FreeBSD Bugzilla – Attachment 107335 Details for
Bug 148099
editors/emacs22: patch available for emacs movemail vulnerability.
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Help
|
New Account
|
Log In
Remember
[x]
|
Forgot Password
Login:
[x]
[patch]
file.diff
file.diff (text/plain), 3.06 KB, created by
Kazuo Dohzono
on 2010-06-24 03:20:01 UTC
(
hide
)
Description:
file.diff
Filename:
MIME Type:
Creator:
Kazuo Dohzono
Created:
2010-06-24 03:20:01 UTC
Size:
3.06 KB
patch
obsolete
>--- emacs22-22.2/lib-src/movemail.c.orig 2010-03-03 16:44:40.000000000 -0500 >+++ emacs22-22.2/lib-src/movemail.c 2010-03-24 18:07:49.000000000 -0400 >@@ -177,6 +177,10 @@ > int nread; > WAITTYPE status; > int c, preserve_mail = 0; >+ uid_t real_gid, priv_gid; >+ >+ real_gid = getgid(); >+ priv_gid = getegid(); > > #ifndef MAIL_USE_SYSTEM_LOCK > struct stat st; >@@ -248,25 +252,6 @@ > if (*outname == 0) > fatal ("Destination file name is empty", 0, 0); > >- /* Check access to output file. */ >- if (access (outname, F_OK) == 0 && access (outname, W_OK) != 0) >- pfatal_with_name (outname); >- >- /* Also check that outname's directory is writable to the real uid. */ >- { >- char *buf = (char *) xmalloc (strlen (outname) + 1); >- char *p; >- strcpy (buf, outname); >- p = buf + strlen (buf); >- while (p > buf && !IS_DIRECTORY_SEP (p[-1])) >- *--p = 0; >- if (p == buf) >- *p++ = '.'; >- if (access (buf, W_OK) != 0) >- pfatal_with_name (buf); >- free (buf); >- } >- > #ifdef MAIL_USE_POP > if (!strncmp (inname, "po:", 3)) > { >@@ -278,15 +263,12 @@ > exit (status); > } > >- setuid (getuid ()); >+ if ( setuid (getuid ()) < 0 ) >+ fatal ("Failed to drop privileges", 0, 0); >+ > #endif /* MAIL_USE_POP */ > > #ifndef DISABLE_DIRECT_ACCESS >- >- /* Check access to input file. */ >- if (access (inname, R_OK | W_OK) != 0) >- pfatal_with_name (inname); >- > #ifndef MAIL_USE_MMDF > #ifndef MAIL_USE_SYSTEM_LOCK > #ifdef MAIL_USE_MAILLOCK >@@ -373,7 +355,8 @@ > long touched_lock, now; > #endif > >- setuid (getuid ()); >+ if ( setuid (getuid ()) < 0 || setegid (real_gid) < 0 ) >+ fatal("Failed to drop privileges", 0, 0); > > #ifndef MAIL_USE_MMDF > #ifdef MAIL_USE_SYSTEM_LOCK >@@ -399,6 +382,9 @@ > if (outdesc < 0) > pfatal_with_name (outname); > >+ if ( setegid(priv_gid) < 0 ) >+ fatal("Failed to regain privileges", 0, 0); >+ > /* This label exists so we can retry locking > after a delay, if it got EAGAIN or EBUSY. */ > retry_lock: >@@ -499,6 +485,10 @@ > /* Check to make sure no errors before we zap the inbox. */ > if (close (outdesc) != 0) > pfatal_and_delete (outname); >+ >+ /* Prevent symlink attacks truncating other users' mailboxes */ >+ if ( setegid (real_gid) < 0 ) >+ fatal("Failed to drop privileges", 0, 0); > > #ifdef MAIL_USE_SYSTEM_LOCK > if (! preserve_mail) >@@ -506,7 +496,12 @@ > #if defined (STRIDE) || defined (XENIX) > /* Stride, xenix have file locking, but no ftruncate. > This mess will do. */ >- close (open (inname, O_CREAT | O_TRUNC | O_RDWR, 0666)); >+ int indesc2 = open (inname, O_CREAT | O_TRUNC | O_RDWR, 0666); >+ if ( indesc2 < 0 ) >+ pfatal_with_name (inname) >+ >+ close (indesc2); >+ > #else > ftruncate (indesc, 0L); > #endif /* STRIDE or XENIX */ >@@ -532,6 +527,10 @@ > creat (inname, 0600); > } > #endif /* not MAIL_USE_SYSTEM_LOCK */ >+ >+ /* End of mailbox truncation */ >+ if ( setegid(priv_gid) < 0 ) >+ fatal("Failed to regain privileges", 0, 0); > > #ifdef MAIL_USE_MAILLOCK > /* This has to occur in the child, i.e., in the process that
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=107335">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 148099
: 107335