
(-)qpopper-4.0.4/debian/changelog (-25 / +82 lines)
Lines 1-3 Link Here
1
qpopper (4.0.4-2.woody.5) stable-security; urgency=high
2
3
  * Non-maintainer upload by the Security Team
4
  * Backported upstream patch to fix unauthorised file read access
5
    [popper/pop_config.c, CAN-2005-1151]
6
  * Backported upstream patch to fix unauthorised file write access
7
    [popper/popauth.c, CAN-2005-1151]
8
9
 -- Martin Schulze <joey@infodrom.org>  Wed, 20 Apr 2005 20:27:57 +0200
10
1
qpopper (4.0.4-2.woody.4) stable-security; urgency=medium
11
qpopper (4.0.4-2.woody.4) stable-security; urgency=medium
2
12
3
  * Non-maintainer upload by the Security Team
13
  * Non-maintainer upload by the Security Team
4
-- qpopper-4.0.4.orig/popper/pop_config.c
14
++ qpopper-4.0.4/popper/pop_config.c
Lines 85-90 Link Here
85
#include <string.h>
85
#include <string.h>
86
#include <errno.h>
86
#include <errno.h>
87
#include <ctype.h>
87
#include <ctype.h>
88
#include <unistd.h>
88
89
89
#include "popper.h"
90
#include "popper.h"
90
#include "utils.h"
91
#include "utils.h"
Lines 1487-1492 Link Here
1487
    int         rslt;
1488
    int         rslt;
1488
    char        buf [ 256 ];
1489
    char        buf [ 256 ];
1489
    struct stat stat_buf;
1490
    struct stat stat_buf;
1491
    BOOL	bUser		= FALSE;
1492
    BOOL	bSpool		= FALSE;
1490
1493
1491
1494
1492
    if ( p->bUser_opts ) {
1495
    if ( p->bUser_opts ) {
Lines 1497-1510 Link Here
1497
                      p->user );
1500
                      p->user );
1498
        else {
1501
        else {
1499
            rslt = stat ( buf, &stat_buf );
1502
            rslt = stat ( buf, &stat_buf );
1500
            if ( rslt == 0 ) {
1503
            if ( rslt == 0 )
1501
                rslt = pop_config ( p, buf, CfgUser );
1504
		bUser = TRUE;
1502
                if ( rslt == POP_FAILURE ) {
1503
                    pop_log ( p, POP_PRIORITY, HERE,
1504
                              "Unable to process user options file for user %s",
1505
                              p->user );
1506
                }
1507
            }
1508
        }
1505
        }
1509
    } /* p->user_opts */
1506
    } /* p->user_opts */
1510
1507
Lines 1517-1532 Link Here
1517
                      p->user );
1514
                      p->user );
1518
        else {
1515
        else {
1519
            rslt = stat ( buf, &stat_buf );
1516
            rslt = stat ( buf, &stat_buf );
1520
            if ( rslt == 0 ) {
1517
            if ( rslt == 0 )
1521
                rslt = pop_config ( p, buf, CfgConnected );
1518
                bSpool = TRUE;
1522
                if ( rslt == POP_FAILURE ) {
1523
                    pop_log ( p, POP_PRIORITY, HERE,
1524
                              "Unable to process spool options file for user %s",
1525
                              p->user );
1526
                }
1527
            }
1528
        }
1519
        }
1529
    } /* p->spool_opts */
1520
    } /* p->spool_opts */
1521
1522
    /*
1523
     * If we are to process either, do it as the user, not root
1524
     */
1525
    if ( bUser || bSpool ) {
1526
	UID_T uid_save = 0;
1527
1528
        uid_save = geteuid();
1529
        if ( seteuid ( pwp->pw_uid ) != 0 ) {
1530
            rslt = POP_FAILURE; /* seteuid failed */
1531
            pop_log ( p, POP_PRIORITY, HERE,
1532
                      "seteuid(%i) for user %s failed",
1533
                      pwp->pw_uid, p->user );
1534
        } /* seteuid failed */
1535
        else { /* we are now the user */
1536
            if ( bUser ) {
1537
                rslt = pop_config ( p, buf, CfgConnected );
1538
		if ( rslt == POP_FAILURE )
1539
			pop_log ( p, POP_PRIORITY, HERE,
1540
				  "Unable to process user options file for user %s",
1541
				  p->user );
1542
	    }
1543
1544
            if ( bSpool ) {
1545
                rslt = pop_config ( p, buf, CfgConnected );
1546
		if ( rslt == POP_FAILURE )
1547
			pop_log ( p, POP_PRIORITY, HERE,
1548
				  "Unable to process spool options file for user %s",
1549
				  p->user );
1550
	    }
1551
1552
            if ( seteuid ( uid_save ) != 0 )
1553
                pop_log ( p, POP_PRIORITY, HERE,
1554
                          "seteuid(%i) back failed", uid_save );
1555
        } /* we are now the user */
1556
    } /* bUser || bSpool */
1530
}
1557
}
1531
1558
1532
1559
1533
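Review bot: In the new `if ( bUser || bSpool )` block both deferred calls are `pop_config ( p, buf, CfgConnected )`, so the user file and the spool file are read through the same `buf` and with the same context. Both earlier branches `stat` that one `buf` (the code that fills it, like the start of the function, lies outside the visible hunks), so with both options enabled `buf` presumably holds the spool path by then: the user's file would never be parsed and the spool file would be parsed twice. The removed line passed `CfgUser` for the user's file; if that context limits which options a user-owned file may set, the limit is lost here. I would keep two path buffers and call `rslt = pop_config ( p, user_buf, CfgUser );` and `rslt = pop_config ( p, spool_buf, CfgConnected );`, where `user_buf` and `spool_buf` are placeholder names. Separately, `seteuid ( pwp->pw_uid )` changes only the effective uid, so the files are still opened with the process's effective gid and supplementary groups, and a failed `seteuid ( uid_save )` is logged but `rslt` is left untouched.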
-- qpopper-4.0.4.orig/popper/popauth.c
1560
++ qpopper-4.0.4/popper/popauth.c
Lines 107-112 Link Here
107
#include <fcntl.h>
107
#include <fcntl.h>
108
#include <errno.h>
108
#include <errno.h>
109
#include <string.h>
109
#include <string.h>
110
#include <unistd.h>
110
111
111
#ifndef HAVE_BCOPY
112
#ifndef HAVE_BCOPY
112
#  define bcopy(src,dest,len) (void) (memcpy(dest,src,len))
113
#  define bcopy(src,dest,len) (void) (memcpy(dest,src,len))
Lines 277-282 Link Here
277
static void         helpful ( void );
278
static void         helpful ( void );
278
static int          check_db_err ( void *db, const char *op, BOOL bExp );
279
static int          check_db_err ( void *db, const char *op, BOOL bExp );
279
static const char  *printable ( const char *p, int len );
280
static const char  *printable ( const char *p, int len );
281
static void         open_trace ( char *fname );
280
282
281
283
282
static void
284
static void
Lines 453-458 Link Here
453
}
455
}
454
456
455
457
458
void
459
open_trace ( char *tname )
460
{
461
    UID_T uid_save = -1;
462
    UID_T myuid    = -1;
463
464
465
    uid_save = geteuid();
466
    myuid = getuid();
467
    if ( seteuid ( myuid ) != 0 )
468
        adios ( HERE, "internal error @ %i", __LINE__ );
469
    
470
    trace_file = fopen ( tname, "a+" );
471
    if ( trace_file == NULL )
472
        adios ( HERE, "Unable to open trace file \"%s\": %s (%d)\n",
473
                tname, STRERROR(errno), errno );
474
    BLATHER1 ( "Trace and Debug destination is file \"%s\"",
475
               tname );
476
            
477
    if ( seteuid ( uid_save ) != 0 )
478
        adios ( HERE, "internal error @ %i", __LINE__ );
479
}
480
481
456
#ifndef HAVE_STRDUP
482
#ifndef HAVE_STRDUP
457
#include <stddef.h>
483
#include <stddef.h>
458
484
Lines 748-760 Link Here
748
                helpful();
775
                helpful();
749
            case TRACESW:
776
            case TRACESW:
750
                debug++;
777
                debug++;
751
                trace_file = fopen ( argv[1], "a+" );
778
		open_trace ( argv[1] );
752
                if ( trace_file == NULL )
753
                    adios ( HERE, 
754
                            "Unable to open trace file \"%s\": %s (%d)\n",
755
                            argv[1], STRERROR(errno), errno );
756
                BLATHER1 ( "Trace and Debug destination is file \"%s\"",
757
                           argv[1] );
758
                argc--;
779
                argc--;
759
                argv++;
780
                argv++;
760
                break;
781
                break;
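Review bot: `open_trace` switches only the effective uid around `fopen ( tname, "a+" )` and leaves the effective gid alone, so if popauth is ever installed setgid (not visible from this page) the trace file is still opened and created with that group's rights. Saving `getegid()` and wrapping the open in `setegid ( getgid() )` and a restore, next to the existing `seteuid` pair, would close that gap. The definition is written `void open_trace ( char *tname )` while the prototype added at new line 281 is `static void open_trace ( char *fname )`; the linkage stays internal, but repeating `static` and using one parameter name would make that obvious to the reader. The two `adios ( HERE, "internal error @ %i", __LINE__ )` messages would be easier to triage if they named the failing `seteuid` call and `errno`, as the `fopen` failure message already does.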
