Go to:
Gentoo Home
Documentation
Forums
Lists
Bugs
Planet
Store
Wiki
Get Gentoo!
Gentoo's Bugzilla – Attachment 150638 Details for
Bug 218933
kde-base/kdelibs <3.5.8-r4 start_kdeinit multiple vulnerabilities (CVE-2008-1671)
Home
|
New
–
[Ex]
|
Browse
|
Search
|
Privacy Policy
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
patch for KDE 3.5.5 - KDE 3.5.9
post-kde-3.5.5-kinit.diff (text/plain), 3.87 KB, created by
Matthias Geerdsen (RETIRED)
on 2008-04-22 19:35:33 UTC
(
hide
)
Description:
patch for KDE 3.5.5 - KDE 3.5.9
Filename:
MIME Type:
Creator:
Matthias Geerdsen (RETIRED)
Created:
2008-04-22 19:35:33 UTC
Size:
3.87 KB
patch
obsolete
>--- kinit/start_kdeinit.c >+++ kinit/start_kdeinit.c >@@ -37,9 +37,10 @@ > not have this protection, kdeinit will after forking send the new > PID using the pipe and wait for a signal. This parent will reset the protection > and SIGUSR1 the process to continue. >+ returns 1 if pid is valid > */ > >-static void set_protection( pid_t pid, int enable ) >+static int set_protection( pid_t pid, int enable ) > { > char buf[ 1024 ]; > int procfile; >@@ -49,7 +50,7 @@ static void set_protection( pid_t pid, i > belongs to this user. */ > struct stat st; > if( lstat( buf, &st ) < 0 || st.st_uid != getuid()) >- return; >+ return 0; > } > procfile = open( buf, O_WRONLY ); > if( procfile >= 0 ) { >@@ -59,6 +60,7 @@ static void set_protection( pid_t pid, i > write( procfile, "0", sizeof( "0" )); > close( procfile ); > } >+ return 1; > } > > int main(int argc, char **argv) >@@ -67,14 +69,14 @@ int main(int argc, char **argv) > int new_argc; > const char** new_argv; > char helper_num[ 1024 ]; >- int i; >+ unsigned i; > char** orig_environ = NULL; > char header[ 7 ]; > if( pipe( pipes ) < 0 ) { > perror( "pipe()" ); > return 1; > } >- if( argc > 1000 ) >+ if( argc < 0 || argc > 1000 ) > abort(); /* paranoid */ > set_protection( getpid(), 1 ); > switch( fork()) { >@@ -82,29 +84,30 @@ int main(int argc, char **argv) > perror( "fork()" ); > return 1; > default: /* parent, drop privileges and exec */ >-#if defined (HAVE_SETEUID) && !defined (HAVE_SETEUID_FAKE) >- seteuid(getuid()); >-#else >- setreuid(-1, getuid()); >-#endif >- if (geteuid() != getuid()) { >+ if (setgid(getgid())) { >+ perror("setgid()"); >+ return 1; >+ } >+ if (setuid(getuid()) || geteuid() != getuid()) { > perror("setuid()"); > return 1; > } > close( pipes[ 0 ] ); > /* read original environment passed by start_kdeinit_wrapper */ > if( read( 0, header, 7 ) == 7 && strncmp( header, "environ", 7 ) == 0 ) { >- int count; >- if( read( 0, &count, sizeof( int )) == sizeof( int )) { >+ unsigned count; >+ if( read( 0, &count, sizeof( unsigned )) == sizeof( unsigned ) >+ && count && count < (1<<16)) { > char** env = malloc(( count + 1 ) * sizeof( char* )); > int ok = 1; > for( i = 0; > i < count && ok; > ++i ) { >- int len; >- if( read( 0, &len, sizeof( int )) == sizeof( int )) { >+ unsigned len; >+ if( read( 0, &len, sizeof( unsigned )) == sizeof( unsigned ) >+ && len && len < (1<<12)) { > env[ i ] = malloc( len + 1 ); >- if( read( 0, env[ i ], len ) == len ) { >+ if( (unsigned) read( 0, env[ i ], len ) == len ) { > env[ i ][ len ] = '\0'; > } else { > ok = 0; >@@ -128,7 +131,7 @@ int main(int argc, char **argv) > sprintf( helper_num, "%d", pipes[ 1 ] ); > new_argv[ 2 ] = helper_num; > for( i = 1; >- i <= argc; >+ i <= (unsigned) argc; > ++i ) > new_argv[ i + 2 ] = argv[ i ]; > if( orig_environ ) >@@ -145,10 +148,10 @@ int main(int argc, char **argv) > if( ret < 0 && errno == EINTR ) > continue; > if( ret <= 0 ) /* pipe closed or error, exit */ >- return 0; >+ _exit(0); > if( pid != 0 ) { >- set_protection( pid, 0 ); >- kill( pid, SIGUSR1 ); >+ if (set_protection( pid, 0 )) >+ kill( pid, SIGUSR1 ); > } > } > }
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 218933
: 150638 |
150693