Control: retitle -1 nncp: CVE-2025-60020: path traversal attack

Hi,

On Sat, Sep 20, 2025 at 08:59:28AM -0500, John Goerzen wrote:
> Package: nncp
> Tags: security
> Severity: critical
> Version: 8.11.0-4+b4
>
> -------------------- Start of forwarded message --------------------
> From: Eugene Medvedev <[email protected]>
> Subject: NNCP path traversal attack.
>
> As it currently stands, NNCP is vulnerable to path traversal attacks with
> freq and file functions: Despite the requirement for both to supply full path
> in configuration, both types of packets will accept and act upon paths
> containing "..". Most obviously, this allows one to request any file NNCP
> has access to, like its own configuration file with the private keys in it.
> Likewise, a sent file can break out of the incoming directory in the same
> manner and be written anywhere on the system that the user can write to.
>
> The included patch is my take on dealing with this by limiting path
> traversal to below the configured full path. It does nothing about, e.g.,
> symlinks, and I'm not sure anything should be done about those.
>
> I can't claim to understand the codebase sufficiently to have caught
> all the ways this can happen, however.

CVE-2025-60020 has been assigned for this issue.

Regards,
Salvatore
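
Added example, not part of the original message and not the forwarded patch or NNCP's own code: a lexical containment check in Go of the kind the report describes, limiting a packet-supplied path to below a configured full path. The function name, the directory and the sample paths are assumptions, and like the approach described in the report it does nothing about symlinks.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrEscapes is returned when a packet-supplied path leaves the configured root.
var ErrEscapes = errors.New("path escapes configured directory")

// resolveUnder (hypothetical helper) joins a packet-supplied path onto the
// configured root and rejects the result unless it stays below that root.
// The check is purely lexical: symlinks under root are not resolved.
func resolveUnder(root, requested string) (string, error) {
	if !filepath.IsAbs(root) {
		return "", errors.New("configured root must be a full path")
	}
	root = filepath.Clean(root)
	// Join cleans the result, so "a/../../b" is collapsed before the check
	// and an absolute request such as "/etc/passwd" is re-rooted under root.
	full := filepath.Join(root, requested)
	rel, err := filepath.Rel(root, full)
	if err != nil {
		return "", err
	}
	// Compare whole path elements: "..data" is a legal file name, ".." is not.
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrEscapes
	}
	return full, nil
}

func main() {
	// Constructed sample values; the directory and file names are hypothetical.
	root := "/var/spool/nncp/incoming"
	samples := []string{"report.txt", "sub/../report.txt",
		"../../../etc/example.conf", "/etc/passwd", "..data"}
	for _, p := range samples {
		full, err := resolveUnder(root, p)
		fmt.Printf("%-28q -> %q, %v\n", p, full, err)
	}
}
```

The same check applies in both directions named in the report: to the path a freq packet asks to read and to the destination path of an incoming file.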

