Your message dated Sun, 28 Sep 2025 12:51:28 +0000
with message-id <[email protected]>
and subject line Bug#1115848: fixed in nncp 8.8.2-3+deb12u1
has caused the Debian Bug report #1115848,
regarding nncp: CVE-2025-60020: path traversal attack
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1115848: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1115848
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: nncp
Tags: security
Severity: critical
Version: 8.11.0-4+b4

-------------------- Start of forwarded message --------------------
From: Eugene Medvedev <[email protected]>
Subject: NNCP path traversal attack.

As it currently stands, NNCP is vulnerable to path traversal attacks with
freq and file functions: despite the requirement for both to supply a full path
in configuration, both types of packets will accept and act upon paths
containing "..". Most obviously, this allows one to request any file NNCP has
access to, like its own configuration file with the private keys in it.
Likewise, a sent file can break out of the incoming directory in the same manner
and be written anywhere on the system that the user can write to.

The included patch is my take on dealing with this by limiting path traversal
to below the configured full path. It does nothing about, e.g., symlinks,
and I'm not sure anything should be done about those.

I can't claim to understand the codebase sufficiently to have caught all the
ways this can happen, however.

-- 
Eugene Medvedev

diff -ruN nncp-8.11.0/src/toss.go nncp-8.11.0-patched/src/toss.go
--- nncp-8.11.0/src/toss.go	1970-01-01 03:00:00.000000000 +0300
+++ nncp-8.11.0-patched/src/toss.go	2025-09-18 23:26:07.988137948 +0300
@@ -312,6 +312,17 @@
 			return err
 		}
 		dir := filepath.Join(*incoming, path.Dir(dst))
+		if !strings.HasPrefix(dir, *incoming) {
+			err = errors.New("incoming path traversal")
+			ctx.LogE("rx-traversal", les, err, func(les LEs) string {
+				return fmt.Sprintf(
+					"Tossing file %s/%s (%s): %s: traversal",
+					sender.Name, pktName,
+					humanize.IBytes(pktSize), dst,
+				)
+			})
+			return err
+		}
 		if err = os.MkdirAll(dir, os.FileMode(0777)); err != nil {
 			ctx.LogE("rx-mkdir", les, err, func(les LEs) string {
 				return fmt.Sprintf(
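Review bot: the containment check `if !strings.HasPrefix(dir, *incoming)` still passes for a sibling directory whose name merely begins with the incoming path, because `filepath.Join` collapses the `..` segments before the comparison (a `dst` that resolves to `<incoming>-other/x` has `<incoming>` as a plain string prefix). Compare against `*incoming` terminated by `filepath.Separator`, or check that `filepath.Rel(*incoming, dir)` does not start with `..`, and make sure `*incoming` is cleaned and absolute so both sides are in the same lexical form. The hunk also relies on the `strings` and `errors` packages without showing an import change; confirm toss.go already imports both, otherwise the patch does not build.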
@@ -542,11 +553,26 @@
 			)
 			return err
 		}
+		srcPath := filepath.Join(*freqPath, src)
+		if !strings.HasPrefix(srcPath, *freqPath) {
+			err = errors.New("freqing path traversal")
+			ctx.LogE(
+				"rx-no-freq", les, err,
+				func(les LEs) string {
+					return fmt.Sprintf(
+						"Tossing freq %s/%s (%s): %s -> %s",
+						sender.Name, pktName,
+						humanize.IBytes(pktSize), src, dst,
+					)
+				},
+			)
+			return err
+		}
 		if !opts.DryRun {
 			err = ctx.TxFile(
 				sender,
 				pkt.Nice,
-				filepath.Join(*freqPath, src),
+				srcPath,
 				dst,
 				sender.FreqChunked,
 				sender.FreqMinSize,
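Review bot: the same prefix weakness as in the file hunk applies to `if !strings.HasPrefix(srcPath, *freqPath)`: a path that resolves to a sibling of `*freqPath` sharing its string prefix is accepted, so use a separator-terminated prefix or a `filepath.Rel` check here too. Passing the already-checked `srcPath` into `ctx.TxFile` is the right shape, since the path that is validated is the one acted on. On the logging side, the label `"rx-no-freq"` is reused for this new condition and the message `"Tossing freq %s/%s (%s): %s -> %s"` never says traversal; if `rx-no-freq` elsewhere means "freq not enabled for this node", a dedicated label such as `rx-traversal` (as the first hunk uses) with a message naming traversal keeps the two findings distinguishable in logs.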
-------------------- End of forwarded message --------------------

--- End Message ---
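As an added illustration of the containment check the report describes, not code from the bug report, the attached patch, or NNCP itself: the hypothetical helpers `NaivePrefixCheck` and `SecureJoin` below contrast a bare string-prefix test with a lexical check built on `filepath.Rel`, which rejects both `..` escapes and the sibling-directory case (`<base>-other`) that a prefix test lets through. The base directory and packet paths are constructed sample values; like the patch, the check does not resolve symlinks.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrTraversal is returned when a packet-supplied path would escape its base.
var ErrTraversal = errors.New("path traversal")

// NaivePrefixCheck (hypothetical helper, added for comparison) is the bare
// string-prefix test. It is fooled by a sibling directory whose name starts
// with base, because filepath.Join collapses ".." before the comparison.
func NaivePrefixCheck(base, rel string) bool {
	return strings.HasPrefix(filepath.Join(base, rel), base)
}

// SecureJoin (hypothetical helper, not part of NNCP) joins rel under base and
// refuses any result that lies outside base. The check is purely lexical:
// symlinks inside base are not followed, matching the report's caveat.
func SecureJoin(base, rel string) (string, error) {
	absBase, err := filepath.Abs(base) // Abs also cleans the path
	if err != nil {
		return "", err
	}
	// Join cleans the result, so any ".." segments are already collapsed here.
	joined := filepath.Join(absBase, rel)
	// Rel yields a path beginning with ".." exactly when joined is not under absBase.
	r, err := filepath.Rel(absBase, joined)
	if err != nil {
		return "", err
	}
	if r == ".." || strings.HasPrefix(r, ".."+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return joined, nil
}

func main() {
	// Constructed sample: an incoming directory and three packet-supplied paths.
	base := "/srv/nncp/incoming"
	for _, rel := range []string{"alice/report.txt", "../incoming-other/x", "../../outside"} {
		p, err := SecureJoin(base, rel)
		fmt.Printf("%-22q naive=%-5v secure=%q err=%v\n", rel, NaivePrefixCheck(base, rel), p, err)
	}
}
```

The second sample path is the instructive one: `NaivePrefixCheck` reports it as contained because `/srv/nncp/incoming-other/x` starts with `/srv/nncp/incoming`, while `SecureJoin` rejects it. Callers should then use the returned, cleaned path for every subsequent `MkdirAll`, write or read so that the validated path is the one acted on.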
--- Begin Message ---
Source: nncp
Source-Version: 8.8.2-3+deb12u1
Done: Salvatore Bonaccorso <[email protected]>

We believe that the bug you reported is fixed in the latest version of
nncp, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated nncp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 24 Sep 2025 12:57:55 +0200
Source: nncp
Architecture: source
Version: 8.8.2-3+deb12u1
Distribution: bookworm-security
Urgency: high
Maintainer: Debian Go Packaging Team <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Closes: 1115848
Changes:
 nncp (8.8.2-3+deb12u1) bookworm-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Prevent path traversal during freq/file (CVE-2025-60020)
     (Closes: #1115848)
Checksums-Sha1:
 50499508d6e115792ebea46b80e2bd82d5255973 2821 nncp_8.8.2-3+deb12u1.dsc
 c4273d677a17c178096d3ed1098ff91b61e76ee3 172196 nncp_8.8.2.orig.tar.xz
 a357ecd58aadd2b69a1f2df22df1f8dba14e5e90 8692 nncp_8.8.2-3+deb12u1.debian.tar.xz
 3b6c7cb9e0a11371f82add83ee71f0e3a9d4d621 6147 nncp_8.8.2-3+deb12u1_source.buildinfo
Checksums-Sha256:
 7f71930be53ccae0bd6a6fe76742203619c2578ee553807780e24e5b1a24a198 2821 nncp_8.8.2-3+deb12u1.dsc
 5224e46647a88cbe3d89fc3e7b9f3d3988feed6916debe65569808a88ffa23cc 172196 nncp_8.8.2.orig.tar.xz
 c8b139b2c146492639df59bb8a23fda8f7e9c3eb4c9706f0090203e1079ce4c7 8692 nncp_8.8.2-3+deb12u1.debian.tar.xz
 053bcfb5610c03e52b0b0f4e1191c828e6918ae93fedb25e4077b11519585416 6147 nncp_8.8.2-3+deb12u1_source.buildinfo
Files:
 e037999ea6a53f7f77ff8863edd5f026 2821 golang optional nncp_8.8.2-3+deb12u1.dsc
 095d09010c69348ac76c430cc43e5be3 172196 golang optional nncp_8.8.2.orig.tar.xz
 93ab01236ee926b5708c88218b5d0e95 8692 golang optional nncp_8.8.2-3+deb12u1.debian.tar.xz
 da1ce2292a21d830f1f0fa30937544aa 6147 golang optional nncp_8.8.2-3+deb12u1_source.buildinfo



--- End Message ---