rev 10233 - in trunk/packages/kdelibs/debian: . patches
Fathi Boudra
fabo at alioth.debian.org
Tue Apr 22 17:49:49 UTC 2008
Author: fabo
Date: 2008-04-22 17:49:48 +0000 (Tue, 22 Apr 2008)
New Revision: 10233
Added:
trunk/packages/kdelibs/debian/patches/03_start_kdeinit_integer_overflow.diff
Modified:
trunk/packages/kdelibs/debian/changelog
Log:
* Add 03_start_kdeinit_integer_overflow.diff patch to fix a security
advisory: start_kdeinit multiple vulnerabilities.
Modified: trunk/packages/kdelibs/debian/changelog
===================================================================
--- trunk/packages/kdelibs/debian/changelog 2008-04-22 13:00:53 UTC (rev 10232)
+++ trunk/packages/kdelibs/debian/changelog 2008-04-22 17:49:48 UTC (rev 10233)
@@ -1,3 +1,10 @@
+kdelibs (4:3.5.9.dfsg.1-3) UNRELEASED; urgency=low
+
+ * Add 03_start_kdeinit_integer_overflow.diff patch to fix a security
+ advisory: start_kdeinit multiple vulnerabilities.
+
+ -- Fathi Boudra <fabo at debian.org> Tue, 22 Apr 2008 19:44:01 +0200
+
kdelibs (4:3.5.9.dfsg.1-2) unstable; urgency=low
+++ Changes by Modestas Vainius:
Added: trunk/packages/kdelibs/debian/patches/03_start_kdeinit_integer_overflow.diff
===================================================================
--- trunk/packages/kdelibs/debian/patches/03_start_kdeinit_integer_overflow.diff (rev 0)
+++ trunk/packages/kdelibs/debian/patches/03_start_kdeinit_integer_overflow.diff 2008-04-22 17:49:48 UTC (rev 10233)
@@ -0,0 +1,117 @@
+If start_kdeinit is installed as setuid root, a local user
+might be able to send unix signals to other processes, cause
+a denial of service or even possibly execute arbitrary code.
+
+--- a/kinit/start_kdeinit.c
++++ b/kinit/start_kdeinit.c
+@@ -37,9 +37,10 @@
+ not have this protection, kdeinit will after forking send the new
+ PID using the pipe and wait for a signal. This parent will reset the protection
+ and SIGUSR1 the process to continue.
++ returns 1 if pid is valid
+ */
+
+-static void set_protection( pid_t pid, int enable )
++static int set_protection( pid_t pid, int enable )
+ {
+ char buf[ 1024 ];
+ int procfile;
+@@ -49,7 +50,7 @@
+ belongs to this user. */
+ struct stat st;
+ if( lstat( buf, &st ) < 0 || st.st_uid != getuid())
+- return;
++ return 0;
+ }
+ procfile = open( buf, O_WRONLY );
+ if( procfile >= 0 ) {
+@@ -59,6 +60,7 @@
+ write( procfile, "0", sizeof( "0" ));
+ close( procfile );
+ }
++ return 1;
+ }
+
+ int main(int argc, char **argv)
+@@ -67,14 +69,14 @@
+ int new_argc;
+ const char** new_argv;
+ char helper_num[ 1024 ];
+- int i;
++ unsigned i;
+ char** orig_environ = NULL;
+ char header[ 7 ];
+ if( pipe( pipes ) < 0 ) {
+ perror( "pipe()" );
+ return 1;
+ }
+- if( argc > 1000 )
++ if( argc < 0 || argc > 1000 )
+ abort(); /* paranoid */
+ set_protection( getpid(), 1 );
+ switch( fork()) {
+@@ -82,29 +84,30 @@
+ perror( "fork()" );
+ return 1;
+ default: /* parent, drop privileges and exec */
+-#if defined (HAVE_SETEUID) && !defined (HAVE_SETEUID_FAKE)
+- seteuid(getuid());
+-#else
+- setreuid(-1, getuid());
+-#endif
+- if (geteuid() != getuid()) {
++ if (setgid(getgid())) {
++ perror("setgid()");
++ return 1;
++ }
++ if (setuid(getuid()) || geteuid() != getuid()) {
+ perror("setuid()");
+ return 1;
+ }
+ close( pipes[ 0 ] );
+ /* read original environment passed by start_kdeinit_wrapper */
+ if( read( 0, header, 7 ) == 7 && strncmp( header, "environ", 7 ) == 0 ) {
+- int count;
+- if( read( 0, &count, sizeof( int )) == sizeof( int )) {
++ unsigned count;
++ if( read( 0, &count, sizeof( unsigned )) == sizeof( unsigned )
++ && count && count < (1<<16)) {
+ char** env = malloc(( count + 1 ) * sizeof( char* ));
+ int ok = 1;
+ for( i = 0;
+ i < count && ok;
+ ++i ) {
+- int len;
+- if( read( 0, &len, sizeof( int )) == sizeof( int )) {
++ unsigned len;
++ if( read( 0, &len, sizeof( unsigned )) == sizeof( unsigned )
++ && len && len < (1<<12)) {
+ env[ i ] = malloc( len + 1 );
+- if( read( 0, env[ i ], len ) == len ) {
++ if( (unsigned) read( 0, env[ i ], len ) == len ) {
+ env[ i ][ len ] = '\0';
+ } else {
+ ok = 0;
+@@ -128,7 +131,7 @@
+ sprintf( helper_num, "%d", pipes[ 1 ] );
+ new_argv[ 2 ] = helper_num;
+ for( i = 1;
+- i <= argc;
++ i <= (unsigned) argc;
+ ++i )
+ new_argv[ i + 2 ] = argv[ i ];
+ if( orig_environ )
+@@ -145,10 +148,10 @@
+ if( ret < 0 && errno == EINTR )
+ continue;
+ if( ret <= 0 ) /* pipe closed or error, exit */
+- return 0;
++ _exit(0);
+ if( pid != 0 ) {
+- set_protection( pid, 0 );
+- kill( pid, SIGUSR1 );
++ if (set_protection( pid, 0 ))
++ kill( pid, SIGUSR1 );
+ }
+ }
+ }
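Review bot: Both allocations in the environment-reading loop, `char** env = malloc(( count + 1 ) * sizeof( char* ));` and `env[ i ] = malloc( len + 1 );`, remain unchecked; if the first returns NULL the store `env[ i ] = malloc( len + 1 )` writes through a null pointer, and the new upper bounds on `count` and `len` keep the sizes small but do not make the allocation infallible. Treating a NULL result like a short read keeps the failure on the existing `ok` path: `if( env == NULL ) ok = 0;` before the loop and `if( env[ i ] == NULL ) { ok = 0; break; }` after the second malloc (what the `ok == 0` path frees is outside the hunk, so that would need checking). This code runs in the parent after the new `setgid(getgid())`/`setuid(getuid())` drop, so a failure here is a crash of an unprivileged process rather than a privilege problem. Separately, the added comment `returns 1 if pid is valid` overstates what set_protection promises: it also returns 1 when `open( buf, O_WRONLY )` fails, so the guarded `kill( pid, SIGUSR1 )` in the last hunk can follow a protection reset that never happened; `returns 0 only when the ownership check rejects pid` would describe the code as written. set_protection's ownership check sits inside a block whose condition is outside the hunk, and main() continues outside the hunks.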