Version in base suite: 8.11.0-4
Base version: nncp_8.11.0-4
Target version: nncp_8.11.0-4+deb13u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/n/nncp/nncp_8.11.0-4.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/n/nncp/nncp_8.11.0-4+deb13u1.dsc
changelog | 8 +
patches/Prevent-path-traversal-during-freq-file.patch | 73 ++++++++++++++++++
patches/series | 1
3 files changed, 82 insertions(+)
diff -Nru nncp-8.11.0/debian/changelog nncp-8.11.0/debian/changelog
--- nncp-8.11.0/debian/changelog 2025-04-05 17:45:18.000000000 +0000
+++ nncp-8.11.0/debian/changelog 2025-09-24 10:39:13.000000000 +0000
@@ -1,3 +1,11 @@
+nncp (8.11.0-4+deb13u1) trixie-security; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * Prevent path traversal during freq/file (CVE-2025-60020)
+ (Closes: #1115848)
+
+ -- Salvatore Bonaccorso Wed, 24 Sep 2025 12:39:13 +0200
+
 nncp (8.11.0-4) unstable; urgency=medium
 
 * Rebuild against newer yggdrasil for dep on newer quic
diff -Nru nncp-8.11.0/debian/patches/Prevent-path-traversal-during-freq-file.patch nncp-8.11.0/debian/patches/Prevent-path-traversal-during-freq-file.patch
--- nncp-8.11.0/debian/patches/Prevent-path-traversal-during-freq-file.patch 1970-01-01 00:00:00.000000000 +0000
+++ nncp-8.11.0/debian/patches/Prevent-path-traversal-during-freq-file.patch 2025-09-24 10:39:13.000000000 +0000
@@ -0,0 +1,73 @@
+From f2df8e3ea21ae25be03fd4dc87a284cc44619dc4 Mon Sep 17 00:00:00 2001
+From: Eugene Medvedev
+Date: Fri, 19 Sep 2025 16:12:18 +0300
+Subject: [PATCH] Prevent path traversal during freq/file
+
+As it currently stands, NNCP is vulnerable to path traversal attacks with
+freq and file functions: Despite the requirement for both to supply full path
+in configuration, both types of packets will accept and act upon paths containing
+"..". Most obviously, this allows one to request any file NNCP has access to,
+like its own configuration file with the private keys in it.
+Likewise, a sent file can break out of the incoming directory in the same manner
+and be written anywhere on the system that the user can write to.
+
+This patch is my take on dealing with this by by limiting path traversal to
+below the configured full path. It does nothing about, e.g., symlinks,
+and I'm not sure anything should be done about those.
+---
+ src/toss.go | 28 +++++++++++++++++++++++++++-
+ 1 file changed, 27 insertions(+), 1 deletion(-)
+
+diff --git a/src/toss.go b/src/toss.go
+index 0ea4098c7540..4d3ceecd22d7 100644
+--- a/src/toss.go
++++ b/src/toss.go
+@@ -312,6 +312,17 @@ func jobProcess(
+ return err
+ }
+ dir := filepath.Join(*incoming, path.Dir(dst))
++ if !strings.HasPrefix(dir, *incoming) {
++ err = errors.New("incoming path traversal")
++ ctx.LogE("rx-traversal", les, err, func(les LEs) string {
++ return fmt.Sprintf(
++ "Tossing file %s/%s (%s): %s: traversal",
++ sender.Name, pktName,
++ humanize.IBytes(pktSize), dst,
++ )
++ })
++ return err
++ }
+ if err = os.MkdirAll(dir, os.FileMode(0777)); err != nil {
+ ctx.LogE("rx-mkdir", les, err, func(les LEs) string {
+ return fmt.Sprintf(
+@@ -542,11 +553,26 @@ func jobProcess(
+ )
+ return err
+ }
++ srcPath := filepath.Join(*freqPath, src)
++ if !strings.HasPrefix(srcPath, *freqPath) {
++ err = errors.New("freqing path traversal")
++ ctx.LogE(
++ "rx-no-freq", les, err,
++ func(les LEs) string {
++ return fmt.Sprintf(
++ "Tossing freq %s/%s (%s): %s -> %s",
++ sender.Name, pktName,
++ humanize.IBytes(pktSize), src, dst,
++ )
++ },
++ )
++ return err
++ }
+ if !opts.DryRun {
+ err = ctx.TxFile(
+ sender,
+ pkt.Nice,
+- filepath.Join(*freqPath, src),
++ srcPath,
+ dst,
+ sender.FreqChunked,
+ sender.FreqMinSize,
+-- 
+2.51.0
+
diff -Nru nncp-8.11.0/debian/patches/series nncp-8.11.0/debian/patches/series
--- nncp-8.11.0/debian/patches/series 2024-09-09 12:53:40.000000000 +0000
+++ nncp-8.11.0/debian/patches/series 2025-09-24 10:39:13.000000000 +0000
@@ -1,2 +1,3 @@
 Fix-texi-direntry
 Fix-config-file-location
+Prevent-path-traversal-during-freq-file.patch
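Review bot: The new `strings.HasPrefix(srcPath, *freqPath)` guard in the second hunk (and the matching `strings.HasPrefix(dir, *incoming)` guard in the first) compares bare string prefixes with no separator, so a cleaned path that lands in a sibling directory whose name merely extends the configured root still passes: with `*freqPath` = `/srv/freq`, a `src` of `../freq-private/x` joins to `/srv/freq-private/x`, which has that prefix. The reverse failure also exists, since `filepath.Join` returns a cleaned path while the root is compared raw, so a configured root with a trailing or doubled separator would reject every request. I would clean the root once and accept only equality or root-plus-separator: `root := filepath.Clean(*freqPath)`, `srcPath := filepath.Join(root, src)`, `if srcPath != root && !strings.HasPrefix(srcPath, root+string(filepath.Separator)) {`, and give the `dir`/`*incoming` check the same shape. If the supported Go floor permits it, `filepath.IsLocal(src)` (Go 1.20+) is the standard-library test for exactly this lexical containment; symlinks stay out of scope as the commit message already says. jobProcess begins and ends outside both hunks.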