[gentoo-commits] gentoo-x86 commit in www-servers/thttpd/files: thttpd-fix-world-readable-log.patch - gentoo-commits

From:	"Anthony G. Basile (blueness)" <blueness@g.o>
To:	gentoo-commits@l.g.o
Subject:	[gentoo-commits] gentoo-x86 commit in www-servers/thttpd/files: thttpd-fix-world-readable-log.patch
Date:	Tue, 26 Feb 2013 20:04:39
Message-Id:	`20130226200433.310B720081@flycatcher.gentoo.org`

1

blueness    13/02/26 20:04:33

2

3

  Added:                thttpd-fix-world-readable-log.patch

4

  Log:

5

  Make log read/write by thttpd user only, bug #458896, CVE-2013-0348

6

7

  (Portage version: 2.1.11.50/cvs/Linux x86_64, signed Manifest commit with key 0xF52D4BBA)

8

9

Revision  Changes    Path

10

1.1                  www-servers/thttpd/files/thttpd-fix-world-readable-log.patch

11

12

file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/www-servers/thttpd/files/thttpd-fix-world-readable-log.patch?rev=1.1&view=markup

13

plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/www-servers/thttpd/files/thttpd-fix-world-readable-log.patch?rev=1.1&content-type=text/plain

14

15

Index: thttpd-fix-world-readable-log.patch

16

===================================================================

17

From d2e186dbd58d274a0dea9b59357edc8498b5388d Mon Sep 17 00:00:00 2001

18

From: "Anthony G. Basile" <blueness@g.o>

19

Date: Tue, 26 Feb 2013 14:28:26 -0500

20

Subject: [PATCH] src/thttpd.c: Fix world readable log, CVE-2013-0348.

21

22

Make sure that the logfile is created or reopened as read/write

23

by thttpd user only.

24

25

X-gentoo-Bug: 458896

26

X-gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=458896

27

Reported-by:  Agostino Sarubbo <ago@g.o>

28

Signed-off-by: Anthony G. Basile <basile@××××××××××××××.edu>

29

---

30

 src/thttpd.c | 8 ++++++--

31

 1 file changed, 6 insertions(+), 2 deletions(-)

32

33

diff --git a/src/thttpd.c b/src/thttpd.c

34

index 019b8c0..f33a7a7 100644

35

--- a/src/thttpd.c

36

+++ b/src/thttpd.c

37

@@ -326,6 +326,7 @@ static void

38

 re_open_logfile( void )

39

{

40

     FILE* logfp;

41

+    int retchmod;

42

43

     if ( no_log || hs == (httpd_server*) 0 )

44

 	return;

45

@@ -335,7 +336,8 @@ re_open_logfile( void )

46

{

47

 	syslog( LOG_NOTICE, "re-opening logfile" );

48

 	logfp = fopen( logfile, "a" );

49

-	if ( logfp == (FILE*) 0 )

50

+	retchmod = chmod( logfile, S_IRUSR|S_IWUSR );

51

+	if ( logfp == (FILE*) 0 || retchmod != 0 )

52

{

53

 	    syslog( LOG_CRIT, "re-opening %.80s - %m", logfile );

54

 	    return;

55

@@ -355,6 +357,7 @@ main( int argc, char** argv )

56

     gid_t gid = 32767;

57

     char cwd[MAXPATHLEN+1];

58

     FILE* logfp;

59

+    int retchmod;

60

     int num_ready;

61

     int cnum;

62

     connecttab* c;

63

@@ -424,7 +427,8 @@ main( int argc, char** argv )

64

 	else

65

{

66

 	    logfp = fopen( logfile, "a" );

67

-	    if ( logfp == (FILE*) 0 )

68

+	    retchmod = chmod( logfile, S_IRUSR|S_IWUSR );

69

+	    if ( logfp == (FILE*) 0 || retchmod != 0 )

70

{

71

 		syslog( LOG_CRIT, "%.80s - %m", logfile );

72

 		perror( logfile );

73

--

74

1.7.12.4

1	blueness 13/02/26 20:04:33
2
3	Added: thttpd-fix-world-readable-log.patch
4	Log:
5	Make log read/write by thttpd user only, bug #458896, CVE-2013-0348
6
7	(Portage version: 2.1.11.50/cvs/Linux x86_64, signed Manifest commit with key 0xF52D4BBA)
8
9	Revision Changes Path
10	1.1 www-servers/thttpd/files/thttpd-fix-world-readable-log.patch
11
12	file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/www-servers/thttpd/files/thttpd-fix-world-readable-log.patch?rev=1.1&view=markup
13	plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/www-servers/thttpd/files/thttpd-fix-world-readable-log.patch?rev=1.1&content-type=text/plain
14
15	Index: thttpd-fix-world-readable-log.patch
16	===================================================================
17	From d2e186dbd58d274a0dea9b59357edc8498b5388d Mon Sep 17 00:00:00 2001
18	From: "Anthony G. Basile" <blueness@g.o>
19	Date: Tue, 26 Feb 2013 14:28:26 -0500
20	Subject: [PATCH] src/thttpd.c: Fix world readable log, CVE-2013-0348.
21
22	Make sure that the logfile is created or reopened as read/write
23	by thttpd user only.
24
25	X-gentoo-Bug: 458896
26	X-gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=458896
27	Reported-by: Agostino Sarubbo <ago@g.o>
28	Signed-off-by: Anthony G. Basile <basile@××××××××××××××.edu>
29	---
30	src/thttpd.c \| 8 ++++++--
31	1 file changed, 6 insertions(+), 2 deletions(-)
32
33	diff --git a/src/thttpd.c b/src/thttpd.c
34	index 019b8c0..f33a7a7 100644
35	--- a/src/thttpd.c
36	+++ b/src/thttpd.c
37	@@ -326,6 +326,7 @@ static void
38	re_open_logfile( void )
39	{
40	FILE* logfp;
41	+ int retchmod;
42
43	if ( no_log \|\| hs == (httpd_server*) 0 )
44	return;
45	@@ -335,7 +336,8 @@ re_open_logfile( void )
46	{
47	syslog( LOG_NOTICE, "re-opening logfile" );
48	logfp = fopen( logfile, "a" );
49	- if ( logfp == (FILE*) 0 )
50	+ retchmod = chmod( logfile, S_IRUSR\|S_IWUSR );
51	+ if ( logfp == (FILE*) 0 \|\| retchmod != 0 )
52	{
53	syslog( LOG_CRIT, "re-opening %.80s - %m", logfile );
54	return;
55	@@ -355,6 +357,7 @@ main( int argc, char** argv )
56	gid_t gid = 32767;
57	char cwd[MAXPATHLEN+1];
58	FILE* logfp;
59	+ int retchmod;
60	int num_ready;
61	int cnum;
62	connecttab* c;
63	@@ -424,7 +427,8 @@ main( int argc, char** argv )
64	else
65	{
66	logfp = fopen( logfile, "a" );
67	- if ( logfp == (FILE*) 0 )
68	+ retchmod = chmod( logfile, S_IRUSR\|S_IWUSR );
69	+ if ( logfp == (FILE*) 0 \|\| retchmod != 0 )
70	{
71	syslog( LOG_CRIT, "%.80s - %m", logfile );
72	perror( logfile );
73	--
74	1.7.12.4

Gentoo Archives: gentoo-commits