Gentoo's Bugzilla – Attachment 101596 Details for
Bug 153495
sys-cluster/openpbs possible multiple issues (CVE-2006-5616)
[patch]
OpenPBS_2_3_16-security.diff
OpenPBS_2_3_16-security.diff (text/plain), 4.34 KB, created by
Matt Drew (RETIRED)
on 2006-11-10 05:17:16 UTC
Description:
OpenPBS_2_3_16-security.diff
Filename:
MIME Type:
Creator:
Matt Drew (RETIRED)
Created:
2006-11-10 05:17:16 UTC
Size:
4.34 KB
patch
obsolete
>diff -Ebru OpenPBS_2_3_16/src/iff/iff2.c OpenPBS_2_3_16.patched/src/iff/iff2.c
>--- OpenPBS_2_3_16/src/iff/iff2.c 2001-12-05 01:38:08.000000000 +0100
>+++ OpenPBS_2_3_16.patched/src/iff/iff2.c 2006-09-27 16:01:28.000000000 +0200
>@@ -106,6 +106,14 @@
>
> static char ident[] = "@(#) $RCSfile: iff2.c,v $ $Revision: 2.2.10.8 $";
>
>+#define _GNU_SOURCE
>+#include <unistd.h>
>+
>+// we are lazy and do not check for errors here :(
>+uid_t __euid;
>+#define DROPEUID __euid = geteuid(); setresuid(getuid(), getuid(), geteuid())
>+#define RESTOREEUID setresuid(getuid(), __euid, getuid())
>+
> int pbs_errno;
> struct connect_handle connection[NCONNECTS];
>
>@@ -135,6 +143,8 @@
> extern int optind;
> extern char *optarg;
>
>+ DROPEUID;
>+
> /* Need to unset LOCALDOMAIN if set, want local host name */
>
> for (i=0; envp[i]; ++i) {
>@@ -176,12 +186,15 @@
> if ((servport = atoi(argv[++optind])) <= 0)
> return (1);
>
>+ RESTOREEUID; // we need a reserved port here
> for (i=0; i<10; i++) {
> sock = client_to_svr(hostaddr, (unsigned int)servport, 1);
> if (sock != PBS_NET_RC_RETRY)
> break;
> sleep(1);
> }
>+ DROPEUID;
>+
> if (sock < 0) {
> fprintf(stderr, "pbs_iff: cannot connect to host\n");
> return (4);
>Nur in OpenPBS_2_3_16.patched/src/iff: iff2.c~.
>diff -Ebru OpenPBS_2_3_16/src/mom_rcp/rcp.c OpenPBS_2_3_16.patched/src/mom_rcp/rcp.c
>--- OpenPBS_2_3_16/src/mom_rcp/rcp.c 1998-10-15 01:09:08.000000000 +0200
>+++ OpenPBS_2_3_16.patched/src/mom_rcp/rcp.c 2006-09-27 15:06:30.000000000 +0200
>@@ -135,7 +135,8 @@
> #ifdef KERBEROS
> case 'k':
> dest_realm = dst_realm_buf;
>- (void)strncpy(dst_realm_buf, optarg, REALM_SZ);
>+ memset(dst_realm_buf, 0, REALM_SZ);
>+ (void)strncpy(dst_realm_buf, optarg, REALM_SZ-1);
> break;
> #ifdef CRYPT
> case 'x':
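Review bot: In src/iff/iff2.c (hunk at -106), both macros discard the result of setresuid(), so if the call fails pbs_iff carries on with whatever IDs it already had, and a privilege drop that can fail silently is no drop at all. DROPEUID also expands to two statements, which come apart under an unbraced `if`, and `__euid` is a name reserved for the implementation. `#define _GNU_SOURCE` only takes effect when it precedes the first system header; this hunk places it after the ident string, so whether setresuid() gets a prototype depends on includes outside the hunk. I would replace the macros with two small static functions that check the return value and exit on failure, keeping the macro names so the call sites do not change.

```c
static uid_t saved_euid;

static void drop_euid(void)
{
	saved_euid = geteuid();
	if (setresuid(getuid(), getuid(), saved_euid) != 0) {
		perror("pbs_iff: setresuid");
		exit(1);
	}
}

static void restore_euid(void)
{
	if (setresuid(getuid(), saved_euid, getuid()) != 0) {
		perror("pbs_iff: setresuid");
		exit(1);
	}
}

#define DROPEUID    drop_euid()
#define RESTOREEUID restore_euid()
```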
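Review bot: In src/iff/iff2.c (hunk at -176), the `DROPEUID;` after the connect loop keeps the privileged uid in the saved set-user-ID, because the macro passes `geteuid()` as the third argument while the effective uid is still the restored one. Any later code in the process can therefore switch back to it. If nothing after the reserved-port connect needs privilege (the rest of main is outside the hunk, so this needs confirming), make this second drop permanent and checked: `if (setresuid(getuid(), getuid(), getuid()) != 0) return (1);`.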
>@@ -197,13 +198,15 @@
>
> if (fflag) { /* Follow "protocol", send data. */
> (void)response();
>- (void)setuid(userid);
>+ if(setuid(userid) != 0)
>+ errx(1, "can't change to uid %d", (int)userid);
> source(argc, argv);
> exit(errs);
> }
>
> if (tflag) { /* Receive data. */
>- (void)setuid(userid);
>+ if(setuid(userid) != 0)
>+ errx(1, "can't change to uid %d", (int)userid);
> sink(argc, argv);
> exit(errs);
> }
>@@ -637,6 +640,9 @@
>
> for (size = 0; isdigit(*cp);)
> size = size * 10 + (*cp++ - '0');
>+ if(size < 0) // integer overflow, more can happen in the loop but lets avoid testing for the sake of performance
>+ SCREWUP("size becomes too big and swapped");
>+
> if (*cp++ != ' ')
> SCREWUP("size not delimited");
> if (targisdir) {
>@@ -644,12 +650,12 @@
> static int cursize;
> size_t need;
>
>- need = strlen(targ) + strlen(cp) + 250;
>+ need = strlen(targ) + strlen(cp) + 250; // b/c this might overflow (very unlikely) we use sNprintf() later
> if (need > cursize) {
>- if (!(namebuf = malloc(need)))
>+ if (!(namebuf = malloc(need))) // will not set a limit here
> run_err("%s", strerror(errno));
> }
>- (void)sprintf(namebuf, "%s%s%s", targ,
>+ (void)snprintf(namebuf, need, "%s%s%s", targ,
> *targ ? "/" : "", cp);
> np = namebuf;
> } else
>@@ -818,6 +824,8 @@
> {
> char ch, *cp, resp, rbuf[BUFSIZ];
>
>+ memset(rbuf, 0, BUFSIZ);
>+
> if (read(rem, &resp, sizeof(resp)) != sizeof(resp))
> lostconn(0);
>
>@@ -834,7 +842,7 @@
> if (read(rem, &ch, sizeof(ch)) != sizeof(ch))
> lostconn(0);
> *cp++ = ch;
>- } while (cp < &rbuf[BUFSIZ] && ch != '\n');
>+ } while (cp < &rbuf[BUFSIZ-1] && ch != '\n');
>
> if (!iamremote)
> (void)write(STDERR_FILENO, rbuf, cp - rbuf);
>diff -Ebru OpenPBS_2_3_16/src/mom_rcp/util.c OpenPBS_2_3_16.patched/src/mom_rcp/util.c
>--- OpenPBS_2_3_16/src/mom_rcp/util.c 1998-10-15 01:09:13.000000000 +0200
>+++ OpenPBS_2_3_16.patched/src/mom_rcp/util.c 2006-09-27 14:52:38.000000000 +0200
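Review bot: In src/mom_rcp/rcp.c (hunk at -637), the `size < 0` test runs only after the overflow has already happened. Signed overflow is undefined behaviour in C, so a compiler may drop the test, and a long enough digit string can wrap past negative back to a positive value that passes it. The bound has to be checked before each multiply: with LIMIT standing for the maximum of size's type (its declaration is outside the hunk), the loop body, once braced, would start with `if (size > (LIMIT - (*cp - '0')) / 10) SCREWUP("size out of range");`. That is one compare per digit of a header field, so the performance concern in the added comment does not hold.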
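Review bot: In src/mom_rcp/rcp.c (hunk at -644), a failed malloc() still falls through to the new `snprintf(namebuf, need, ...)` with namebuf NULL, unless run_err() never returns, which the hunk does not show. The snprintf() result is also discarded, so a name cut short by a wrapped or too-small `need` would be used as the target path without any error; keep the return value and reject truncation, e.g. `if (n < 0 || (size_t)n >= need) SCREWUP("file name too long");`. Within the visible block `cursize` is never assigned, so the `need > cursize` test (size_t against int) appears to allocate on every call and drop the previous buffer.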
>@@ -120,7 +120,11 @@
> return (127);
>
> case 0:
>- (void)setuid(userid);
>+ if(setuid(userid) != 0)
>+ {
>+ run_err("setuid(%u): %s", userid, strerror(errno));
>+ _exit(127);
>+ }
> execl(_PATH_BSHELL, "sh", "-c", s, NULL);
> _exit(127);
> }
>@@ -129,6 +133,8 @@
> return (status);
> }
>
>+// arbitrary limit
>+#define UPPERLIMIT 2^20
> BUF *
> allocbuf(bp, fd, blksize)
> BUF *bp;
>@@ -141,6 +147,12 @@
> run_err("fstat: %s", strerror(errno));
> return (0);
> }
>+
>+ if(blksize <= 0 || blksize > UPPERLIMIT)
>+ {
>+ run_err("blksize value is ivalid (either <= 0 or > %u)\n", UPPERLIMIT);
>+ return 0;
>+ }
> size = (((int)stb.st_blksize + blksize - 1) / blksize) * blksize;
> if (size == 0)
> size = blksize;
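Review bot: In src/mom_rcp/util.c (hunk at -129), `2^20` is not a power of two: `^` is XOR in C, so UPPERLIMIT is 22. The macro is also unparenthesised, so the check added in the next hunk (-141) parses as `blksize <= 0 || ((blksize > 2) ^ 20)`, which is non-zero for every blksize, and allocbuf() would then reject every request. Define it as `#define UPPERLIMIT (1 << 20)`. The message in the -141 hunk also passes an int to `%u`, spells "ivalid", and ends in `\n`, which the other run_err() calls on this page do not.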