ports/148099: [INFO] patch available for emacs movemail vulnerability.
Kazuo Dohzono
dohzono at axion-software.com
Thu Jun 24 02:20:02 UTC 2010
>Number: 148099
>Category: ports
>Synopsis: [INFO] patch available for emacs movemail vulnerability.
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Jun 24 02:20:01 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator: Kazuo Dohzono
>Release: 8.0-RELEASE
>Organization:
Axion Software Inc.
>Environment:
>Description:
portaudit -aF reports a vulnerability below:
| Affected package: emacs-22.3_4,1
| Type of problem: emacs -- movemail symlink race condition.
| Reference: <http://portaudit.FreeBSD.org/f6b6beaa-4e0e-11df-83fb-0015587e2cc1.html>
and there seems to be a patch here.
http://launchpadlibrarian.net/41882940/movemail.patch
It is discussed here:
https://bugs.launchpad.net/ubuntu/+bug/531569
>How-To-Repeat:
>Fix:
Patch attached with submission follows:
--- emacs22-22.2/lib-src/movemail.c.orig 2010-03-03 16:44:40.000000000 -0500
+++ emacs22-22.2/lib-src/movemail.c 2010-03-24 18:07:49.000000000 -0400
@@ -177,6 +177,10 @@
int nread;
WAITTYPE status;
int c, preserve_mail = 0;
+ uid_t real_gid, priv_gid;
+
+ real_gid = getgid();
+ priv_gid = getegid();
#ifndef MAIL_USE_SYSTEM_LOCK
struct stat st;
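Review bot: `uid_t real_gid, priv_gid;` declares the two group ids with the user-id type, although both are assigned from getgid()/getegid() right below and handed to setegid() in the later hunks; it should read `gid_t real_gid, priv_gid;`. On most platforms the two typedefs have the same width, so this compiles silently and no warning flags it. The enclosing function starts outside the hunk.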
@@ -248,25 +252,6 @@
if (*outname == 0)
fatal ("Destination file name is empty", 0, 0);
- /* Check access to output file. */
- if (access (outname, F_OK) == 0 && access (outname, W_OK) != 0)
- pfatal_with_name (outname);
-
- /* Also check that outname's directory is writable to the real uid. */
- {
- char *buf = (char *) xmalloc (strlen (outname) + 1);
- char *p;
- strcpy (buf, outname);
- p = buf + strlen (buf);
- while (p > buf && !IS_DIRECTORY_SEP (p[-1]))
- *--p = 0;
- if (p == buf)
- *p++ = '.';
- if (access (buf, W_OK) != 0)
- pfatal_with_name (buf);
- free (buf);
- }
-
#ifdef MAIL_USE_POP
if (!strncmp (inname, "po:", 3))
{
@@ -278,15 +263,12 @@
exit (status);
}
- setuid (getuid ());
+ if ( setuid (getuid ()) < 0 )
+ fatal ("Failed to drop privileges", 0, 0);
+
#endif /* MAIL_USE_POP */
#ifndef DISABLE_DIRECT_ACCESS
-
- /* Check access to input file. */
- if (access (inname, R_OK | W_OK) != 0)
- pfatal_with_name (inname);
-
#ifndef MAIL_USE_MMDF
#ifndef MAIL_USE_SYSTEM_LOCK
#ifdef MAIL_USE_MAILLOCK
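Review bot: The POP branch at `if (!strncmp (inname, "po:", 3))` still reaches popmail() with the privileged effective gid, and the `access (outname, W_OK)` check that used to run before it is removed in the previous hunk, so nothing on that path replaces it. Whether that matters depends on how popmail() opens outname, which is not visible here; if it creates or truncates outname by path without O_EXCL, it needs the same `setegid (real_gid)` drop the direct-access path gets before its open. The added `if ( setuid (getuid ()) < 0 )` check itself is fine, but it only covers the non-POP continuation. The enclosing function starts outside the hunk.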
@@ -373,7 +355,8 @@
long touched_lock, now;
#endif
- setuid (getuid ());
+ if ( setuid (getuid ()) < 0 || setegid (real_gid) < 0 )
+ fatal("Failed to drop privileges", 0, 0);
#ifndef MAIL_USE_MMDF
#ifdef MAIL_USE_SYSTEM_LOCK
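Review bot: `setegid (real_gid)` is called unconditionally here, as are getegid()/setegid() in the other new hunks, while the rest of this file guards platform-specific calls with feature macros and still carries non-POSIX branches such as the STRIDE/XENIX truncation path later in the patch. If any of those targets are still built, setegid() may be unavailable there; confirm against the build configuration and, if needed, wrap the new calls in an autoconf-style HAVE_ conditional with the old behaviour as the fallback. The short-circuit in `setuid (getuid ()) < 0 || setegid (real_gid) < 0` is fine since fatal() exits on either failure, but one message for both makes the failing call indistinguishable; two separate checks with `"setuid failed"` and `"setegid failed"` wording would help diagnosis. The enclosing function starts outside the hunk.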
@@ -399,6 +382,9 @@
if (outdesc < 0)
pfatal_with_name (outname);
+ if ( setegid(priv_gid) < 0 )
+ fatal("Failed to regain privileges", 0, 0);
+
/* This label exists so we can retry locking
after a delay, if it got EAGAIN or EBUSY. */
retry_lock:
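Review bot: If `setegid(priv_gid)` fails here, `fatal("Failed to regain privileges", 0, 0)` exits while outname, which the open just above appears to have created (the hunk shows only its failure check, so confirm), is left behind as an empty file; the error path after `close (outdesc)` later in the patch uses pfatal_and_delete for exactly that reason. Suggest `if (setegid (priv_gid) < 0) { unlink (outname); fatal ("Failed to regain privileges", 0, 0); }` so the partial output does not linger. The enclosing function starts outside the hunk.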
@@ -499,6 +485,10 @@
/* Check to make sure no errors before we zap the inbox. */
if (close (outdesc) != 0)
pfatal_and_delete (outname);
+
+ /* Prevent symlink attacks truncating other users' mailboxes */
+ if ( setegid (real_gid) < 0 )
+ fatal("Failed to drop privileges", 0, 0);
#ifdef MAIL_USE_SYSTEM_LOCK
if (! preserve_mail)
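Review bot: The comment `Prevent symlink attacks truncating other users' mailboxes` states the intent but not what the drop actually constrains: `ftruncate (indesc, 0L)` in the next hunk acts on a descriptor that was already opened, so the effective gid at that point does not affect it, whereas the `open (inname, O_CREAT | O_TRUNC ...)` and `creat (inname, 0600)` branches re-resolve inname by path and are the operations this gid drop protects. Suggest replacing the comment with `/* Truncate with the real gid: the open/creat paths below re-resolve inname, and a symlink planted in the spool must not be followed with the group's privileges. */`. The enclosing function starts outside the hunk.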
@@ -506,7 +496,12 @@
#if defined (STRIDE) || defined (XENIX)
/* Stride, xenix have file locking, but no ftruncate.
This mess will do. */
- close (open (inname, O_CREAT | O_TRUNC | O_RDWR, 0666));
+ int indesc2 = open (inname, O_CREAT | O_TRUNC | O_RDWR, 0666);
+ if ( indesc2 < 0 )
+ pfatal_with_name (inname)
+
+ close (indesc2);
+
#else
ftruncate (indesc, 0L);
#endif /* STRIDE or XENIX */
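Review bot: `pfatal_with_name (inname)` on the new line after `if ( indesc2 < 0 )` is missing its semicolon, so this branch does not compile; because it is only built when STRIDE or XENIX is defined, an ordinary build will not catch it. The blank line before `close (indesc2);` also makes the if body look as if it continued. Suggested lines: `if (indesc2 < 0)` / `  pfatal_with_name (inname);` / `close (indesc2);`. The `ftruncate (indesc, 0L)` return on the sibling branch stays unchecked, which is pre-existing but deserves the same treatment now that this path checks its open(). The enclosing function starts outside the hunk.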
@@ -532,6 +527,10 @@
creat (inname, 0600);
}
#endif /* not MAIL_USE_SYSTEM_LOCK */
+
+ /* End of mailbox truncation */
+ if ( setegid(priv_gid) < 0 )
+ fatal("Failed to regain privileges", 0, 0);
#ifdef MAIL_USE_MAILLOCK
/* This has to occur in the child, i.e., in the process that
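Review bot: `setegid(priv_gid)` and `fatal("Failed to regain privileges", 0, 0)` drop the space before the parenthesis that the rest of this file uses (`setegid (real_gid)`, `fatal (`, `creat (inname, 0600)`), and the patch is inconsistent with itself: the hunks at `@@ -373`, `@@ -399` and `@@ -499` mix `fatal(` with `fatal (` and pad conditions as `if ( ... )`. Suggest writing these as `if (setegid (priv_gid) < 0)` and `fatal ("Failed to regain privileges", 0, 0);` throughout. The enclosing function starts outside the hunk.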
>Release-Note:
>Audit-Trail:
>Unformatted: