Go to:
Gentoo Home
Documentation
Forums
Lists
Bugs
Planet
Store
Wiki
Get Gentoo!
Gentoo's Bugzilla – Attachment 48784 Details for
Bug 78429
media-sound/playmidi: Local root vulnerability
Home
|
New
–
[Ex]
|
Browse
|
Search
|
Privacy Policy
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
CAN-2005-0020.patch
CAN-2005-0020.patch (text/plain), 2.45 KB, created by
Luke Macken (RETIRED)
on 2005-01-17 14:55:57 UTC
(
hide
)
Description:
CAN-2005-0020.patch
Filename:
MIME Type:
Creator:
Luke Macken (RETIRED)
Created:
2005-01-17 14:55:57 UTC
Size:
2.45 KB
patch
obsolete
>--- playmidi.c.orig 2005-01-17 17:43:20.578060936 -0500 >+++ playmidi.c 2005-01-17 17:48:55.022217696 -0500 >@@ -22,6 +22,7 @@ > #include <ctype.h> > #include <unistd.h> > #include <sys/stat.h> >+#include <errno.h> > #include "playmidi.h" > > SEQ_DEFINEBUF(SEQUENCERBLOCKSIZE); >@@ -186,6 +187,15 @@ > struct stat info; > int piped = 0; > >+ /* CPhipps 2000/02/04 - this might be splaymidi, in which case we're >+ * probably setuid root. Drop privs immediately.. io_svgalib.c can >+ * regain them */ >+ if (getuid() != geteuid()) >+ if (seteuid(getuid())) { >+ perror("seteuid"); >+ exit(EPERM); /* Seems appropriate */ >+ } >+ > printf("%s Copyright (C) 1994-1997 Nathan I. Laredo," > " AWE32 by Takashi Iwai\n" > "This is free software with ABSOLUTELY NO WARRANTY.\n" >@@ -439,9 +449,9 @@ > for (i = optind; i < argc;) { > filename = argv[i]; > if (stat(filename, &info) == -1) { >- if ((extra = malloc(strlen(filename) + 4)) == NULL) >+ if ((extra = malloc(strlen(filename) + 5)) == NULL) > close_show(-1); >- sprintf(extra, "%s.mid", filename); >+ snprintf(extra, sizeof(extra), "%s.mid", filename); > if (stat(extra, &info) == -1) > close_show(-1); > if ((mfd = fopen(extra, "r")) == NULL) >@@ -452,7 +462,7 @@ > if (ext && strcmp(ext, ".gz") == 0) { > char temp[1024]; > piped = 1; >- sprintf(temp, "gzip -l %s", filename); >+ snprintf(temp, sizeof(temp), "gzip -l %s", filename); > if ((mfd = popen(temp, "r")) == NULL) > close_show(-1); > fgets(temp, sizeof(temp), mfd); /* skip 1st line */ >@@ -460,7 +470,7 @@ > strtok(temp, " "); /* compressed size */ > info.st_size = atoi(strtok(NULL, " ")); /* original size */ > pclose(mfd); >- sprintf(temp, "gzip -d -c %s", filename); >+ snprintf(temp, sizeof(temp), "gzip -d -c %s", filename); > if ((mfd = popen(temp, "r")) == NULL) > close_show(-1); > } else if ((mfd = fopen(filename, "r")) == NULL) >--- io_svgalib.c.orig 2005-01-17 17:49:55.758984304 -0500 >+++ io_svgalib.c 2005-01-17 17:49:59.310444400 -0500 >@@ -259,6 +259,10 @@ > tcgetattr(mytty, &newtty); > newtty.c_lflag &= ~(ICANON | ECHO | ICRNL | ISIG); > tcsetattr(mytty, TCSANOW, &newtty); >+ /* CPhipps 2000/02/04 - restore euid root in order to start SVGALib. >+ * We don't have to worry about errors, or dropping priv's afterwards, >+ * SVGALib handles that safely for us. */ >+ seteuid(0); > vga_init(); > if ((vgamode = vga_getdefaultmode()) == -1) > vgamode = G640x480x256;
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=48784">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 78429
: 48784
