diff -u qpopper-4.0.4/debian/changelog qpopper-4.0.4/debian/changelog --- qpopper-4.0.4/debian/changelog +++ qpopper-4.0.4/debian/changelog @@ -1,3 +1,15 @@ +qpopper (4.0.4-2.woody.5) stable-security; urgency=high + + * Non-maintainer upload by the Security Team + * Backported upstream patch to fix unauthorised file read access + [popper/pop_config.c, CAN-2005-1151] + * Backported upstream patch to fix unauthorised file write access + [popper/popauth.c, CAN-2005-1151] + + -- Martin Schulze Wed, 20 Apr 2005 20:27:57 +0200 + qpopper (4.0.4-2.woody.4) stable-security; urgency=medium * Non-maintainer upload by the Security Team only in patch2: unchanged: --- qpopper-4.0.4.orig/popper/pop_config.c +++ qpopper-4.0.4/popper/pop_config.c @@ -85,6 +85,7 @@ #include #include #include +#include #include "popper.h" #include "utils.h" @@ -1487,6 +1488,8 @@ int rslt; char buf [ 256 ]; struct stat stat_buf; + BOOL bUser = FALSE; + BOOL bSpool = FALSE; if ( p->bUser_opts ) { @@ -1497,14 +1500,8 @@ p->user ); else { rslt = stat ( buf, &stat_buf ); - if ( rslt == 0 ) { - rslt = pop_config ( p, buf, CfgUser ); - if ( rslt == POP_FAILURE ) { - pop_log ( p, POP_PRIORITY, HERE, - "Unable to process user options file for user %s", - p->user ); - } - } + if ( rslt == 0 ) + bUser = TRUE; } } /* p->user_opts */ @@ -1517,16 +1514,46 @@ p->user ); else { rslt = stat ( buf, &stat_buf ); - if ( rslt == 0 ) { - rslt = pop_config ( p, buf, CfgConnected ); - if ( rslt == POP_FAILURE ) { - pop_log ( p, POP_PRIORITY, HERE, - "Unable to process spool options file for user %s", - p->user ); - } - } + if ( rslt == 0 ) + bSpool = TRUE; } } /* p->spool_opts */ + + /* + * If we are to process either, do it as the user, not root + */ + if ( bUser || bSpool ) { + UID_T uid_save = 0; + + uid_save = geteuid(); + if ( seteuid ( pwp->pw_uid ) != 0 ) { + rslt = POP_FAILURE; /* seteuid failed */ + pop_log ( p, POP_PRIORITY, HERE, + "seteuid(%i) for user %s failed", + pwp->pw_uid, p->user ); + } /* seteuid failed */ + else { /* we are now the user */ + if ( bUser ) { + rslt = pop_config ( p, buf, CfgConnected ); + if ( rslt == POP_FAILURE ) + pop_log ( p, POP_PRIORITY, HERE, + "Unable to process user options file for user %s", + p->user ); + } + + if ( bSpool ) { + rslt = pop_config ( p, buf, CfgConnected ); + if ( rslt == POP_FAILURE ) + pop_log ( p, POP_PRIORITY, HERE, + "Unable to process spool options file for user %s", + p->user ); + } + + if ( seteuid ( uid_save ) != 0 ) + pop_log ( p, POP_PRIORITY, HERE, + "seteuid(%i) back failed", uid_save ); + } /* we are now the user */ + } /* bUser || bSpool */ } only in patch2: unchanged: --- qpopper-4.0.4.orig/popper/popauth.c +++ qpopper-4.0.4/popper/popauth.c @@ -107,6 +107,7 @@ #include #include #include +#include #ifndef HAVE_BCOPY # define bcopy(src,dest,len) (void) (memcpy(dest,src,len)) @@ -277,6 +278,7 @@ static void helpful ( void ); static int check_db_err ( void *db, const char *op, BOOL bExp ); static const char *printable ( const char *p, int len ); +static void open_trace ( char *fname ); static void @@ -453,6 +455,30 @@ } +void +open_trace ( char *tname ) +{ + UID_T uid_save = -1; + UID_T myuid = -1; + + + uid_save = geteuid(); + myuid = getuid(); + if ( seteuid ( myuid ) != 0 ) + adios ( HERE, "internal error @ %i", __LINE__ ); + + trace_file = fopen ( tname, "a+" ); + if ( trace_file == NULL ) + adios ( HERE, "Unable to open trace file \"%s\": %s (%d)\n", + tname, STRERROR(errno), errno ); + BLATHER1 ( "Trace and Debug destination is file \"%s\"", + tname ); + + if ( seteuid ( uid_save ) != 0 ) + adios ( HERE, "internal error @ %i", __LINE__ ); +} + + #ifndef HAVE_STRDUP #include @@ -748,13 +775,7 @@ helpful(); case TRACESW: debug++; - trace_file = fopen ( argv[1], "a+" ); - if ( trace_file == NULL ) - adios ( HERE, - "Unable to open trace file \"%s\": %s (%d)\n", - argv[1], STRERROR(errno), errno ); - BLATHER1 ( "Trace and Debug destination is file \"%s\"", - argv[1] ); + open_trace ( argv[1] ); argc--; argv++; break;