Your message dated Mon, 13 Oct 2025 18:20:36 +0000
with message-id <[email protected]>
and subject line Bug#1115848: fixed in nncp 8.11.0-4+deb13u1
has caused the Debian Bug report #1115848,
regarding nncp: CVE-2025-60020: path traversal attack
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1115848: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1115848
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: nncp
Tags: security
Severity: critical
Version: 8.11.0-4+b4

-------------------- Start of forwarded message --------------------
From: Eugene Medvedev <[email protected]>
Subject: NNCP path traversal attack.

As it currently stands, NNCP is vulnerable to path traversal attacks with
freq and file functions: despite the requirement for both to supply a full path
in configuration, both types of packets will accept and act upon paths containing
"..". Most obviously, this allows one to request any file NNCP has access to,
like its own configuration file with the private keys in it.
Likewise, a sent file can break out of the incoming directory in the same manner
and be written anywhere on the system that the user can write to.

The included patch is my take on dealing with this by limiting path traversal to
below the configured full path. It does nothing about, e.g., symlinks,
and I'm not sure anything should be done about those.

I can't claim to understand the codebase sufficiently to have caught all the ways
this can happen, however.

-- 
Eugene Medvedev

diff -ruN nncp-8.11.0/src/toss.go nncp-8.11.0-patched/src/toss.go
--- nncp-8.11.0/src/toss.go	1970-01-01 03:00:00.000000000 +0300
+++ nncp-8.11.0-patched/src/toss.go	2025-09-18 23:26:07.988137948 +0300
@@ -312,6 +312,17 @@
 			return err
 		}
 		dir := filepath.Join(*incoming, path.Dir(dst))
+		if !strings.HasPrefix(dir, *incoming) {
+			err = errors.New("incoming path traversal")
+			ctx.LogE("rx-traversal", les, err, func(les LEs) string {
+				return fmt.Sprintf(
+					"Tossing file %s/%s (%s): %s: traversal",
+					sender.Name, pktName,
+					humanize.IBytes(pktSize), dst,
+				)
+			})
+			return err
+		}
 		if err = os.MkdirAll(dir, os.FileMode(0777)); err != nil {
 			ctx.LogE("rx-mkdir", les, err, func(les LEs) string {
 				return fmt.Sprintf(
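Review bot: the containment test `if !strings.HasPrefix(dir, *incoming)` is a plain string-prefix comparison with no separator boundary, so with `*incoming` set to `/var/nncp/incoming` a `dst` of `../incoming-evil/x` joins to `/var/nncp/incoming-evil/x` and passes; conversely, an `*incoming` configured with a trailing slash makes the cleaned `dir` for a top-level `dst` fail it. Prefer `filepath.Rel`, e.g. `rel, err := filepath.Rel(*incoming, dir)` and reject when `err != nil || rel == ".." || strings.HasPrefix(rel, "../")`. Only `dir` (derived from `path.Dir(dst)`) is validated here; the final file path built from `dst` is outside this hunk, so confirm it cannot reintroduce an escape. The hunk also relies on `strings` and `errors` being imported in toss.go without adding them, which should be checked.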
@@ -542,11 +553,26 @@
 			)
 			return err
 		}
+		srcPath := filepath.Join(*freqPath, src)
+		if !strings.HasPrefix(srcPath, *freqPath) {
+			err = errors.New("freqing path traversal")
+			ctx.LogE(
+				"rx-no-freq", les, err,
+				func(les LEs) string {
+					return fmt.Sprintf(
+						"Tossing freq %s/%s (%s): %s -> %s",
+						sender.Name, pktName,
+						humanize.IBytes(pktSize), src, dst,
+					)
+				},
+			)
+			return err
+		}
 		if !opts.DryRun {
 			err = ctx.TxFile(
 				sender,
 				pkt.Nice,
-				filepath.Join(*freqPath, src),
+				srcPath,
 				dst,
 				sender.FreqChunked,
 				sender.FreqMinSize,
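Review bot: `strings.HasPrefix(srcPath, *freqPath)` has the same prefix-boundary weakness as the incoming check: a `srcPath` under a sibling directory whose name merely starts with `*freqPath` is accepted, and a trailing slash on `*freqPath` wrongly rejects a cleaned `srcPath`; use `filepath.Rel(*freqPath, srcPath)` and reject results that are `..` or start with `../`. The log tag `"rx-no-freq"` is reused for a failure that is not a missing freq, so traversal attempts become hard to tell apart in logs; a distinct tag such as `"rx-traversal"`, matching the first hunk, would be better. Computing `srcPath` once and passing it to `ctx.TxFile`, and placing the check ahead of the `opts.DryRun` branch so dry runs surface the rejection too, are both good. Symlinks inside `*freqPath` can still point outside it; if that matters, resolve `srcPath` with `filepath.EvalSymlinks` before comparing.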
-------------------- End of forwarded message --------------------

--- End Message ---
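The containment problem described in the report above, as an added example that is not part of the bug report, the submitted patch, or NNCP itself: it contrasts a plain string-prefix test with a `filepath.Rel` based check over constructed packet paths. The base directories and file names are hypothetical, and, as the reporter notes, symlinks are left out of scope.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrTraversal is returned when a packet-supplied path would leave its base directory.
var ErrTraversal = errors.New("path traversal")

// NaiveJoin mirrors the string-prefix approach: join, then require that the
// cleaned result still starts with base. It is here only to show its gaps.
func NaiveJoin(base, userPath string) (string, error) {
	joined := filepath.Join(base, userPath)
	if !strings.HasPrefix(joined, base) {
		return "", ErrTraversal
	}
	return joined, nil
}

// SecureJoin resolves userPath under base and rejects anything that lands
// outside base, including sibling directories that merely share base as a
// string prefix. filepath.Join cleans "." and ".." segments, and filepath.Rel
// then reports whether the cleaned result is still inside base. Symlinks are
// not resolved here; a link inside base can still point elsewhere.
func SecureJoin(base, userPath string) (string, error) {
	base = filepath.Clean(base) // tolerate a trailing separator in config
	joined := filepath.Join(base, userPath)
	rel, err := filepath.Rel(base, joined)
	if err != nil {
		return "", ErrTraversal
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return joined, nil
}

// Case is one constructed packet path for the comparison table.
type Case struct {
	Base, Path string
}

// Outcome records what each check decided for a case.
type Outcome struct {
	NaiveOK, SecureOK bool
	Resolved          string
}

// Compare runs both checks over a case.
func Compare(c Case) Outcome {
	var o Outcome
	_, err := NaiveJoin(c.Base, c.Path)
	o.NaiveOK = err == nil
	p, err := SecureJoin(c.Base, c.Path)
	o.SecureOK = err == nil
	o.Resolved = p
	return o
}

func main() {
	// Constructed inputs; the base directories are hypothetical.
	cases := []Case{
		{"/var/nncp/incoming", "report.txt"},              // ordinary file
		{"/var/nncp/incoming", "docs/../report.txt"},      // ".." that stays inside
		{"/var/nncp/incoming", "../../../etc/nncp.hjson"}, // classic escape
		{"/var/nncp/incoming", "../incoming-evil/x"},      // sibling sharing the prefix
		{"/var/nncp/incoming/", "."},                      // trailing slash in config
		{"/var/nncp/incoming", "/etc/passwd"},             // absolute path is re-rooted by Join
	}
	fmt.Printf("%-22s %-26s %-6s %-7s %s\n", "base", "path", "naive", "secure", "resolved")
	for _, c := range cases {
		o := Compare(c)
		fmt.Printf("%-22s %-26s %-6t %-7t %s\n", c.Base, c.Path, o.NaiveOK, o.SecureOK, o.Resolved)
	}
}
```

The table makes the two gaps visible: the prefix test lets the sibling-directory escape through and rejects a valid top-level write when the configured base ends in a slash, while the `filepath.Rel` check gets both right. In a real toss loop the resolved path would still need the symlink question settled separately.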
--- Begin Message ---
Source: nncp
Source-Version: 8.11.0-4+deb13u1
Done: Salvatore Bonaccorso <[email protected]>

We believe that the bug you reported is fixed in the latest version of
nncp, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated nncp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 24 Sep 2025 12:39:13 +0200
Source: nncp
Architecture: source
Version: 8.11.0-4+deb13u1
Distribution: trixie-security
Urgency: high
Maintainer: Debian Go Packaging Team <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Closes: 1115848
Changes:
 nncp (8.11.0-4+deb13u1) trixie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Prevent path traversal during freq/file (CVE-2025-60020)
     (Closes: #1115848)
Checksums-Sha1:
 04fd79907857942335db721e89b067ba8029455e 3062 nncp_8.11.0-4+deb13u1.dsc
 4afdfda5bf85a2715b53c34e19c1e237826f9610 175004 nncp_8.11.0.orig.tar.xz
 615bf2d2252281410babb8fd5a2970edf8f9904d 11216 nncp_8.11.0-4+deb13u1.debian.tar.xz
 e877b8ba12ab01e61ccb6ff244148b8a4a4c2d22 6151 nncp_8.11.0-4+deb13u1_source.buildinfo
Checksums-Sha256:
 8b866a223a5c46cfe2a07de9de773818ecd0753ad67c2898f2a309161bd10a43 3062 nncp_8.11.0-4+deb13u1.dsc
 12b06a386994a908e4e4c36282e48972b849f39edb5d1f44550ab8bef89c7584 175004 nncp_8.11.0.orig.tar.xz
 c47f5c693212f898ab6d167a0c26b83217a74882b16b3e9bfeadfd31a4ac6451 11216 nncp_8.11.0-4+deb13u1.debian.tar.xz
 a676952b9b038d7a85d31b2af568569fe211c0e7a8a790edeeed5f429d422567 6151 nncp_8.11.0-4+deb13u1_source.buildinfo
Files:
 556c201d132ee1df58229618711e7ded 3062 golang optional nncp_8.11.0-4+deb13u1.dsc
 722b08e8c4b0463c4ee84ebdbcec65f4 175004 golang optional nncp_8.11.0.orig.tar.xz
 7d78fe3df831306e9453ec603f133c72 11216 golang optional nncp_8.11.0-4+deb13u1.debian.tar.xz
 6cfb845fc81543b23146375dbee61b64 6151 golang optional nncp_8.11.0-4+deb13u1_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



--- End Message ---