SOURCES: syslog-ng-fixes.patch - don't allow to use pipe() on regular files...

arekm arekm at pld-linux.org
Thu Feb 5 11:34:29 CET 2009


Author: arekm                        Date: Thu Feb  5 10:34:29 2009 GMT
Module: SOURCES                       Tag: HEAD
---- Log message:
- don't allow pipe() to be used on regular files or file() on fifos

---- Files affected:
SOURCES:
   syslog-ng-fixes.patch (1.3 -> 1.4) 

---- Diffs:

================================================================
Index: SOURCES/syslog-ng-fixes.patch
diff -u SOURCES/syslog-ng-fixes.patch:1.3 SOURCES/syslog-ng-fixes.patch:1.4
--- SOURCES/syslog-ng-fixes.patch:1.3	Sun Feb  1 21:09:40 2009
+++ SOURCES/syslog-ng-fixes.patch	Thu Feb  5 11:34:23 2009
@@ -107,3 +107,57 @@
              {
                msg_trace("log_reader_fd_check file moved eof",
                          evt_tag_int("pos", pos),
+commit 8ad0edb1e4198bbf657708d07360bbac8b30b55a
+Author: Balazs Scheidler <bazsi at balabit.hu>
+Date:   Thu Feb 5 11:26:18 2009 +0100
+
+    [affile] validate file type before opening
+    
+    report an error if a file is opened using the pipe() driver, OR a
+    fifo is opened using the file() driver. named pipes should really be
+    driven by the pipe() driver.
+
+diff --git a/src/affile.c b/src/affile.c
+index f9264a7..e582a5d 100644
+--- a/src/affile.c
++++ b/src/affile.c
+@@ -45,6 +45,7 @@ affile_open_file(gchar *name, gint flags,
+                  gboolean create_dirs, gboolean privileged, gboolean is_pipe, gint *fd)
+ {
+   cap_t saved_caps;
++  struct stat st;
+ 
+   if (strstr(name, "../") || strstr(name, "/..")) 
+     {
+@@ -63,6 +64,23 @@ affile_open_file(gchar *name, gint flags,
+       g_process_cap_modify(CAP_DAC_READ_SEARCH, TRUE);
+       g_process_cap_modify(CAP_SYS_ADMIN, TRUE);
+     }
++  if (stat(name, &st) >= 0)
++    {
++      if (is_pipe && !S_ISFIFO(st.st_mode))
++        {
++          msg_error("Error opening pipe, underlying file is not a FIFO, it should be used by file()",
++                    evt_tag_str("filename", name),
++                    NULL);
++          goto exit;
++        }
++      else if (!is_pipe && S_ISFIFO(st.st_mode))
++        {
++          msg_error("Error opening file, underlying file is a FIFO, it should be used by pipe()",
++                    evt_tag_str("filename", name),
++                    NULL);
++          goto exit;
++        }
++    }
+   *fd = open(name, flags, mode);
+   if (is_pipe && *fd < 0 && errno == ENOENT)
+     {
+@@ -82,6 +100,7 @@ affile_open_file(gchar *name, gint flags,
+       if (mode != -1)
+         fchmod(*fd, mode);
+     }
++ exit:
+   if (privileged)
+     {
+       g_process_cap_restore(saved_caps);
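Review bot: The type check added before `*fd = open(name, flags, mode);` inspects the path with `stat(name, &st)`, and the open then resolves the same path a second time, so the object that was validated is not guaranteed to be the one that gets opened; when `privileged` is set this happens with the extra capabilities raised. The `stat()` is still useful as an early reject, but the result should be confirmed on the descriptor after a successful open, e.g. `if (*fd >= 0 && fstat(*fd, &st) == 0 && !is_pipe != !S_ISFIFO(st.st_mode))` followed by `close(*fd); *fd = -1;`. The two `goto exit;` branches also jump past the open without assigning `*fd`. The return statement of affile_open_file is outside the hunk, so if the result is derived from `*fd` (an assumption to confirm), add `*fd = -1;` before each `goto exit;` so that a rejected path cannot be reported as success.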
================================================================

---- CVS-web:
    http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/SOURCES/syslog-ng-fixes.patch?r1=1.3&r2=1.4&f=u


