Version in base suite: 8.8.2-3 Base version: nncp_8.8.2-3 Target version: nncp_8.8.2-3+deb12u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/n/nncp/nncp_8.8.2-3.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/n/nncp/nncp_8.8.2-3+deb12u1.dsc changelog | 8 ++ patches/Prevent-path-traversal-during-freq-file.patch | 68 ++++++++++++++++++ patches/series | 1 3 files changed, 77 insertions(+)
diff -Nru nncp-8.8.2/debian/changelog nncp-8.8.2/debian/changelog
--- nncp-8.8.2/debian/changelog 2023-04-29 15:25:52.000000000 +0000
+++ nncp-8.8.2/debian/changelog 2025-09-24 10:57:55.000000000 +0000
@@ -1,3 +1,11 @@
+nncp (8.8.2-3+deb12u1) bookworm-security; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * Prevent path traversal during freq/file (CVE-2025-60020)
+ (Closes: #1115848)
+
+ -- Salvatore Bonaccorso Wed, 24 Sep 2025 12:57:55 +0200
+
 nncp (8.8.2-3) unstable; urgency=medium
 * Apply upstream bugfix to chunk reassembly.
diff -Nru nncp-8.8.2/debian/patches/Prevent-path-traversal-during-freq-file.patch nncp-8.8.2/debian/patches/Prevent-path-traversal-during-freq-file.patch
--- nncp-8.8.2/debian/patches/Prevent-path-traversal-during-freq-file.patch 1970-01-01 00:00:00.000000000 +0000
+++ nncp-8.8.2/debian/patches/Prevent-path-traversal-during-freq-file.patch 2025-09-24 10:57:55.000000000 +0000
@@ -0,0 +1,68 @@
+From f2df8e3ea21ae25be03fd4dc87a284cc44619dc4 Mon Sep 17 00:00:00 2001
+From: Eugene Medvedev
+Date: Fri, 19 Sep 2025 16:12:18 +0300
+Subject: [PATCH] Prevent path traversal during freq/file
+
+As it currently stands, NNCP is vulnerable to path traversal attacks with
+freq and file functions: Despite the requirement for both to supply full path
+in configuration, both types of packets will accept and act upon paths containing
+"..". Most obviously, this allows one to request any file NNCP has access to,
+like its own configuration file with the private keys in it.
+Likewise, a sent file can break out of the incoming directory in the same manner
+and be written anywhere on the system that the user can write to.
+
+This patch is my take on dealing with this by by limiting path traversal to
+below the configured full path. It does nothing about, e.g., symlinks,
+and I'm not sure anything should be done about those.
+---
+ src/toss.go | 28 +++++++++++++++++++++++++++-
+ 1 file changed, 27 insertions(+), 1 deletion(-)
+
+--- a/src/toss.go
++++ b/src/toss.go
+@@ -273,6 +273,17 @@ func jobProcess(
+ return err
+ }
+ dir := filepath.Join(*incoming, path.Dir(dst))
++ if !strings.HasPrefix(dir, *incoming) {
++ err = errors.New("incoming path traversal")
++ ctx.LogE("rx-traversal", les, err, func(les LEs) string {
++ return fmt.Sprintf(
++ "Tossing file %s/%s (%s): %s: traversal",
++ sender.Name, pktName,
++ humanize.IBytes(pktSize), dst,
++ )
++ })
++ return err
++ }
+ if err = os.MkdirAll(dir, os.FileMode(0777)); err != nil {
+ ctx.LogE("rx-mkdir", les, err, func(les LEs) string {
+ return fmt.Sprintf(
+@@ -503,11 +514,26 @@ func jobProcess(
+ )
+ return err
+ }
++ srcPath := filepath.Join(*freqPath, src)
++ if !strings.HasPrefix(srcPath, *freqPath) {
++ err = errors.New("freqing path traversal")
++ ctx.LogE(
++ "rx-no-freq", les, err,
++ func(les LEs) string {
++ return fmt.Sprintf(
++ "Tossing freq %s/%s (%s): %s -> %s",
++ sender.Name, pktName,
++ 
humanize.IBytes(pktSize), src, dst,
++ )
++ },
++ )
++ return err
++ }
+ if !dryRun {
+ err = ctx.TxFile(
+ sender,
+ pkt.Nice,
+- filepath.Join(*freqPath, src),
++ srcPath,
+ dst,
+ sender.FreqChunked,
+ sender.FreqMinSize,
diff -Nru nncp-8.8.2/debian/patches/series nncp-8.8.2/debian/patches/series
--- nncp-8.8.2/debian/patches/series 2023-04-29 15:20:18.000000000 +0000
+++ nncp-8.8.2/debian/patches/series 2025-09-24 10:57:55.000000000 +0000
@@ -2,3 +2,4 @@
 Fix-config-file-location
 gvisor-20221219.patch
 reass-backport.diff
+Prevent-path-traversal-during-freq-file.patch
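Review bot: The `strings.HasPrefix(dir, *incoming)` guard in the first toss.go hunk, and the matching `strings.HasPrefix(srcPath, *freqPath)` in the second, compare the cleaned result of `filepath.Join` against the raw configured string, so the check is anchored on a character prefix rather than a directory boundary: a cleaned path that lands in a sibling directory whose name merely extends the configured one is accepted, and a configured value carrying a trailing separator makes the legitimate root-of-directory case (`path.Dir(dst)` of `"."`) fail because `Join` strips that separator. Since `Join` already applies `Clean`, anchor on the cleaned base plus a separator, e.g. `base := filepath.Clean(*incoming)` followed by `if dir != base && !strings.HasPrefix(dir, base+string(filepath.Separator)) {`, and the same shape for `*freqPath`/`srcPath`. The second site logs under `"rx-no-freq"`, which from its name looks like the key of the not-found case handled just above, so a traversal attempt is not separable from a missing file in the log stream; `"rx-traversal"` as in the first hunk would keep them distinct. The commit message's caveat that symlinks below the configured directories are not covered still holds after these changes. `jobProcess` starts and ends outside both hunks.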