
From: "Jeroen Roovers (jer)" <jer@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] gentoo-x86 commit in kde-base/kdelibs/files: kdelibs-3.5.8-kinit-CVE-2008-1671.patch
Date: Mon, 28 Apr 2008 12:32:27
Message-Id: E1JqSWv-0004F4-1r@stork.gentoo.org
1 jer 08/04/28 12:32:25
2
3 Added: kdelibs-3.5.8-kinit-CVE-2008-1671.patch
4 Log:
5 Straight to stable (bug #218933).
6 (Portage version: 2.1.5_rc6, RepoMan options: --force)
7
8 Revision Changes Path
9 1.1 kde-base/kdelibs/files/kdelibs-3.5.8-kinit-CVE-2008-1671.patch
10
11 file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/kde-base/kdelibs/files/kdelibs-3.5.8-kinit-CVE-2008-1671.patch?rev=1.1&view=markup
12 plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/kde-base/kdelibs/files/kdelibs-3.5.8-kinit-CVE-2008-1671.patch?rev=1.1&content-type=text/plain
13
14 Index: kdelibs-3.5.8-kinit-CVE-2008-1671.patch
15 ===================================================================
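--- kinit/start_kdeinit.c
+++ kinit/start_kdeinit.c
@@ -37,9 +37,10 @@
 not have this protection, kdeinit will after forking send the new
 PID using the pipe and wait for a signal. This parent will reset the protection
 and SIGUSR1 the process to continue.
+ returns 1 if pid is valid
 */
 
-static void set_protection( pid_t pid, int enable )
+static int set_protection( pid_t pid, int enable )
 {
 char buf[ 1024 ];
 int procfile;
@@ -49,7 +50,7 @@ static void set_protection( pid_t pid, i
 belongs to this user. */
 struct stat st;
 if( lstat( buf, &st ) < 0 || st.st_uid != getuid())
- return;
+ return 0;
 }
 procfile = open( buf, O_WRONLY );
 if( procfile >= 0 ) {
@@ -59,6 +60,7 @@ static void set_protection( pid_t pid, i
 write( procfile, "0", sizeof( "0" ));
 close( procfile );
 }
+ return 1;
 }
 
 int main(int argc, char **argv)
@@ -67,14 +69,14 @@ int main(int argc, char **argv)
 int new_argc;
 const char** new_argv;
 char helper_num[ 1024 ];
- int i;
+ unsigned i;
 char** orig_environ = NULL;
 char header[ 7 ];
 if( pipe( pipes ) < 0 ) {
 perror( "pipe()" );
 return 1;
 }
- if( argc > 1000 )
+ if( argc < 0 || argc > 1000 )
 abort(); /* paranoid */
 set_protection( getpid(), 1 );
 switch( fork()) {
@@ -82,29 +84,30 @@ int main(int argc, char **argv)
 perror( "fork()" );
 return 1;
 default: /* parent, drop privileges and exec */
-#if defined (HAVE_SETEUID) && !defined (HAVE_SETEUID_FAKE)
- seteuid(getuid());
-#else
- setreuid(-1, getuid());
-#endif
- if (geteuid() != getuid()) {
+ if (setgid(getgid())) {
+ perror("setgid()");
+ return 1;
+ }
+ if (setuid(getuid()) || geteuid() != getuid()) {
 perror("setuid()");
 return 1;
 }
 close( pipes[ 0 ] );
 /* read original environment passed by start_kdeinit_wrapper */
 if( read( 0, header, 7 ) == 7 && strncmp( header, "environ", 7 ) == 0 ) {
- int count;
- if( read( 0, &count, sizeof( int )) == sizeof( int )) {
+ unsigned count;
+ if( read( 0, &count, sizeof( unsigned )) == sizeof( unsigned )
+ && count && count < (1<<16)) {
 char** env = malloc(( count + 1 ) * sizeof( char* ));
 int ok = 1;
 for( i = 0;
 i < count && ok;
 ++i ) {
- int len;
- if( read( 0, &len, sizeof( int )) == sizeof( int )) {
+ unsigned len;
+ if( read( 0, &len, sizeof( unsigned )) == sizeof( unsigned )
+ && len && len < (1<<12)) {
 env[ i ] = malloc( len + 1 );
- if( read( 0, env[ i ], len ) == len ) {
+ if( (unsigned) read( 0, env[ i ], len ) == len ) {
 env[ i ][ len ] = '\0';
 } else {
 ok = 0;
@@ -128,7 +131,7 @@ int main(int argc, char **argv)
 sprintf( helper_num, "%d", pipes[ 1 ] );
 new_argv[ 2 ] = helper_num;
 for( i = 1;
- i <= argc;
+ i <= (unsigned) argc;
 ++i )
 new_argv[ i + 2 ] = argv[ i ];
 if( orig_environ )
@@ -145,10 +148,10 @@ int main(int argc, char **argv)
 if( ret < 0 && errno == EINTR )
 continue;
 if( ret <= 0 ) /* pipe closed or error, exit */
- return 0;
+ _exit(0);
 if( pid != 0 ) {
- set_protection( pid, 0 );
- kill( pid, SIGUSR1 );
+ if (set_protection( pid, 0 ))
+ kill( pid, SIGUSR1 );
 }
 }
 }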
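Review bot: In the `@@ -82,29 +84,30 @@` hunk both `malloc` results are still used without a NULL check — `env` is indexed at `env[ i ] = malloc( len + 1 )` and `env[ i ]` is handed straight to `read` — so an allocation failure in this setuid helper ends in a NULL dereference instead of the `ok = 0` path the surrounding code already has; the new `count` and `len` bounds keep the requests small but do not replace the check. Setting `ok = 0` when `env` is NULL before the loop, and when `env[ i ]` is NULL before the `read`, routes both failures through the existing error handling. In the `@@ -67,14 +69,14 @@` hunk the return value this patch gives `set_protection` is still discarded at `set_protection( getpid(), 1 );`; if that is deliberate, a one-line comment saying so would keep the next reader from treating it as an oversight. The environment-reading block and `main` both continue past the hunk.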
129
130
131