Gentoo's Bugzilla – Attachment 161331 Details for Bug 232642
mail-mta/postfix Insufficient mailbox owner/symlink checks (CVE-2008-2936, CVE-2008-2937)
[patch] patch for privilege escalation via hardlinked symlinks
postfix-link.patch (text/plain), 2.31 KB, created by Matthias Geerdsen (RETIRED) on 2008-07-25 09:52:52 UTC
>*** src/util/safe_open.c.orig Sun Jun 4 19:04:49 2006 >--- src/util/safe_open.c Thu Jul 24 14:01:54 2008 >*************** >*** 83,88 **** >--- 83,89 ---- > #include <msg.h> > #include <vstream.h> > #include <vstring.h> >+ #include <stringops.h> > #include <safe_open.h> > > /* safe_open_exist - open existing file */ >*************** >*** 138,150 **** > * for symlinks owned by root. NEVER, NEVER, make exceptions for symlinks > * owned by a non-root user. This would open a security hole when > * delivering mail to a world-writable mailbox directory. > */ > else if (lstat(path, &lstat_st) < 0) { > vstring_sprintf(why, "file status changed unexpectedly: %m"); > errno = EPERM; > } else if (S_ISLNK(lstat_st.st_mode)) { >! if (lstat_st.st_uid == 0) >! return (fp); > vstring_sprintf(why, "file is a symbolic link"); > errno = EPERM; > } else if (fstat_st->st_dev != lstat_st.st_dev >--- 139,168 ---- > * for symlinks owned by root. NEVER, NEVER, make exceptions for symlinks > * owned by a non-root user. This would open a security hole when > * delivering mail to a world-writable mailbox directory. >+ * >+ * The semantics of link(symlink, target) has changed over time. >+ * Traditionally, UNIX systems hardlink the target of the symlink. >+ * However, some systems hardlink the symlink itself. The latter behavior >+ * was introduced with Solaris 2.0, and with Linux kernel 2.0. Sebastian >+ * Krahmer of SuSE found that hardlinks to symlinks could be used to >+ * append mail for root to a sensitive file. For this reason, we not >+ * only require that a symlink is owned by root, but we now also require >+ * that its parent directory is writable only by root. > */ > else if (lstat(path, &lstat_st) < 0) { > vstring_sprintf(why, "file status changed unexpectedly: %m"); > errno = EPERM; > } else if (S_ISLNK(lstat_st.st_mode)) { >! if (lstat_st.st_uid == 0) { >! struct stat parent_st; >! const char *parent; >! >! parent = sane_dirname((VSTRING *) 0, path); >! 
if (stat(parent, &parent_st) == 0 /* real parent */ >! && parent_st.st_uid == 0 >! && (parent_st.st_mode & (S_IWGRP | S_IWOTH)) == 0) >! return (fp); >! } > vstring_sprintf(why, "file is a symbolic link"); > errno = EPERM; > } else if (fstat_st->st_dev != lstat_st.st_dev
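Review bot: In the S_ISLNK branch of the second hunk, a root-owned symlink that fails the new parent-directory test falls through to the unchanged `vstring_sprintf(why, "file is a symbolic link");`, so the logged reason is the same as for a symlink owned by a non-root user. An administrator whose root-owned symlink sits in a group- or world-writable directory gets no hint that the directory's ownership or mode is what needs fixing. Consider setting a distinct `why` text when `lstat_st.st_uid == 0` but the `stat(parent, &parent_st)` test fails. It would also help to state in the comment block that only the immediate parent is examined, that it is resolved through `stat()` (the `/* real parent */` case), and that this is a path-based lookup made after the `lstat()`, so the result describes the directory at check time rather than at open time.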