SOURCES: heimdal-0.7.2-setuid-patch.txt (NEW) - ftp://ftp.pdc.kth....

qboosh qboosh at pld-linux.org
Mon Oct 2 18:00:13 CEST 2006


Author: qboosh                       Date: Mon Oct  2 16:00:13 2006 GMT
Module: SOURCES                       Tag: HEAD
---- Log message:
- ftp://ftp.pdc.kth.se/pub/heimdal/src/heimdal-0.7.2-setuid-patch.txt (CVE-2006-3083 CVE-2006-3084)

---- Files affected:
SOURCES:
   heimdal-0.7.2-setuid-patch.txt (NONE -> 1.1)  (NEW)

---- Diffs:

================================================================
Index: SOURCES/heimdal-0.7.2-setuid-patch.txt
diff -u /dev/null SOURCES/heimdal-0.7.2-setuid-patch.txt:1.1
--- /dev/null	Mon Oct  2 18:00:13 2006
+++ SOURCES/heimdal-0.7.2-setuid-patch.txt	Mon Oct  2 18:00:08 2006
@@ -0,0 +1,258 @@
+diff -u -r heimdal-0.7.2/appl/dceutils/ChangeLog heimdal-0.7.2-setuid/appl/dceutils/ChangeLog
+--- heimdal-0.7.2/appl/dceutils/ChangeLog	2005-04-06 13:23:17.000000000 +0200
++++ heimdal-0.7.2-setuid/appl/dceutils/ChangeLog	2006-08-31 14:49:15.000000000 +0200
+@@ -1,5 +1,9 @@
+-2005-04-06  Love Hörnquist Ĺstrand  <lha at it.su.se>
++2006-08-08  Love Hörnquist Ĺstrand  <lha at it.su.se>
+ 
++	* k5dcecon.c: Check for seteuid failure, prompted by MIT advisory.
++	
++2005-04-06  Love Hörnquist Ĺstrand  <lha at it.su.se>
++	
+ 	* testpag.c: use NULL as last argument to execl, not 0
+ 
+ 2002-08-12  Johan Danielsson  <joda at pdc.kth.se>
+diff -u -r heimdal-0.7.2/appl/dceutils/k5dcecon.c heimdal-0.7.2-setuid/appl/dceutils/k5dcecon.c
+--- heimdal-0.7.2/appl/dceutils/k5dcecon.c	2002-08-09 15:19:41.000000000 +0200
++++ heimdal-0.7.2-setuid/appl/dceutils/k5dcecon.c	2006-08-31 14:49:15.000000000 +0200
+@@ -71,7 +71,7 @@
+ #endif
+ 
+ #ifdef __hpux
+-#define seteuid(A)		setresuid(-1,A,-1);
++#define seteuid(A)		setresuid(-1,A,-1)
+ #endif
+ 
+ 
+@@ -549,7 +549,8 @@
+ 	 */
+ 
+ 	if (uid == 0) {
+-		seteuid(luid);
++		if (seteuid(luid) < 0)
++			goto abort;
+ 	}  
+ 
+ 	cp = strchr(pname,'@');
+diff -u -r heimdal-0.7.2/appl/ftp/ChangeLog heimdal-0.7.2-setuid/appl/ftp/ChangeLog
+--- heimdal-0.7.2/appl/ftp/ChangeLog	2005-05-29 23:42:45.000000000 +0200
++++ heimdal-0.7.2-setuid/appl/ftp/ChangeLog	2006-08-31 14:49:15.000000000 +0200
+@@ -1,3 +1,9 @@
++2006-08-08  Love Hörnquist Ĺstrand  <lha at it.su.se>
++
++	* rcp.c: Check return values from seteuid, prompted by MIT
++	advisory.  Thanks to Tom Yu at MIT, and Michael Calmer and Marcus
++	Meissner at SUSE.  Either of CVE-2006-3083 or CVE-2006-3084.
++	
+ 2005-05-29  Love Hörnquist Ĺstrand  <lha at it.su.se>
+ 
+ 	* ftpd/ftpd.c: avoid 'unused variable' warnings
+diff -u -r heimdal-0.7.2/appl/ftp/ftpd/ftpd.c heimdal-0.7.2-setuid/appl/ftp/ftpd/ftpd.c
+--- heimdal-0.7.2/appl/ftp/ftpd/ftpd.c	2005-06-02 12:41:28.000000000 +0200
++++ heimdal-0.7.2-setuid/appl/ftp/ftpd/ftpd.c	2006-08-31 14:49:15.000000000 +0200
+@@ -138,9 +138,9 @@
+ static int	 checkuser (char *, char *);
+ static int	 checkaccess (char *);
+ static FILE	*dataconn (const char *, off_t, const char *);
+-static void	 dolog (struct sockaddr *sa, int len);
++static void	 dolog (struct sockaddr *, int);
+ static void	 end_login (void);
+-static FILE	*getdatasock (const char *);
++static FILE	*getdatasock (const char *, int);
+ static char	*gunique (char *);
+ static RETSIGTYPE	 lostconn (int);
+ static int	 receive_data (FILE *, FILE *);
+@@ -835,7 +835,8 @@
+ end_login(void)
+ {
+ 
+-	seteuid((uid_t)0);
++	if (seteuid((uid_t)0) < 0)
++		fatal("Failed to seteuid");
+ 	if (logged_in)
+ 		ftpd_logwtmp(ttyline, "", "");
+ 	pw = NULL;
+@@ -1208,14 +1209,15 @@
+ }
+ 
+ static FILE *
+-getdatasock(const char *mode)
++getdatasock(const char *mode, int domain)
+ {
+ 	int s, t, tries;
+ 
+ 	if (data >= 0)
+ 		return (fdopen(data, mode));
+-	seteuid(0);
+-	s = socket(ctrl_addr->sa_family, SOCK_STREAM, 0);
++	if (seteuid(0) < 0)
++		fatal("Failed to seteuid");
++	s = socket(domain, SOCK_STREAM, 0);
+ 	if (s < 0)
+ 		goto bad;
+ 	socket_set_reuseaddr (s, 1);
+@@ -1232,7 +1234,8 @@
+ 			goto bad;
+ 		sleep(tries);
+ 	}
+-	seteuid(pw->pw_uid);
++	if (seteuid(pw->pw_uid) < 0)
++		fatal("Failed to seteuid");
+ #ifdef IPTOS_THROUGHPUT
+ 	socket_set_tos (s, IPTOS_THROUGHPUT);
+ #endif
+@@ -1240,7 +1243,8 @@
+ bad:
+ 	/* Return the real value of errno (close may change it) */
+ 	t = errno;
+-	seteuid((uid_t)pw->pw_uid);
++	if (seteuid((uid_t)pw->pw_uid) < 0)
++		fatal("Failed to seteuid");
+ 	close(s);
+ 	errno = t;
+ 	return (NULL);
+@@ -1271,7 +1275,7 @@
+ {
+ 	char sizebuf[32];
+ 	FILE *file;
+-	int retry = 0;
++	int domain, retry = 0;
+ 
+ 	file_size = size;
+ 	byte_count = 0;
+@@ -1318,7 +1322,15 @@
+ 	if (usedefault)
+ 		data_dest = his_addr;
+ 	usedefault = 1;
+-	file = getdatasock(mode);
++	/* 
++	 * Default to using the same socket type as the ctrl address,
++	 * unless we know the type of the data address.
++	 */
++	domain = data_dest->sa_family;
++	if (domain == PF_UNSPEC)
++	    domain = ctrl_addr->sa_family;
++
++	file = getdatasock(mode, domain);
+ 	if (file == NULL) {
+ 		char data_addr[256];
+ 
+@@ -1889,11 +1901,11 @@
+     transflag = 0;
+     urgflag = 0;
+     if (logged_in) {
+-	seteuid((uid_t)0);
+-	ftpd_logwtmp(ttyline, "", "");
+ #ifdef KRB4
+ 	cond_kdestroy();
+ #endif
++	seteuid((uid_t)0); /* No need to check, we call exit() below */
++	ftpd_logwtmp(ttyline, "", "");
+     }
+     /* beware of flushing buffers after a SIGPIPE */
+ #ifdef XXX
+@@ -2006,12 +2018,15 @@
+ 				     0);
+ 	socket_set_portrange(pdata, restricted_data_ports, 
+ 	    pasv_addr->sa_family); 
+-	seteuid(0);
++	if (seteuid(0) < 0)
++		fatal("Failed to seteuid");
+ 	if (bind(pdata, pasv_addr, socket_sockaddr_size (pasv_addr)) < 0) {
+-		seteuid(pw->pw_uid);
++		if (seteuid(pw->pw_uid) < 0)
++			fatal("Failed to seteuid");
+ 		goto pasv_error;
+ 	}
+-	seteuid(pw->pw_uid);
++	if (seteuid(pw->pw_uid) < 0)
++		fatal("Failed to seteuid");
+ 	len = sizeof(pasv_addr_ss);
+ 	if (getsockname(pdata, pasv_addr, &len) < 0)
+ 		goto pasv_error;
+@@ -2050,12 +2065,15 @@
+ 				     0);
+ 	socket_set_portrange(pdata, restricted_data_ports, 
+ 	    pasv_addr->sa_family); 
+-	seteuid(0);
++	if (seteuid(0) < 0)
++		fatal("Failed to seteuid");
+ 	if (bind(pdata, pasv_addr, socket_sockaddr_size (pasv_addr)) < 0) {
+-		seteuid(pw->pw_uid);
++		if (seteuid(pw->pw_uid))
++			fatal("Failed to seteuid");
+ 		goto pasv_error;
+ 	}
+-	seteuid(pw->pw_uid);
++	if (seteuid(pw->pw_uid) < 0)
++		fatal("Failed to seteuid");
+ 	len = sizeof(pasv_addr_ss);
+ 	if (getsockname(pdata, pasv_addr, &len) < 0)
+ 		goto pasv_error;
+diff -u -r heimdal-0.7.2/appl/rcp/rcp.c heimdal-0.7.2-setuid/appl/rcp/rcp.c
+--- heimdal-0.7.2/appl/rcp/rcp.c	2005-05-11 13:04:30.000000000 +0200
++++ heimdal-0.7.2-setuid/appl/rcp/rcp.c	2006-08-31 14:49:15.000000000 +0200
+@@ -119,13 +119,15 @@
+ 
+ 	if (fflag) {			/* Follow "protocol", send data. */
+ 		response();
+-		setuid(userid);
++		if (setuid(userid) < 0)
++			errx(1, "setuid failed");
+ 		source(argc, argv);
+ 		exit(errs);
+ 	}
+ 
+ 	if (tflag) {			/* Receive data. */
+-		setuid(userid);
++		if (setuid(userid) < 0)
++			errx(1, "setuid failed");
+ 		sink(argc, argv);
+ 		exit(errs);
+ 	}
+@@ -221,7 +223,8 @@
+ 				if (response() < 0)
+ 					exit(1);
+ 				free(bp);
+-				setuid(userid);
++				if (setuid(userid) < 0)
++					errx(1, "setuid failed");
+ 			}
+ 			source(1, argv+i);
+ 		}
+@@ -270,7 +273,8 @@
+ 		}
+ 		free(bp);
+ 		sink(1, argv + argc - 1);
+-		seteuid(0);
++		if (seteuid(0) < 0)
++			exit(1);
+ 		close(remin);
+ 		remin = remout = -1;
+ 	}
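Review bot: The new `if (seteuid(0) < 0) exit(1);` after sink() terminates without any diagnostic, whereas the three setuid() checks added earlier in the same file report with `errx(1, "setuid failed")`; a failed return to euid 0 here is just as much a privilege-handling fault and should be reported the same way, e.g. `if (seteuid(0) < 0) errx(1, "seteuid failed");`. The enclosing function starts and ends outside the hunk.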
+diff -u -r heimdal-0.7.2/appl/rcp/util.c heimdal-0.7.2-setuid/appl/rcp/util.c
+--- heimdal-0.7.2/appl/rcp/util.c	2005-04-18 09:52:58.000000000 +0200
++++ heimdal-0.7.2-setuid/appl/rcp/util.c	2006-08-31 14:49:15.000000000 +0200
+@@ -112,7 +112,8 @@
+ 		return (127);
+ 
+ 	case 0:
+-		(void)setuid(userid);
++		if (setuid(userid) < 0)
++			_exit(127);
+ 		execl(_PATH_BSHELL, "sh", "-c", s, NULL);
+ 		_exit(127);
+ 	}
+diff -u -r heimdal-0.7.2/lib/roken/iruserok.c heimdal-0.7.2-setuid/lib/roken/iruserok.c
+--- heimdal-0.7.2/lib/roken/iruserok.c	2005-04-12 13:28:54.000000000 +0200
++++ heimdal-0.7.2-setuid/lib/roken/iruserok.c	2006-08-31 14:49:15.000000000 +0200
+@@ -250,7 +250,8 @@
+ 		 * are protected read/write owner only.
+ 		 */
+ 		uid = geteuid();
+-		seteuid(pwd->pw_uid);
++		if (seteuid(pwd->pw_uid) < 0)
++			return (-1);
+ 		hostf = fopen(pbuf, "r");
+ 		seteuid(uid);
+ 
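Review bot: The drop to the user's uid before fopen() is now checked, but the restore `seteuid(uid);` two lines later is still unchecked; if it fails the function returns to its caller with euid left at pwd->pw_uid, and any later privileged step in that caller will fail without the cause being visible here. Treat it like the drop, `if (seteuid(uid) < 0) { if (hostf != NULL) (void)fclose(hostf); return (-1); }`, so failure is fail-closed as on the line above. The function continues past the hunk, so whatever cleanup its tail does on hostf should be checked against this early return.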
================================================================

