pkgsrc-Changes-HG archive
[pkgsrc/trunk]: pkgsrc/security/heimdal Security fix for SA21436:
details: https://anonhg.NetBSD.org/pkgsrc/rev/598381f20046
branches: trunk
changeset: 517364:598381f20046
user: salo <salo%pkgsrc.org@localhost>
date: Wed Aug 09 17:58:09 2006 +0000
description:
Security fix for SA21436:
"A security issue has been reported in Heimdal, which potentially can be
exploited by malicious, local users to perform certain actions with
escalated privileges.
The security issue is caused due to missing checks for whether the
"setuid()" call has succeeded in the bundled rcp application. This may
be exploited to perform certain actions with root privileges if the
"setuid()" call fails due to e.g. resource limits."
http://secunia.com/advisories/21436/
http://www.pdc.kth.se/heimdal/advisory/2006-08-08/
Bump PKGREVISION.
diffstat:
security/heimdal/Makefile | 4 +-
security/heimdal/distinfo | 7 +-
security/heimdal/patches/patch-am | 25 ++++++
security/heimdal/patches/patch-an | 145 ++++++++++++++++++++++++++++++++++++++
security/heimdal/patches/patch-ao | 44 +++++++++++
security/heimdal/patches/patch-ap | 16 ++++
security/heimdal/patches/patch-aq | 16 ++++
7 files changed, 254 insertions(+), 3 deletions(-)
diffs (297 lines):
diff -r 33c8996ed8a1 -r 598381f20046 security/heimdal/Makefile
--- a/security/heimdal/Makefile Wed Aug 09 17:55:51 2006 +0000
+++ b/security/heimdal/Makefile Wed Aug 09 17:58:09 2006 +0000
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.61 2006/07/05 04:39:14 jlam Exp $
+# $NetBSD: Makefile,v 1.62 2006/08/09 17:58:09 salo Exp $
DISTNAME= heimdal-0.7.2
-PKGREVISION= 2
+PKGREVISION= 3
CATEGORIES= security
MASTER_SITES= ftp://ftp.pdc.kth.se/pub/heimdal/src/ \
ftp://ftp.sunet.se/pub/unix/admin/mirror-pdc/heimdal/src/
diff -r 33c8996ed8a1 -r 598381f20046 security/heimdal/distinfo
--- a/security/heimdal/distinfo Wed Aug 09 17:55:51 2006 +0000
+++ b/security/heimdal/distinfo Wed Aug 09 17:58:09 2006 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.20 2006/07/05 04:39:14 jlam Exp $
+$NetBSD: distinfo,v 1.21 2006/08/09 17:58:09 salo Exp $
SHA1 (heimdal-0.7.2.tar.gz) = a902e6ad7c31d940b588dc0235b348936f0d719d
RMD160 (heimdal-0.7.2.tar.gz) = 0f028a9d5a6a66e8efc0397e4d8c8adc2183b409
@@ -6,3 +6,8 @@
SHA1 (patch-ac) = 313c0a1f91e4f9546ae906f981adae0d499dd9cf
SHA1 (patch-ad) = a7cfc038e76f8c3da38f8eb0ee48a7f8c7a9c7df
SHA1 (patch-al) = 6035ef920b1a005902ae021b307fc4c3efc77449
+SHA1 (patch-am) = 538c0c3bb8806bdd3691d490ea4ceafc7acc0ca7
+SHA1 (patch-an) = 2f414a50520a345f3c875220d2b001516933fbac
+SHA1 (patch-ao) = 7401ad7a47ed8541663193f71bd52feafeeeb045
+SHA1 (patch-ap) = 4c28d64ecf1c55d7eb02d0be1cf3efeff81339c6
+SHA1 (patch-aq) = 3ac32c49d5880813998b5bfe8c474fbb87218cba
diff -r 33c8996ed8a1 -r 598381f20046 security/heimdal/patches/patch-am
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/security/heimdal/patches/patch-am Wed Aug 09 17:58:09 2006 +0000
@@ -0,0 +1,25 @@
+$NetBSD: patch-am,v 1.1 2006/08/09 17:58:09 salo Exp $
+
+Security fix for SA21436.
+
+--- appl/dceutils/k5dcecon.c.orig 2002-08-09 15:19:41.000000000 +0200
++++ appl/dceutils/k5dcecon.c 2006-08-09 19:42:15.000000000 +0200
+@@ -71,7 +71,7 @@
+ #endif
+
+ #ifdef __hpux
+-#define seteuid(A) setresuid(-1,A,-1);
++#define seteuid(A) setresuid(-1,A,-1)
+ #endif
+
+
+@@ -549,7 +549,8 @@ int k5dcecreate(luid, luser, pname, krbt
+ */
+
+ if (uid == 0) {
+- seteuid(luid);
++ if (seteuid(luid) < 0)
++ goto abort;
+ }
+
+ cp = strchr(pname,'@');
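Review bot: The new failure branch in `k5dcecreate` jumps to `abort` without any diagnostic, so a refused drop to `luid` leaves no trace for whoever has to investigate it. The `abort` label lies outside the hunk, so it cannot be confirmed from here that the path returns an error and releases earlier state. A comment above the check such as `/* refuse to continue as root if the drop to luid fails */` would record why the branch exists. Separately, the HP-UX macro still expands its argument unparenthesised; now that it is used inside a condition, `#define seteuid(A) setresuid(-1,(A),-1)` is the safer spelling.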
diff -r 33c8996ed8a1 -r 598381f20046 security/heimdal/patches/patch-an
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/security/heimdal/patches/patch-an Wed Aug 09 17:58:09 2006 +0000
@@ -0,0 +1,145 @@
+$NetBSD: patch-an,v 1.1 2006/08/09 17:58:09 salo Exp $
+
+Security fix for SA21436.
+
+--- appl/ftp/ftpd/ftpd.c.orig 2005-06-02 12:41:28.000000000 +0200
++++ appl/ftp/ftpd/ftpd.c 2006-08-09 19:42:15.000000000 +0200
+@@ -138,9 +138,9 @@ static int handleoobcmd(void);
+ static int checkuser (char *, char *);
+ static int checkaccess (char *);
+ static FILE *dataconn (const char *, off_t, const char *);
+-static void dolog (struct sockaddr *sa, int len);
++static void dolog (struct sockaddr *, int);
+ static void end_login (void);
+-static FILE *getdatasock (const char *);
++static FILE *getdatasock (const char *, int);
+ static char *gunique (char *);
+ static RETSIGTYPE lostconn (int);
+ static int receive_data (FILE *, FILE *);
+@@ -835,7 +835,8 @@ static void
+ end_login(void)
+ {
+
+- seteuid((uid_t)0);
++ if (seteuid((uid_t)0) < 0)
++ fatal("Failed to seteuid");
+ if (logged_in)
+ ftpd_logwtmp(ttyline, "", "");
+ pw = NULL;
+@@ -1208,14 +1209,15 @@ done:
+ }
+
+ static FILE *
+-getdatasock(const char *mode)
++getdatasock(const char *mode, int domain)
+ {
+ int s, t, tries;
+
+ if (data >= 0)
+ return (fdopen(data, mode));
+- seteuid(0);
+- s = socket(ctrl_addr->sa_family, SOCK_STREAM, 0);
++ if (seteuid(0) < 0)
++ fatal("Failed to seteuid");
++ s = socket(domain, SOCK_STREAM, 0);
+ if (s < 0)
+ goto bad;
+ socket_set_reuseaddr (s, 1);
+@@ -1232,7 +1234,8 @@ getdatasock(const char *mode)
+ goto bad;
+ sleep(tries);
+ }
+- seteuid(pw->pw_uid);
++ if (seteuid(pw->pw_uid) < 0)
++ fatal("Failed to seteuid");
+ #ifdef IPTOS_THROUGHPUT
+ socket_set_tos (s, IPTOS_THROUGHPUT);
+ #endif
+@@ -1240,7 +1243,8 @@ getdatasock(const char *mode)
+ bad:
+ /* Return the real value of errno (close may change it) */
+ t = errno;
+- seteuid((uid_t)pw->pw_uid);
++ if (seteuid((uid_t)pw->pw_uid) < 0)
++ fatal("Failed to seteuid");
+ close(s);
+ errno = t;
+ return (NULL);
+@@ -1271,7 +1275,7 @@ dataconn(const char *name, off_t size, c
+ {
+ char sizebuf[32];
+ FILE *file;
+- int retry = 0;
++ int domain, retry = 0;
+
+ file_size = size;
+ byte_count = 0;
+@@ -1318,7 +1322,15 @@ dataconn(const char *name, off_t size, c
+ if (usedefault)
+ data_dest = his_addr;
+ usedefault = 1;
+- file = getdatasock(mode);
++ /*
++ * Default to using the same socket type as the ctrl address,
++ * unless we know the type of the data address.
++ */
++ domain = data_dest->sa_family;
++ if (domain == PF_UNSPEC)
++ domain = ctrl_addr->sa_family;
++
++ file = getdatasock(mode, domain);
+ if (file == NULL) {
+ char data_addr[256];
+
+@@ -1889,11 +1901,11 @@ dologout(int status)
+ transflag = 0;
+ urgflag = 0;
+ if (logged_in) {
+- seteuid((uid_t)0);
+- ftpd_logwtmp(ttyline, "", "");
+ #ifdef KRB4
+ cond_kdestroy();
+ #endif
++ seteuid((uid_t)0); /* No need to check, we call exit() below */
++ ftpd_logwtmp(ttyline, "", "");
+ }
+ /* beware of flushing buffers after a SIGPIPE */
+ #ifdef XXX
+@@ -2006,12 +2018,15 @@ pasv(void)
+ 0);
+ socket_set_portrange(pdata, restricted_data_ports,
+ pasv_addr->sa_family);
+- seteuid(0);
++ if (seteuid(0) < 0)
++ fatal("Failed to seteuid");
+ if (bind(pdata, pasv_addr, socket_sockaddr_size (pasv_addr)) < 0) {
+- seteuid(pw->pw_uid);
++ if (seteuid(pw->pw_uid) < 0)
++ fatal("Failed to seteuid");
+ goto pasv_error;
+ }
+- seteuid(pw->pw_uid);
++ if (seteuid(pw->pw_uid) < 0)
++ fatal("Failed to seteuid");
+ len = sizeof(pasv_addr_ss);
+ if (getsockname(pdata, pasv_addr, &len) < 0)
+ goto pasv_error;
+@@ -2050,12 +2065,15 @@ epsv(char *proto)
+ 0);
+ socket_set_portrange(pdata, restricted_data_ports,
+ pasv_addr->sa_family);
+- seteuid(0);
++ if (seteuid(0) < 0)
++ fatal("Failed to seteuid");
+ if (bind(pdata, pasv_addr, socket_sockaddr_size (pasv_addr)) < 0) {
+- seteuid(pw->pw_uid);
++ if (seteuid(pw->pw_uid))
++ fatal("Failed to seteuid");
+ goto pasv_error;
+ }
+- seteuid(pw->pw_uid);
++ if (seteuid(pw->pw_uid) < 0)
++ fatal("Failed to seteuid");
+ len = sizeof(pasv_addr_ss);
+ if (getsockname(pdata, pasv_addr, &len) < 0)
+ goto pasv_error;
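Review bot: In the `epsv` hunk the bind-failure branch tests `if (seteuid(pw->pw_uid))` while every other added check in this file compares with `< 0`; the two are equivalent for seteuid's 0/-1 return, but the line should read `if (seteuid(pw->pw_uid) < 0)` to match. All added checks share the message "Failed to seteuid", so a log entry cannot distinguish a failed switch to root before `socket`/`bind` from a failed drop back to `pw->pw_uid`, which is the case that would otherwise leave the session running as root. The `getdatasock(mode, domain)` signature change and the domain selection in `dataconn` are unrelated to the setuid checks and would be easier to audit as a separate patch. In `dologout` the reordered `seteuid((uid_t)0)` stays unchecked by design, which holds only while nothing between it and `exit()` depends on the uid; the rest of that function is outside the hunk.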
diff -r 33c8996ed8a1 -r 598381f20046 security/heimdal/patches/patch-ao
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/security/heimdal/patches/patch-ao Wed Aug 09 17:58:09 2006 +0000
@@ -0,0 +1,44 @@
+$NetBSD: patch-ao,v 1.1 2006/08/09 17:58:09 salo Exp $
+
+Security fix for SA21436.
+
+--- appl/rcp/rcp.c.orig 2005-05-11 13:04:30.000000000 +0200
++++ appl/rcp/rcp.c 2006-08-09 19:42:15.000000000 +0200
+@@ -119,13 +119,15 @@ main(int argc, char **argv)
+
+ if (fflag) { /* Follow "protocol", send data. */
+ response();
+- setuid(userid);
++ if (setuid(userid) < 0)
++ errx(1, "setuid failed");
+ source(argc, argv);
+ exit(errs);
+ }
+
+ if (tflag) { /* Receive data. */
+- setuid(userid);
++ if (setuid(userid) < 0)
++ errx(1, "setuid failed");
+ sink(argc, argv);
+ exit(errs);
+ }
+@@ -221,7 +223,8 @@ toremote(char *targ, int argc, char **ar
+ if (response() < 0)
+ exit(1);
+ free(bp);
+- setuid(userid);
++ if (setuid(userid) < 0)
++ errx(1, "setuid failed");
+ }
+ source(1, argv+i);
+ }
+@@ -270,7 +273,8 @@ tolocal(int argc, char **argv)
+ }
+ free(bp);
+ sink(1, argv + argc - 1);
+- seteuid(0);
++ if (seteuid(0) < 0)
++ exit(1);
+ close(remin);
+ remin = remout = -1;
+ }
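Review bot: In `tolocal` a failed `seteuid(0)` ends the process with a bare `exit(1)`, while the three `setuid(userid)` checks in `main` and `toremote` report through `errx`; `errx(1, "seteuid failed")` there would keep the failure visible and consistent. None of the messages carries errno, so a failure caused by a resource limit (the case the advisory describes) looks the same as any other; `err(1, "setuid")` would print the reason. The enclosing functions extend beyond the hunks shown.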
diff -r 33c8996ed8a1 -r 598381f20046 security/heimdal/patches/patch-ap
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/security/heimdal/patches/patch-ap Wed Aug 09 17:58:09 2006 +0000
@@ -0,0 +1,16 @@
+$NetBSD: patch-ap,v 1.1 2006/08/09 17:58:09 salo Exp $
+
+Security fix for SA21436.
+
+--- appl/rcp/util.c.orig 2005-04-18 09:52:58.000000000 +0200
++++ appl/rcp/util.c 2006-08-09 19:42:15.000000000 +0200
+@@ -112,7 +112,8 @@ susystem(s, userid)
+ return (127);
+
+ case 0:
+- (void)setuid(userid);
++ if (setuid(userid) < 0)
++ _exit(127);
+ execl(_PATH_BSHELL, "sh", "-c", s, NULL);
+ _exit(127);
+ }
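Review bot: The child in `susystem` exits with 127 when `setuid(userid)` fails, the same status used when `execl` fails, so the caller cannot tell a refused privilege drop from a missing shell. If the status has to stay 127 for compatibility, a comment on the new branch, e.g. `/* never run the shell with the caller's privileges */`, would document why the exec is skipped. The function starts and ends outside the hunk.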
diff -r 33c8996ed8a1 -r 598381f20046 security/heimdal/patches/patch-aq
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/security/heimdal/patches/patch-aq Wed Aug 09 17:58:09 2006 +0000
@@ -0,0 +1,16 @@
+$NetBSD: patch-aq,v 1.1 2006/08/09 17:58:09 salo Exp $
+
+Security fix for SA21436.
+
+--- lib/roken/iruserok.c.orig 2005-04-12 13:28:54.000000000 +0200
++++ lib/roken/iruserok.c 2006-08-09 19:42:15.000000000 +0200
+@@ -250,7 +250,8 @@ again:
+ * are protected read/write owner only.
+ */
+ uid = geteuid();
+- seteuid(pwd->pw_uid);
++ if (seteuid(pwd->pw_uid) < 0)
++ return (-1);
+ hostf = fopen(pbuf, "r");
+ seteuid(uid);
+
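Review bot: The restoring `seteuid(uid)` on the line after `fopen` is still unchecked, so only the switch to `pwd->pw_uid` is covered by this change. If the restore fails the function carries on with the target user's effective uid and the caller gets no indication; something like `if (seteuid(uid) < 0) { if (hostf != NULL) fclose(hostf); return (-1); }` would close that gap. The code after `again:` continues outside the hunk, so how `hostf` is used afterwards is not visible here.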