SPELL_DIRECTORY/no-utp.patch" && + +patch -p1 < "${SPELL_DIRECTORY}/dns-rebinding.patch" diff --git a/ftp/transmission/dns-rebinding.patch b/ftp/transmission/dns-rebinding.patch new file mode 100644 index 0000000000..6a8e3c2ad2 --- /dev/null +++ b/ftp/transmission/dns-rebinding.patch @@ -0,0 +1,274 @@ +diff --git a/libtransmission/quark.c b/libtransmission/quark.c +index 861050057..e19ac9a2f 100644 +--- a/libtransmission/quark.c ++++ b/libtransmission/quark.c +@@ -288,6 +288,8 @@ static struct tr_key_struct const my_static[] = + { "rpc-authentication-required", 27 }, + { "rpc-bind-address", 16 }, + { "rpc-enabled", 11 }, ++ { "rpc-host-whitelist", 18 }, ++ { "rpc-host-whitelist-enabled", 26 }, + { "rpc-password", 12 }, + { "rpc-port", 8 }, + { "rpc-url", 7 }, +diff --git a/libtransmission/quark.h b/libtransmission/quark.h +index d40ab75fa..9dc534560 100644 +--- a/libtransmission/quark.h ++++ b/libtransmission/quark.h +@@ -290,6 +290,8 @@ enum + TR_KEY_rpc_authentication_required, + TR_KEY_rpc_bind_address, + TR_KEY_rpc_enabled, ++ TR_KEY_rpc_host_whitelist, ++ TR_KEY_rpc_host_whitelist_enabled, + TR_KEY_rpc_password, + TR_KEY_rpc_port, + TR_KEY_rpc_url, +diff --git a/libtransmission/rpc-server.c b/libtransmission/rpc-server.c +index 7c78f92ac..c4db2e64c 100644 +--- a/libtransmission/rpc-server.c ++++ b/libtransmission/rpc-server.c +@@ -51,6 +51,7 @@ struct tr_rpc_server + bool isEnabled; + bool isPasswordEnabled; + bool isWhitelistEnabled; ++ bool isHostWhitelistEnabled; + tr_port port; + char * url; + struct in_addr bindAddress; +@@ -62,6 +63,7 @@ struct tr_rpc_server + char * password; + char * whitelistStr; + tr_list * whitelist; ++ tr_list* hostWhitelist; + + char * sessionId; + time_t sessionIdExpiresAt; +@@ -547,6 +549,48 @@ static bool isAddressAllowed(tr_rpc_server const* server, char const* address) + return false; + } + ++static bool isHostnameAllowed(tr_rpc_server const* server, struct evhttp_request* req) ++{ ++ const char *host = evhttp_find_header(req->input_headers, "Host"); ++ char *hostname; ++ ++ // If password auth is enabled, any hostname is permitted. ++ if (server->isPasswordEnabled) ++ return true; ++ ++ // If whitelist is disabled, no restrictions. ++ if (!server->isHostWhitelistEnabled) ++ return true; ++ ++ // No host header, invalid request. ++ if (!host) ++ return false; ++ ++ // Host header might include the port. ++ hostname = tr_strndup(host, strcspn(host, ":")); ++ ++ // localhost or ipaddress is always acceptable. ++ if (strcmp(hostname, "localhost") == 0 ++ || strcmp(hostname, "localhost.") == 0 ++ || tr_addressIsIP(hostname)) ++ { ++ tr_free(hostname); ++ return true; ++ } ++ ++ // Otherwise, hostname must be whitelisted. ++ for (tr_list* l = server->hostWhitelist; l != NULL; l = l->next) { ++ if (tr_wildmat(hostname, l->data)) ++ { ++ tr_free(hostname); ++ return true; ++ } ++ } ++ ++ tr_free(hostname); ++ return false; ++} ++ + static bool + test_session_id (struct tr_rpc_server * server, struct evhttp_request * req) + { +@@ -636,6 +680,22 @@ static void handle_request(struct evhttp_request* req, void* arg) + handle_upload (req, server); + } + #ifdef REQUIRE_SESSION_ID ++ else if (!isHostnameAllowed(server, req)) ++ { ++ char* tmp = tr_strdup_printf( ++ "<p>Transmission received your request, but the hostname was unrecognized.</p>" ++ "<p>To fix this, choose one of the following options:" ++ "<ul>" ++ "<li>Enable password authentication, then any hostname is allowed.</li>" ++ "<li>Add the hostname you want to use to the whitelist in settings.</li>" ++ "</ul></p>" ++ "<p>If you're editing settings.json, see the 'rpc-host-whitelist' and 'rpc-host-whitelist-enabled' entries.</p>" ++ "<p>This requirement has been added to help prevent " ++ "<a href=\"https://en.wikipedia.org/wiki/DNS_rebinding\">DNS Rebinding</a> " ++ "attacks.</p>"); ++ send_simple_response(req, 421, tmp); ++ tr_free(tmp); ++ } + else if (!test_session_id (server, req)) + { + const char * sessionId = get_current_session_id (server); +@@ -647,7 +707,7 @@ static void handle_request(struct evhttp_request* req, void* arg) + "<li> When you get this 409 error message, resend your request with the updated header" + "</ol></p>" + "<p>This requirement has been added to help prevent " +- "<a href=\"http://en.wikipedia.org/wiki/Cross-site_request_forgery\">CSRF</a> " ++ "<a href=\"https://en.wikipedia.org/wiki/Cross-site_request_forgery\">CSRF</a> " + "attacks.</p>" + "<p><code>%s: %s</code></p>", + TR_RPC_SESSION_ID_HEADER, sessionId); +@@ -875,19 +875,13 @@ char const* tr_rpcGetUrl(tr_rpc_server const* server) + return server->url ? server->url : ""; + } + +-void +-tr_rpcSetWhitelist (tr_rpc_server * server, const char * whitelistStr) ++static void tr_rpcSetList(char const* whitelistStr, tr_list** list) + { + void * tmp; + const char * walk; + +- /* keep the string */ +- tmp = server->whitelistStr; +- server->whitelistStr = tr_strdup (whitelistStr); +- tr_free (tmp); +- + /* clear out the old whitelist entries */ +- while ((tmp = tr_list_pop_front (&server->whitelist))) ++ while ((tmp = tr_list_pop_front(list)) != NULL) + tr_free (tmp); + + /* build the new whitelist entries */ +@@ -866,7 +921,7 @@ void tr_rpcSetWhitelist(tr_rpc_server* server, char const* whitelistStr) + const char * delimiters = " ,;"; + const size_t len = strcspn (walk, delimiters); + char * token = tr_strndup (walk, len); +- tr_list_append (&server->whitelist, token); ++ tr_list_append(list, token); + if (strcspn (token, "+-") < len) + tr_logAddNamedInfo (MY_NAME, "Adding address to whitelist: %s (And it has a '+' or '-'! Are you using an old ACL by mistake?)", token); + else +@@ -889,6 +944,22 @@ void tr_rpcSetWhitelist(tr_rpc_server* server, char const* whitelistStr) + } + } + ++void tr_rpcSetHostWhitelist(tr_rpc_server* server, char const* whitelistStr) ++{ ++ tr_rpcSetList(whitelistStr, &server->hostWhitelist); ++} ++ ++void tr_rpcSetWhitelist(tr_rpc_server* server, char const* whitelistStr) ++{ ++ /* keep the string */ ++ char* const tmp = server->whitelistStr; ++ ++ server->whitelistStr = tr_strdup(whitelistStr); ++ tr_free(tmp); ++ ++ tr_rpcSetList(whitelistStr, &server->whitelist); ++} ++ + const char* + tr_rpcGetWhitelist (const tr_rpc_server * server) + { +@@ -904,6 +975,11 @@ bool tr_rpcGetWhitelistEnabled(tr_rpc_server const* server) + return server->isWhitelistEnabled; + } + ++void tr_rpcSetHostWhitelistEnabled(tr_rpc_server* server, bool isEnabled) ++{ ++ server->isHostWhitelistEnabled = isEnabled; ++} ++ + /**** + ***** PASSWORD + ****/ +@@ -1054,6 +1130,28 @@ tr_rpc_server* tr_rpcInit(tr_session* session, tr_variant* settings) + else + tr_rpcSetWhitelistEnabled (s, boolVal); + ++ key = TR_KEY_rpc_host_whitelist_enabled; ++ ++ if (!tr_variantDictFindBool(settings, key, &boolVal)) ++ { ++ missing_settings_key(key); ++ } ++ else ++ { ++ tr_rpcSetHostWhitelistEnabled(s, boolVal); ++ } ++ ++ key = TR_KEY_rpc_host_whitelist; ++ ++ if (!tr_variantDictFindStr(settings, key, &str, NULL) && str != NULL) ++ { ++ missing_settings_key(key); ++ } ++ else ++ { ++ tr_rpcSetHostWhitelist(s, str); ++ } ++ + key = TR_KEY_rpc_authentication_required; + if (!tr_variantDictFindBool (settings, key, &boolVal)) + missing_settings_key (key); +diff --git a/libtransmission/rpc-server.h b/libtransmission/rpc-server.h +index 46e8a871f..ad1eb5204 100644 +--- a/libtransmission/rpc-server.h ++++ b/libtransmission/rpc-server.h +@@ -49,6 +49,10 @@ void tr_rpcSetWhitelist (tr_rpc_server * server, + + const char* tr_rpcGetWhitelist (const tr_rpc_server * server); + ++void tr_rpcSetHostWhitelistEnabled (tr_rpc_server * server, bool isEnabled); ++ ++void tr_rpcSetHostWhitelist (tr_rpc_server * server, char const * whitelist); ++ + void tr_rpcSetPassword (tr_rpc_server * server, + const char * password); + +diff --git a/libtransmission/session.c b/libtransmission/session.c +index 86d054f7f..9a0b7c104 100644 +--- a/libtransmission/session.c ++++ b/libtransmission/session.c +@@ -371,6 +371,8 @@ void tr_sessionGetDefaultSettings(tr_variant* d) + tr_variantDictAddStr (d, TR_KEY_rpc_username, ""); + tr_variantDictAddStr (d, TR_KEY_rpc_whitelist, TR_DEFAULT_RPC_WHITELIST); + tr_variantDictAddBool (d, TR_KEY_rpc_whitelist_enabled, true); ++ tr_variantDictAddStr (d, TR_KEY_rpc_host_whitelist, TR_DEFAULT_RPC_HOST_WHITELIST); ++ tr_variantDictAddBool (d, TR_KEY_rpc_host_whitelist_enabled, true); + tr_variantDictAddInt (d, TR_KEY_rpc_port, atoi (TR_DEFAULT_RPC_PORT_STR)); + tr_variantDictAddStr (d, TR_KEY_rpc_url, TR_DEFAULT_RPC_URL_STR); + tr_variantDictAddBool (d, TR_KEY_scrape_paused_torrents_enabled, true); +diff --git a/libtransmission/transmission.h b/libtransmission/transmission.h +index ac1871adb..08a24eca4 100644 +--- a/libtransmission/transmission.h ++++ b/libtransmission/transmission.h +@@ -109,6 +109,7 @@ char const* tr_getDefaultDownloadDir(void); + #define TR_DEFAULT_BIND_ADDRESS_IPV4 "0.0.0.0" + #define TR_DEFAULT_BIND_ADDRESS_IPV6 "::" + #define TR_DEFAULT_RPC_WHITELIST "127.0.0.1" ++#define TR_DEFAULT_RPC_HOST_WHITELIST "" + #define TR_DEFAULT_RPC_PORT_STR "9091" + #define TR_DEFAULT_RPC_URL_STR "/transmission/" + #define TR_DEFAULT_PEER_PORT_STR "51413" +diff --git a/libtransmission/web.c b/libtransmission/web.c +index cca888b66..a57c85457 100644 +--- a/libtransmission/web.c ++++ b/libtransmission/web.c +@@ -678,6 +678,7 @@ char const* tr_webGetResponseStr(long code) + case 415: return "Unsupported Media Type"; + case 416: return "Requested Range Not Satisfiable"; + case 417: return "Expectation Failed"; ++ case 421: return "Misdirected Request"; + case 500: return "Internal Server Error"; + case 501: return "Not Implemented"; + case 502: return "Bad Gateway"; |