Gentoo's Bugzilla – Attachment 224127 Details for
Bug 310049
<mail-filter/spamass-milter-0.3.1-r4: Remote Root Attack (CVE-2010-1132)
[patch]
patch from http://savannah.nongnu.org/bugs/index.php?29136
popen.diff (text/plain), 5.96 KB, created by
Andrey Korolyov
on 2010-03-18 14:50:54 UTC
Description:
patch from http://savannah.nongnu.org/bugs/index.php?29136
Filename:
MIME Type:
Creator:
Andrey Korolyov
Created:
2010-03-18 14:50:54 UTC
Size:
5.96 KB
>Index: spamass-milter.cpp
>===================================================================
>RCS file: /cvsroot/spamass-milt/spamass-milt/spamass-milter.cpp,v
>retrieving revision 1.91
>diff -u -r1.91 spamass-milter.cpp
>--- spamass-milter.cpp 24 Jul 2006 19:59:17 -0000 1.91
>+++ spamass-milter.cpp 10 Mar 2010 18:52:22 -0000
>@@ -171,10 +171,6 @@
> bool flag_expand = false; /* alias/virtusertable expansion */
> bool warnedmacro = false; /* have we logged that we couldn't fetch a macro? */
>
>-#if defined(__FreeBSD__) /* popen bug - see PR bin/50770 */
>-static pthread_mutex_t popen_mutex = PTHREAD_MUTEX_INITIALIZER;
>-#endif
>-
> // {{{ main()
>
> int
>@@ -461,59 +457,24 @@
> send another copy. The milter API will not let you send the
> message AND return a failure code to the sender, so this is
> the only way to do it. */
>-#if defined(__FreeBSD__)
>- int rv;
>-#endif
>-
>-#if defined(HAVE_ASPRINTF)
>- char *buf;
>-#else
>- char buf[1024];
>-#endif
>- char *fmt="%s \"%s\"";
>+ char *popen_argv[3];
> FILE *p;
>
>-#if defined(HAVE_ASPRINTF)
>- asprintf(&buf, fmt, SENDMAIL, spambucket);
>-#else
>-#if defined(HAVE_SNPRINTF)
>- snprintf(buf, sizeof(buf)-1, fmt, SENDMAIL, spambucket);
>-#else
>- /* XXX possible buffer overflow here */
>- sprintf(buf, fmt, SENDMAIL, spambucket);
>-#endif
>-#endif
>-
>- debug(D_COPY, "calling %s", buf);
>-#if defined(__FreeBSD__) /* popen bug - see PR bin/50770 */
>- rv = pthread_mutex_lock(&popen_mutex);
>- if (rv)
>- {
>- debug(D_ALWAYS, "Could not lock popen mutex: %s", strerror(rv));
>- abort();
>- }
>-#endif
>- p = popen(buf, "w");
>+ popen_argv[0] = SENDMAIL;
>+ popen_argv[1] = spambucket;
>+ popen_argv[2] = NULL;
>+
>+ debug(D_COPY, "calling %s %s", SENDMAIL, spambucket);
>+ p = popenv(popen_argv, "w");
> if (!p)
> {
>- debug(D_COPY, "popen failed(%s). Will not send a copy to spambucket", strerror(errno));
>+ debug(D_COPY, "popenv failed(%s). Will not send a copy to spambucket", strerror(errno));
> } else
> {
> // Send message provided by SpamAssassin
> fwrite(assassin->d().c_str(), assassin->d().size(), 1, p);
>- pclose(p); p = NULL;
>+ fclose(p); p = NULL;
> }
>-#if defined(__FreeBSD__)
>- rv = pthread_mutex_unlock(&popen_mutex);
>- if (rv)
>- {
>- debug(D_ALWAYS, "Could not unlock popen mutex: %s", strerror(rv));
>- abort();
>- }
>-#endif
>-#if defined(HAVE_ASPRINTF)
>- free(buf);
>-#endif
> }
> return SMFIS_REJECT;
> }
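Review bot: Replacing `pclose(p)` with `fclose(p)` here means nothing waits for the sendmail child any more, so unless SIGCHLD is ignored somewhere outside this diff each spambucket copy leaves a zombie and a failed delivery goes unnoticed. The same applies to the `fclose(p)` in the hunk at -890, and the cause is in popenv(), which discards the pid returned by fork(). I would have popenv() hand the pid back to the caller and pair it with a close helper that does `fclose(p);` followed by `waitpid(pid, &status, 0);`. The return value of `fwrite` is also ignored, so a short write to the pipe is silent. The enclosing function starts and ends outside this hunk.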
>@@ -842,30 +803,19 @@
> /* open a pipe to sendmail so we can do address expansion */
>
> char buf[1024];
>- char *fmt="%s -bv \"%s\" 2>&1";
>-
>-#if defined(HAVE_SNPRINTF)
>- snprintf(buf, sizeof(buf)-1, fmt, SENDMAIL, envrcpt[0]);
>-#else
>- /* XXX possible buffer overflow here */
>- sprintf(buf, fmt, SENDMAIL, envrcpt[0]);
>-#endif
>+ char *popen_argv[4];
>+
>+ popen_argv[0] = SENDMAIL;
>+ popen_argv[1] = "-bv";
>+ popen_argv[2] = envrcpt[0];
>+ popen_argv[3] = NULL;
>
>- debug(D_RCPT, "calling %s", buf);
>+ debug(D_RCPT, "calling %s -bv %s", SENDMAIL, envrcpt[0]);
>
>-#if defined(__FreeBSD__) /* popen bug - see PR bin/50770 */
>- rv = pthread_mutex_lock(&popen_mutex);
>- if (rv)
>- {
>- debug(D_ALWAYS, "Could not lock popen mutex: %s", strerror(rv));
>- abort();
>- }
>-#endif
>-
>- p = popen(buf, "r");
>+ p = popenv(popen_argv, "r");
> if (!p)
> {
>- debug(D_RCPT, "popen failed(%s). Will not expand aliases", strerror(errno));
>+ debug(D_RCPT, "popenv failed(%s). Will not expand aliases", strerror(errno));
> assassin->expandedrcpt.push_back(envrcpt[0]);
> } else
> {
>@@ -890,16 +840,8 @@
> assassin->expandedrcpt.push_back(p+7);
> }
> }
>- pclose(p); p = NULL;
>+ fclose(p); p = NULL;
> }
>-#if defined(__FreeBSD__)
>- rv = pthread_mutex_unlock(&popen_mutex);
>- if (rv)
>- {
>- debug(D_ALWAYS, "Could not unlock popen mutex: %s", strerror(rv));
>- abort();
>- }
>-#endif
> } else
> {
> assassin->expandedrcpt.push_back(envrcpt[0]);
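Review bot: In the hunk at -842, `envrcpt[0]` comes from the SMTP envelope and is now passed to sendmail as its own argv entry, which takes the shell out of the path, but a value beginning with `-` would still be read by sendmail as an option rather than an address. Whether the MTA can hand such a value to the milter is not visible in this diff, so treat this as hardening: declare `char *popen_argv[5];` and set `popen_argv[2] = "--";` ahead of the recipient, assuming the installed sendmail honours `--` as end of options. A comment above the call saying that the recipient is untrusted and must never be formatted into a shell command again would protect the fix from later refactoring. The enclosing function starts and ends outside the hunk.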
>@@ -2157,5 +2099,71 @@
> warnedmacro = true;
> }
>
>+/*
>+ untrusted-argument-safe popen function - only supports "r" and "w" modes
>+ for simplicity, and always reads stdout and stderr in "r" mode. Call
>+ fclose to close the FILE.
>+*/
>+FILE *popenv(char *const argv[], const char *type)
>+{
>+ FILE *iop;
>+ int pdes[2];
>+ int save_errno;
>+ if ((*type != 'r' && *type != 'w') || type[1])
>+ {
>+ errno = EINVAL;
>+ return (NULL);
>+ }
>+ if (pipe(pdes) < 0)
>+ return (NULL);
>+ switch (fork()) {
>+
>+ case -1: /* Error. */
>+ save_errno = errno;
>+ (void)close(pdes[0]);
>+ (void)close(pdes[1]);
>+ errno = save_errno;
>+ return (NULL);
>+ /* NOTREACHED */
>+ case 0: /* Child. */
>+ if (*type == 'r') {
>+ /*
>+ * The dup2() to STDIN_FILENO is repeated to avoid
>+ * writing to pdes[1], which might corrupt the
>+ * parent's copy. This isn't good enough in
>+ * general, since the exit() is no return, so
>+ * the compiler is free to corrupt all the local
>+ * variables.
>+ */
>+ (void)close(pdes[0]);
>+ (void)dup2(pdes[1], STDOUT_FILENO);
>+ (void)dup2(pdes[1], STDERR_FILENO);
>+ if (pdes[1] != STDOUT_FILENO && pdes[1] != STDERR_FILENO) {
>+ (void)close(pdes[1]);
>+ }
>+ } else {
>+ if (pdes[0] != STDIN_FILENO) {
>+ (void)dup2(pdes[0], STDIN_FILENO);
>+ (void)close(pdes[0]);
>+ }
>+ (void)close(pdes[1]);
>+ }
>+ execv(argv[0], argv);
>+ exit(127);
>+ /* NOTREACHED */
>+ }
>+
>+ /* Parent; assume fdopen can't fail. */
>+ if (*type == 'r') {
>+ iop = fdopen(pdes[0], type);
>+ (void)close(pdes[1]);
>+ } else {
>+ iop = fdopen(pdes[1], type);
>+ (void)close(pdes[0]);
>+ }
>+
>+ return (iop);
>+}
>+
> // }}}
> // vim6:ai:noexpandtab
>Index: spamass-milter.h
>===================================================================
>RCS file: /cvsroot/spamass-milt/spamass-milt/spamass-milter.h,v
>retrieving revision 1.23
>diff -u -r1.23 spamass-milter.h
>--- spamass-milter.h 7 Apr 2005 02:04:24 -0000 1.23
>+++ spamass-milter.h 10 Mar 2010 18:52:22 -0000
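Review bot: In the child branch of popenv(), `exit(127)` after a failed `execv` runs atexit handlers and flushes stdio buffers copied from the threaded parent; after fork() the call should be `_exit(127);`. The parent side is commented "assume fdopen can't fail", but if it does fail the pipe descriptor leaks and NULL is returned with the child still running, so check `iop == NULL`, close the remaining descriptor and keep errno. The child also inherits every descriptor the milter has open (probably including its sockets), and nothing in the hunk marks them close-on-exec or closes them before `execv`. The block comment about "dup2() to STDIN_FILENO" was carried over from a popen() implementation and does not describe what this branch does; I would replace it with one line stating that stdout and stderr are both redirected into the pipe.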
>@@ -186,5 +186,6 @@
> void parse_debuglevel(char* string);
> char *strlwr(char *str);
> void warnmacro(char *macro, char *scope);
>+FILE *popenv(char *const argv[], const char *type);
>
> #endif
Attachments on
bug 310049
:
224125
| 224127