[Slirp] [PATCH v3] slirp: tftp: restrict relative path access

Peter Maydell peter.maydell at linaro.org
Fri Jan 17 12:19:53 UTC 2020


On Fri, 17 Jan 2020 at 12:16, Philippe Mathieu-Daudé <philmd at redhat.com> wrote:
>
> On Fri, Jan 17, 2020 at 1:11 PM Peter Maydell <peter.maydell at linaro.org> wrote:
> > On Tue, 14 Jan 2020 at 20:42, Samuel Thibault
> > <samuel.thibault at ens-lyon.org> wrote:
> > >
> > > Hello,
> > >
> > > P J P, on Mon 13 Jan 2020 17:44:31 +0530, wrote:
> > > > From: Prasad J Pandit <pjp at fedoraproject.org>
> > > >
> > > > tftp restricts relative or directory path access on Linux systems.
> > > > Apply the same restrictions on Windows systems too. It helps to avoid
> > > > a directory traversal issue.
> > >
> > > Applied, thanks!
> > >
> > > > Fixes: https://bugs.launchpad.net/qemu/+bug/1812451
> > > > Reported-by: Peter Maydell <peter.maydell at linaro.org>
> >
> > You have the reported-by attribution wrong here -- this
> > wasn't reported by me, as you can see from the linked LP bug.
>
> This LP appears as:
>
>   "This page does not exist, or you may not have permission to see it."
>
>   "If you have been to this page before, it is possible it has been removed."
>
> Any idea?

That's because it's been marked "private" as a security bug
(so you need lp admin privileges to see it).
Unfortunately LP has no mechanism for a project to say "we
don't take security bug reports through LP, disable private
bug reports", so there are a handful of them lurking in the
system unseen (because nobody checks there), of which this
tftp bug was one. I just copied the text out of the bug report
and forwarded it to the security email list, but have otherwise
no relationship with it.

thanks
-- PMM

