Your message dated Wed, 24 Sep 2025 22:06:55 +0000
with message-id <[email protected]>
and subject line Bug#1115848: fixed in nncp 8.12.1-1
has caused the Debian Bug report #1115848,
regarding nncp: CVE-2025-60020: path traversal attack
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1115848: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1115848
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: nncp
Tags: security
Severity: critical
Version: 8.11.0-4+b4

-------------------- Start of forwarded message --------------------
From: Eugene Medvedev <[email protected]>
Subject: NNCP path traversal attack.

As it currently stands, NNCP is vulnerable to path traversal attacks with
freq and file functions: despite the requirement for both to supply a full
path in configuration, both types of packets will accept and act upon paths
containing "..". Most obviously, this allows one to request any file NNCP
has access to, like its own configuration file with the private keys in it.
Likewise, a sent file can break out of the incoming directory in the same
manner and be written anywhere on the system that the user can write to.

The included patch is my take on dealing with this by limiting path
traversal to below the configured full path. It does nothing about, e.g.,
symlinks, and I'm not sure anything should be done about those.

I can't claim to understand the codebase sufficiently to have caught all
the ways this can happen, however.

-- 
Eugene Medvedev

diff -ruN nncp-8.11.0/src/toss.go nncp-8.11.0-patched/src/toss.go
--- nncp-8.11.0/src/toss.go	1970-01-01 03:00:00.000000000 +0300
+++ nncp-8.11.0-patched/src/toss.go	2025-09-18 23:26:07.988137948 +0300
@@ -312,6 +312,17 @@
 			return err
 		}
 		dir := filepath.Join(*incoming, path.Dir(dst))
+		if !strings.HasPrefix(dir, *incoming) {
+			err = errors.New("incoming path traversal")
+			ctx.LogE("rx-traversal", les, err, func(les LEs) string {
+				return fmt.Sprintf(
+					"Tossing file %s/%s (%s): %s: traversal",
+					sender.Name, pktName,
+					humanize.IBytes(pktSize), dst,
+				)
+			})
+			return err
+		}
 		if err = os.MkdirAll(dir, os.FileMode(0777)); err != nil {
 			ctx.LogE("rx-mkdir", les, err, func(les LEs) string {
 				return fmt.Sprintf(
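Review bot: the containment test `if !strings.HasPrefix(dir, *incoming)` is a string prefix match, not a directory boundary check: with `*incoming` set to `/srv/incoming`, a `dst` whose join result is `/srv/incoming-other/...` shares the prefix and passes. Since `filepath.Join` has already cleaned the `..` segments at this point, compare against the cleaned base with a trailing separator, or use `filepath.Rel(*incoming, dir)` and reject a result that is `..` or begins with `../`. The hunk also calls `strings.HasPrefix` and `errors.New` without touching the import block, so confirm toss.go already imports both packages.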
@@ -542,11 +553,26 @@
 			)
 			return err
 		}
+		srcPath := filepath.Join(*freqPath, src)
+		if !strings.HasPrefix(srcPath, *freqPath) {
+			err = errors.New("freqing path traversal")
+			ctx.LogE(
+				"rx-no-freq", les, err,
+				func(les LEs) string {
+					return fmt.Sprintf(
+						"Tossing freq %s/%s (%s): %s -> %s",
+						sender.Name, pktName,
+						humanize.IBytes(pktSize), src, dst,
+					)
+				},
+			)
+			return err
+		}
 		if !opts.DryRun {
 			err = ctx.TxFile(
 				sender,
 				pkt.Nice,
-				filepath.Join(*freqPath, src),
+				srcPath,
 				dst,
 				sender.FreqChunked,
 				sender.FreqMinSize,
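Review bot: the same prefix-only boundary test applies to `if !strings.HasPrefix(srcPath, *freqPath)`, so a sibling directory whose name extends `*freqPath` would still be served; use `filepath.Rel` or a separator-terminated prefix here as well. The rejection is also logged under the existing `"rx-no-freq"` key with a message that does not mention traversal, whereas the first hunk uses a dedicated `"rx-traversal"` key and appends `: traversal`; a distinct key and marker here would let operators distinguish a refused freq from an attempted escape when reviewing logs.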
-------------------- End of forwarded message --------------------

--- End Message ---
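The containment check the report is after, written as an added example in Go by the editor (it is neither the reporter's patch nor NNCP's code); the base directory and the packet-supplied paths are constructed, and `ContainedPath` and `naiveContained` are hypothetical names. It contrasts a `filepath.Rel`-based boundary test with a bare prefix test on the sibling-directory case the latter lets through.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrTraversal is returned when a packet-supplied path would resolve
// outside the configured base directory.
var ErrTraversal = errors.New("path traversal")

// ContainedPath joins a packet-supplied path onto the configured base
// directory and returns the cleaned result, or ErrTraversal when the
// result is not inside base. filepath.Join already resolves ".."
// segments; the Rel check then decides whether the resolved path left
// the base, so "/srv/incoming-other" is correctly treated as outside
// "/srv/incoming" (a bare prefix test would accept it).
func ContainedPath(base, supplied string) (string, error) {
	cleanBase := filepath.Clean(base)
	joined := filepath.Join(cleanBase, supplied)
	rel, err := filepath.Rel(cleanBase, joined)
	if err != nil {
		return "", ErrTraversal
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return joined, nil
}

// naiveContained reproduces a prefix-only boundary test, kept here only
// to show the sibling-directory case it accepts.
func naiveContained(base, supplied string) bool {
	return strings.HasPrefix(filepath.Join(base, supplied), base)
}

func main() {
	base := "/srv/nncp/incoming" // constructed base directory
	// constructed packet-supplied paths: benign, parent escape, sibling escape
	for _, p := range []string{"docs/report.txt", "../../secret.conf", "../incoming-other/x"} {
		got, err := ContainedPath(base, p)
		fmt.Printf("%-22q rel-check: %q %v | naive-prefix accepts: %v\n",
			p, got, err, naiveContained(base, p))
	}
}
```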
--- Begin Message ---
Source: nncp
Source-Version: 8.12.1-1
Done: John Goerzen <[email protected]>

We believe that the bug you reported is fixed in the latest version of
nncp, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
John Goerzen <[email protected]> (supplier of updated nncp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 24 Sep 2025 06:10:30 -0500
Source: nncp
Architecture: source
Version: 8.12.1-1
Distribution: unstable
Urgency: high
Maintainer: Debian Go Packaging Team <[email protected]>
Changed-By: John Goerzen <[email protected]>
Closes: 1098443 1102004 1106326 1114224 1115848
Changes:
 nncp (8.12.1-1) unstable; urgency=high
 .
   * New upstream release.  Fixes CVE-2025-60020.  Closes: #1115848.
   * Updated translation files.  Closes: #1098443, #1102004, #1106326.
   * Updated build-dep on Yggdrasil, fixes FTBFS.  Closes: #1114224.



--- End Message ---
