17328869 problem in UTILITY/NMAP
authorStefan Teleman <stefan.teleman@oracle.com>
Wed, 21 Aug 2013 00:01:40 -0700
changeset 1448 3288b0639de6
parent 1447 70f310fd9b7e
child 1449 d430caca2495
17328869 problem in UTILITY/NMAP
components/nmap/Makefile
components/nmap/patches/nmap-6.25-cve-2013-4885.patch
--- a/components/nmap/Makefile	Tue Aug 20 01:14:34 2013 -0700
+++ b/components/nmap/Makefile	Wed Aug 21 00:01:40 2013 -0700
@@ -20,7 +20,7 @@
 #
 
 #
-# Copyright (c) 2011, 2012, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2011, 2013, Oracle and/or its affiliates. All rights reserved.
 #
 
 include ../../make-rules/shared-macros.mk
@@ -42,6 +42,8 @@
 # Can't use the Studio compilers as they don't support the GNU 
 # __attribute__ extension
 COMPILER =	gcc
+CC = /usr/gcc/4.7/bin/gcc
+CXX = /usr/gcc/4.7/bin/g++
 
 COMPONENT_PRE_CONFIGURE_ACTION = \
 	($(CLONEY) $(SOURCE_DIR) $(@D))
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/nmap/patches/nmap-6.25-cve-2013-4885.patch	Wed Aug 21 00:01:40 2013 -0700
@@ -0,0 +1,161 @@
+# http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=14;bug=719289
+# Index: scripts/http-domino-enum-passwords.nse
+# ===================================================================
+--- nmap-6.25/scripts/http-domino-enum-passwords.nse	(revision 31575)
++++ nmap-6.25/scripts/http-domino-enum-passwords.nse	(revision 31576)
[email protected]@ -315,9 +315,10 @@
+ 				http_response = http.get( vhost or host, port, u_details.idfile, { auth = { username = user, password = pass }, no_cache = true })	
+ 
+ 				if ( http_response.status == 200 ) then
+-					local status, err = saveIDFile( ("%s/%s.id"):format(download_path, u_details.fullname), http_response.body )
++					local filename = download_path .. "/" .. stdnse.filename_escape(u_details.fullname .. ".id")
++					local status, err = saveIDFile( filename, http_response.body )
+ 					if ( status ) then
+-						table.insert( id_files, ("%s ID File has been downloaded (%s/%s.id)"):format(u_details.fullname, download_path, u_details.fullname) )
++						table.insert( id_files, ("%s ID File has been downloaded (%s)"):format(u_details.fullname, filename) )
+ 					else
+ 						table.insert( id_files, ("%s ID File was not saved (error: %s)"):format(u_details.fullname, err ) )
+ 					end
+# Index: scripts/stuxnet-detect.nse
+# ===================================================================
+--- nmap-6.25/scripts/stuxnet-detect.nse	(revision 31575)
++++ nmap-6.25/scripts/stuxnet-detect.nse	(revision 31576)
[email protected]@ -81,7 +81,7 @@
+ 
+ 		fmt = save:gsub("%%h", host.ip)
+ 		fmt = fmt:gsub("%%v", version)
+-		file = io.open(fmt, "w")
++		file = io.open(stdnse.filename_escape(fmt), "w")
+ 		if file then
+ 			stdnse.print_debug(1, "Wrote %d bytes to file %s.", #result.arguments, fmt)
+ 			file:write(result.arguments)
+# Index: scripts/http-config-backup.nse
+# ===================================================================
+--- nmap-6.25/scripts/http-config-backup.nse	(revision 31575)
++++ nmap-6.25/scripts/http-config-backup.nse	(revision 31576)
[email protected]@ -209,7 +209,7 @@
+       if (response.status == 200) then
+         -- check it if is valid before inserting
+         if cfg.check(response.body) then
+-          local filename = ((host.targetname or host.ip) .. url_path):gsub("/", "-");
++          local filename = stdnse.escape_filename((host.targetname or host.ip) .. url_path)
+ 
+           -- save the content
+           if save then
+# Index: scripts/hostmap-bfk.nse
+# ===================================================================
+--- nmap-6.25/scripts/hostmap-bfk.nse	(revision 31575)
++++ nmap-6.25/scripts/hostmap-bfk.nse	(revision 31576)
[email protected]@ -68,7 +68,7 @@
+ 
+ local HOSTMAP_SERVER = "www.bfk.de"
+ 
+-local filename_escape, write_file
++local write_file
+ 
+ hostrule = function(host)
+   return not ipOps.isPrivate(host.ip)
[email protected]@ -106,7 +106,7 @@
+ 
+   local filename_prefix = stdnse.get_script_args("hostmap-bfk.prefix")
+   if filename_prefix then
+-    local filename = filename_prefix .. filename_escape(host.targetname or host.ip)
++    local filename = filename_prefix .. stdnse.filename_escape(host.targetname or host.ip)
+     local status, err = write_file(filename, hostnames_str .. "\n")
+     if status then
+       output_tab.filename = filename
[email protected]@ -118,13 +118,6 @@
+   return output_tab
+ end
+ 
+--- Escape some potentially unsafe characters in a string meant to be a filename.
+-function filename_escape(s)
+-  return string.gsub(s, "[\0/=]", function(c)
+-    return string.format("=%02X", string.byte(c))
+-  end)
+-end
+-
+ function write_file(filename, contents)
+   local f, err = io.open(filename, "w")
+   if not f then
+# Index: scripts/domino-enum-users.nse
+# ===================================================================
+--- nmap-6.25/scripts/domino-enum-users.nse	(revision 31575)
++++ nmap-6.25/scripts/domino-enum-users.nse	(revision 31576)
[email protected]@ -103,7 +103,7 @@
+ 		helper:disconnect()
+ 		
+ 		if ( status and data and path ) then
+-			local filename = ("%s/%s.id"):format(path, username )
++			local filename = path .. "/" .. stdnse.filename_escape(u_details.fullname .. ".id")
+ 			local status, err = saveIDFile( filename, data )
+ 			
+ 			if ( status ) then
+# Index: scripts/ms-sql-dump-hashes.nse
+# ===================================================================
+--- nmap-6.25/scripts/ms-sql-dump-hashes.nse	(revision 31575)
++++ nmap-6.25/scripts/ms-sql-dump-hashes.nse	(revision 31576)
[email protected]@ -119,7 +119,7 @@
+ 				local filename
+ 				if ( dir ) then
+ 					local instance = instance:GetName():match("%\\+(.+)$") or instance:GetName()
+-					filename = ("%s/%s_%s_ms-sql_hashes.txt"):format(dir, host.ip, instance)
++					filename = dir .. "/" .. stdnse.filename_escape(("%s_%s_ms-sql_hashes.txt"):format(host.ip, instance))
+ 					saveToFile(filename, instanceOutput[1])
+ 				end				
+ 			end
+# Index: scripts/snmp-ios-config.nse
+# ===================================================================
+--- nmap-6.25/scripts/snmp-ios-config.nse	(revision 31575)
++++ nmap-6.25/scripts/snmp-ios-config.nse	(revision 31576)
[email protected]@ -184,7 +184,7 @@
+ 			result = ( infile and infile:getContent() )
+ 			
+ 			if ( tftproot ) then
+-				local fname = tftproot .. host.ip .. "-config"
++				local fname = tftproot .. stdnse.filename_escape(host.ip .. "-config")
+ 				local file, err = io.open(fname, "w")
+ 				if ( file ) then
+ 					file:write(result)
+# Index: nselib/stdnse.lua
+# ===================================================================
+--- nmap-6.25/nselib/stdnse.lua	(revision 31575)
++++ nmap-6.25/nselib/stdnse.lua	(revision 31576)
[email protected]@ -1195,4 +1195,36 @@
+   return aux(obj, "")
+ end
+ 
++-- This pattern must match the percent sign '%' since it is used in
++-- escaping.
++local FILESYSTEM_UNSAFE = "[^a-zA-Z0-9._-]"
++---
++-- Escape a string to remove bytes and strings that may have meaning to
++-- a filesystem, such as slashes. All bytes are escaped, except for:
++-- * alphabetic <code>a</code>-<code>z</code> and <code>A</code>-<code>Z</code>, digits 0-9, <code>.</code> <code>_</code> <code>-</code>
++-- In addition, the strings <code>"."</code> and <code>".."</code> have
++-- their characters escaped.
++--
++-- Bytes are escaped by a percent sign followed by the two-digit
++-- hexadecimal representation of the byte value.
++-- * <code>filename_escape("filename.ext") --> "filename.ext"</code>
++-- * <code>filename_escape("input/output") --> "input%2foutput"</code>
++-- * <code>filename_escape(".") --> "%2e"</code>
++-- * <code>filename_escape("..") --> "%2e%2e"</code>
++-- This escaping is somewhat like that of JavaScript
++-- <code>encodeURIComponent</code>, except that fewer bytes are
++-- whitelisted, and it works on bytes, not Unicode characters or UTF-16
++-- code points.
++function filename_escape(s)
++  if s == "." then
++    return "%2e"
++  elseif s == ".." then
++    return "%2e%2e"
++  else
++    return (string.gsub(s, FILESYSTEM_UNSAFE, function (c)
++      return string.format("%%%02x", string.byte(c))
++    end))
++  end
++end
++
+ return _ENV;
+