jer 08/04/28 12:32:25 |
|
Added: kdelibs-3.5.8-kinit-CVE-2008-1671.patch |
Log: |
Straight to stable (bug #218933). |
(Portage version: 2.1.5_rc6, RepoMan options: --force) |
|
Revision Changes Path |
1.1 kde-base/kdelibs/files/kdelibs-3.5.8-kinit-CVE-2008-1671.patch |
|
file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/kde-base/kdelibs/files/kdelibs-3.5.8-kinit-CVE-2008-1671.patch?rev=1.1&view=markup |
plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/kde-base/kdelibs/files/kdelibs-3.5.8-kinit-CVE-2008-1671.patch?rev=1.1&content-type=text/plain |
|
Index: kdelibs-3.5.8-kinit-CVE-2008-1671.patch |
=================================================================== |
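--- a/kinit/start_kdeinit.c
+++ b/kinit/start_kdeinit.c
@@ -37,9 +37,10 @@
 not have this protection, kdeinit will after forking send the new
 PID using the pipe and wait for a signal. This parent will reset the protection
 and SIGUSR1 the process to continue.
+ returns 1 if pid is valid
 */
 
-static void set_protection( pid_t pid, int enable )
+static int set_protection( pid_t pid, int enable )
 {
 char buf[ 1024 ];
 int procfile;
@@ -49,7 +50,7 @@ static void set_protection( pid_t pid, i
 belongs to this user. */
 struct stat st;
 if( lstat( buf, &st ) < 0 || st.st_uid != getuid())
- return;
+ return 0;
 }
 procfile = open( buf, O_WRONLY );
 if( procfile >= 0 ) {
@@ -59,6 +60,7 @@ static void set_protection( pid_t pid, i
 write( procfile, "0", sizeof( "0" ));
 close( procfile );
 }
+ return 1;
 }
 
 int main(int argc, char **argv)
@@ -67,14 +69,14 @@ int main(int argc, char **argv)
 int new_argc;
 const char** new_argv;
 char helper_num[ 1024 ];
- int i;
+ unsigned i;
 char** orig_environ = NULL;
 char header[ 7 ];
 if( pipe( pipes ) < 0 ) {
 perror( "pipe()" );
 return 1;
 }
- if( argc > 1000 )
+ if( argc < 0 || argc > 1000 )
 abort(); /* paranoid */
 set_protection( getpid(), 1 );
 switch( fork()) {
@@ -82,29 +84,30 @@ int main(int argc, char **argv)
 perror( "fork()" );
 return 1;
 default: /* parent, drop privileges and exec */
-#if defined (HAVE_SETEUID) && !defined (HAVE_SETEUID_FAKE)
- seteuid(getuid());
-#else
- setreuid(-1, getuid());
-#endif
- if (geteuid() != getuid()) {
+ if (setgid(getgid())) {
+ perror("setgid()");
+ return 1;
+ }
+ if (setuid(getuid()) || geteuid() != getuid()) {
 perror("setuid()");
 return 1;
 }
 close( pipes[ 0 ] );
 /* read original environment passed by start_kdeinit_wrapper */
 if( read( 0, header, 7 ) == 7 && strncmp( header, "environ", 7 ) == 0 ) {
- int count;
- if( read( 0, &count, sizeof( int )) == sizeof( int )) {
+ unsigned count;
+ if( read( 0, &count, sizeof( unsigned )) == sizeof( unsigned )
+ && count && count < (1<<16)) {
 char** env = malloc(( count + 1 ) * sizeof( char* ));
 int ok = 1;
 for( i = 0;
 i < count && ok;
 ++i ) {
- int len;
- if( read( 0, &len, sizeof( int )) == sizeof( int )) {
+ unsigned len;
+ if( read( 0, &len, sizeof( unsigned )) == sizeof( unsigned )
+ && len && len < (1<<12)) {
 env[ i ] = malloc( len + 1 );
- if( read( 0, env[ i ], len ) == len ) {
+ if( (unsigned) read( 0, env[ i ], len ) == len ) {
 env[ i ][ len ] = '\0';
 } else {
 ok = 0;
@@ -128,7 +131,7 @@ int main(int argc, char **argv)
 sprintf( helper_num, "%d", pipes[ 1 ] );
 new_argv[ 2 ] = helper_num;
 for( i = 1;
- i <= argc;
+ i <= (unsigned) argc;
 ++i )
 new_argv[ i + 2 ] = argv[ i ];
 if( orig_environ )
@@ -145,10 +148,10 @@ int main(int argc, char **argv)
 if( ret < 0 && errno == EINTR )
 continue;
 if( ret <= 0 ) /* pipe closed or error, exit */
- return 0;
+ _exit(0);
 if( pid != 0 ) {
- set_protection( pid, 0 );
- kill( pid, SIGUSR1 );
+ if (set_protection( pid, 0 ))
+ kill( pid, SIGUSR1 );
 }
 }
 }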
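Review bot: The two `malloc` results in the environment-reading loop of the `@@ -82,29 +84,30 @@` hunk are still used unchecked: `env` is indexed and `env[ i ]` is handed to `read()` even if the allocation failed, although the patch now bounds `count` and `len`. Initialising the flag as `int ok = ( env != NULL );` and testing `if( env[ i ] != NULL && (unsigned) read( 0, env[ i ], len ) == len ) {` would route an allocation failure into the existing `ok = 0` branch. The loop body and the cleanup after it continue outside the hunk, so confirm that the failure path there tolerates a NULL `env` and a NULL `env[ i ]`. Separately, `read()` on fd 0 may return fewer than `len` bytes for a well-formed record; the code treats that as a failure, which is fail-closed but deserves a short comment such as `/* short read is treated as a malformed record */`.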