Attachment 36210 Details for Bug 81521

[patch] patch for CAN 2005-1151

patch.CAN-2005-1151.qpopper (text/plain), 5.16 KB, created by Sebastian Krahmer on 2005-05-02 08:21:00 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Sebastian Krahmer

Created: 2005-05-02 08:21:00 UTC

Size: 5.16 KB

patch

obsolete

>diff -u qpopper-4.0.4/debian/changelog qpopper-4.0.4/debian/changelog
>--- qpopper-4.0.4/debian/changelog
>+++ qpopper-4.0.4/debian/changelog
>@@ -1,3 +1,15 @@
>+qpopper (4.0.4-2.woody.5) stable-security; urgency=high
>+
>+  * Non-maintainer upload by the Security Team
>+  * Backported upstream patch to fix unauthorised file read access
>+    [popper/pop_config.c, CAN-2005-1151]
>+  * Backported upstream patch to fix unauthorised file write access
>+    [popper/popauth.c, CAN-2005-1151]
>+
>+ -- Martin Schulze <joey@infodrom.org>  Wed, 20 Apr 2005 20:27:57 +0200
>+
> qpopper (4.0.4-2.woody.4) stable-security; urgency=medium
> 
>   * Non-maintainer upload by the Security Team
>only in patch2:
>unchanged:
>--- qpopper-4.0.4.orig/popper/pop_config.c
>+++ qpopper-4.0.4/popper/pop_config.c
>@@ -85,6 +85,7 @@
> #include <string.h>
> #include <errno.h>
> #include <ctype.h>
>+#include <unistd.h>
> 
> #include "popper.h"
> #include "utils.h"
>@@ -1487,6 +1488,8 @@
>     int         rslt;
>     char        buf [ 256 ];
>     struct stat stat_buf;
>+    BOOL	bUser		= FALSE;
>+    BOOL	bSpool		= FALSE;
> 
> 
>     if ( p->bUser_opts ) {
>@@ -1497,14 +1500,8 @@
>                       p->user );
>         else {
>             rslt = stat ( buf, &stat_buf );
>-            if ( rslt == 0 ) {
>-                rslt = pop_config ( p, buf, CfgUser );
>-                if ( rslt == POP_FAILURE ) {
>-                    pop_log ( p, POP_PRIORITY, HERE,
>-                              "Unable to process user options file for user %s",
>-                              p->user );
>-                }
>-            }
>+            if ( rslt == 0 )
>+		bUser = TRUE;
>         }
>     } /* p->user_opts */
> 
>@@ -1517,16 +1514,46 @@
>                       p->user );
>         else {
>             rslt = stat ( buf, &stat_buf );
>-            if ( rslt == 0 ) {
>-                rslt = pop_config ( p, buf, CfgConnected );
>-                if ( rslt == POP_FAILURE ) {
>-                    pop_log ( p, POP_PRIORITY, HERE,
>-                              "Unable to process spool options file for user %s",
>-                              p->user );
>-                }
>-            }
>+            if ( rslt == 0 )
>+                bSpool = TRUE;
>         }
>     } /* p->spool_opts */
>+
>+    /*
>+     * If we are to process either, do it as the user, not root
>+     */
>+    if ( bUser || bSpool ) {
>+	UID_T uid_save = 0;
>+
>+        uid_save = geteuid();
>+        if ( seteuid ( pwp->pw_uid ) != 0 ) {
>+            rslt = POP_FAILURE; /* seteuid failed */
>+            pop_log ( p, POP_PRIORITY, HERE,
>+                      "seteuid(%i) for user %s failed",
>+                      pwp->pw_uid, p->user );
>+        } /* seteuid failed */
>+        else { /* we are now the user */
>+            if ( bUser ) {
>+                rslt = pop_config ( p, buf, CfgConnected );
>+		if ( rslt == POP_FAILURE )
>+			pop_log ( p, POP_PRIORITY, HERE,
>+				  "Unable to process user options file for user %s",
>+				  p->user );
>+	    }
>+
>+            if ( bSpool ) {
>+                rslt = pop_config ( p, buf, CfgConnected );
>+		if ( rslt == POP_FAILURE )
>+			pop_log ( p, POP_PRIORITY, HERE,
>+				  "Unable to process spool options file for user %s",
>+				  p->user );
>+	    }
>+
>+            if ( seteuid ( uid_save ) != 0 )
>+                pop_log ( p, POP_PRIORITY, HERE,
>+                          "seteuid(%i) back failed", uid_save );
>+        } /* we are now the user */
>+    } /* bUser || bSpool */
> }
> 
> 
>only in patch2:
>unchanged:
>--- qpopper-4.0.4.orig/popper/popauth.c
>+++ qpopper-4.0.4/popper/popauth.c
>@@ -107,6 +107,7 @@
> #include <fcntl.h>
> #include <errno.h>
> #include <string.h>
>+#include <unistd.h>
> 
> #ifndef HAVE_BCOPY
> #  define bcopy(src,dest,len) (void) (memcpy(dest,src,len))
>@@ -277,6 +278,7 @@
> static void         helpful ( void );
> static int          check_db_err ( void *db, const char *op, BOOL bExp );
> static const char  *printable ( const char *p, int len );
>+static void         open_trace ( char *fname );
> 
> 
> static void
>@@ -453,6 +455,30 @@
> }
> 
> 
>+void
>+open_trace ( char *tname )
>+{
>+    UID_T uid_save = -1;
>+    UID_T myuid    = -1;
>+
>+
>+    uid_save = geteuid();
>+    myuid = getuid();
>+    if ( seteuid ( myuid ) != 0 )
>+        adios ( HERE, "internal error @ %i", __LINE__ );
>+    
>+    trace_file = fopen ( tname, "a+" );
>+    if ( trace_file == NULL )
>+        adios ( HERE, "Unable to open trace file \"%s\": %s (%d)\n",
>+                tname, STRERROR(errno), errno );
>+    BLATHER1 ( "Trace and Debug destination is file \"%s\"",
>+               tname );
>+            
>+    if ( seteuid ( uid_save ) != 0 )
>+        adios ( HERE, "internal error @ %i", __LINE__ );
>+}
>+
>+
> #ifndef HAVE_STRDUP
> #include <stddef.h>
> 
>@@ -748,13 +775,7 @@
>                 helpful();
>             case TRACESW:
>                 debug++;
>-                trace_file = fopen ( argv[1], "a+" );
>-                if ( trace_file == NULL )
>-                    adios ( HERE, 
>-                            "Unable to open trace file \"%s\": %s (%d)\n",
>-                            argv[1], STRERROR(errno), errno );
>-                BLATHER1 ( "Trace and Debug destination is file \"%s\"",
>-                           argv[1] );
>+		open_trace ( argv[1] );
>                 argc--;
>                 argv++;
>                 break;

Actions: View | Diff

Attachments on bug 81521: 36210 | 36211 | 36216 | 36217