Message-ID: <20040820204212.GU2041@live>
Date: Fri, 20 Aug 2004 22:42:12 +0200
From: Florian Ernst <email address hidden>
To: <email address hidden>
Subject: Re: not fixed in unstable
On Mon, 9 Aug 2004 22:11:14 -0300, Joey Hess wrote:
> However, I see no
> indication that CAN-2003-0848 is fixed in unstable. As noted at the top
> of the bug, 2.7 is probably vulnerable. The sgid dropping should
> certainly be forward ported from 2.6-1.3.2.
Forward porting the patch is easy, it applies cleanly (just some
offset), except for the debian/changelog part. I don't know whether
this patch will be sufficient for v2.7, though, but I'd assume so as
the attached patch and the diff between v2.6 and v2.7 don't seem to
intersect...
Find attached the patch from DSA-428-1 (diff between v2.6-1.3.1 and
v2.6-1.3.2)
Cheers,
Flo
PS: Please lart me if I went too far in tagging this bug "patch".
diff -u slocate-2.6/main.c slocate-2.6/main.c
--- slocate-2.6/main.c
+++ slocate-2.6/main.c
@@ -339,6 +339,9 @@
char *part;
int i;
int res_errno;
+ char *tmp_ptr =3D NULL;
+ int last_sgid =3D 0;
+ struct stat db_stat;
=20
/* Make sure path is not empty */
if (!path || strlen(path) =3D=3D 0) return;
@@ -382,6 +385,28 @@
=20
/* Null terminate array */
SLOCATE_PATH[i] =3D NULL;
+=09
+ /* Sort sgid slocate db's to the top */
+ for (i =3D 0; SLOCATE_PATH[i]; i++) {
+ if (stat(SLOCATE_PATH[i], &db_stat) =3D=3D -1)
+ report_error(FATAL, QUIET, "%s: Could not stat DB: %s: %s\n", progna=
me, SLOCATE_PATH[i], strerror(errno));
+
+ if (db_stat.st_gid !=3D SLOC_GID)
+ continue;
+ =09
+ if (i !=3D last_sgid) {
+ tmp_ptr =3D SLOCATE_PATH[last_sgid];
+ SLOCATE_PATH[last_sgid] =3D SLOCATE_PATH[i];
+ SLOCATE_PATH[i] =3D tmp_ptr;
+ }
+ =09
+ last_sgid +=3D 1;
+ =09
+ }
+=09
+ /* for (i =3D 0; SLOCATE_PATH[i]; i++)
+ printf("%s\n", SLOCATE_PATH[i]); */
+
}
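Review bot: The `report_error(FATAL, QUIET, "%s: Could not stat DB: %s: %s\n", ...)` in the new sort loop makes any missing or unreadable entry in the database list abort the whole run, whereas the open() failure in decode_db (visible later in this patch as `report_error(WARNING,QUIET,"%s: decode_db(): %s: %s\n", ...)`) only warns; an entry that cannot be stat'ed here would be better skipped with the same WARNING, or left for decode_db to report. The ordering this loop produces appears to be only a hint about which databases to read first, since decode_db repeats the group check on its own stat(), so a failure here does not by itself weaken the privilege drop. The commented-out debug loop `/* for (i = 0; SLOCATE_PATH[i]; i++) printf("%s\n", SLOCATE_PATH[i]); */` should be deleted rather than shipped. parse_decode_path's body starts outside the hunk.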
=20
/* Parse Dash */
@@ -1152,6 +1177,22 @@
char *cp=3DNULL;
#endif
char *bucket_of_holding=3DNULL;
+ gid_t cur_gid;
+ struct stat db_stat;
+
+ cur_gid =3D getegid();
+
+ if (stat(database, &db_stat) =3D=3D -1)
+ report_error(FATAL, QUIET, "%s: Could not stat '%d': %s\n", progname,=
strerror(errno));
+=09
+ /* If the database's file group is not apart of the 'slocate' group,
+ * drop privileges. When multiple databases are specified, the ones
+ * apart of the 'slocate' group will be searched first before the
+ * privileges are dropped. */ =20
+ if (cur_gid =3D=3D SLOC_GID && db_stat.st_gid !=3D SLOC_GID) {
+ if (setgid(GID) =3D=3D -1)
+ report_error(FATAL, QUIET, "%s: Could not drop privileges.", prognam=
e);
+ }
=20
if ((fd =3D open(database,O_RDONLY)) =3D=3D -1) {
report_error(WARNING,QUIET,"%s: decode_db(): %s: %s\n",progname,database=
,strerror(errno));
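Review bot: The new stat() error report passes two arguments to a format string with three conversions — `"%s: Could not stat '%d': %s\n", progname, strerror(errno)` — so the `%d` consumes an argument that was never passed and the final `%s` reads an indeterminate pointer, making the FATAL path itself undefined behaviour; it should be `report_error(FATAL, QUIET, "%s: Could not stat '%s': %s\n", progname, database, strerror(errno));`. The privilege decision is also taken on a stat() of the path while the file is opened separately a few lines later (`open(database,O_RDONLY)`), so the group that stat() reported is not necessarily the group of the file that ends up being parsed; opening first, then checking `if (fstat(fd, &db_stat) == -1)` on the descriptor and placing the setgid block after that check (before any read) binds the decision to the file actually decoded. Whether a single setgid() relinquishes the sgid permanently is platform dependent — on Linux an unprivileged setgid() sets only the effective gid and leaves the saved set-group-id — so `setregid(GID, GID)` or `setresgid(GID, GID, GID)`, followed by a getegid() check that the drop took effect, is the more robust form. decode_db's body starts and ends outside the hunk.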
@@ -1409,6 +1450,9 @@
/* Get user IDs */
UID =3D getuid(); =20
GID =3D getgid();
+ =09
+ /* Get the 'slocate' group GID */
+ SLOC_GID =3D get_gid(GRPFILE);
=20
/* Add the LOCATE_PATH environment variable to the list of databases to s=
earch in */
parse_decode_path(getenv("LOCATE_PATH"));
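Review bot: `SLOC_GID = get_gid(GRPFILE);` is moved ahead of the database-list parsing, which the rest of this patch requires because parse_decode_path now compares `db_stat.st_gid` against SLOC_GID, but nothing in the hunk shows what get_gid returns when the group is absent from GRPFILE or the file is unreadable; if the failure value can coincide with a real gid (0, for instance), the comparisons in parse_decode_path and decode_db would silently take the wrong branch. A check on the returned value at this point, with a FATAL report on failure, keeps those later comparisons meaningful; whether get_gid already reports failure itself cannot be confirmed from the patch. The enclosing function continues outside the hunk.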
@@ -1533,11 +1577,7 @@
* with the -d option, etc */
=20
if (ADD_SLOCATEDB)
- parse_decode_path(SLOCATEDB);
-
- /* Get the 'slocate' group GID */
- SLOC_GID =3D get_gid(GRPFILE);
-=09
+ parse_decode_path(SLOCATEDB);=09
=09
/* if the -U option has been used, start to create the database at specif=
ied path */
if (SPECDIR)
diff -u slocate-2.6/debian/changelog slocate-2.6/debian/changelog
--- slocate-2.6/debian/changelog
+++ slocate-2.6/debian/changelog
@@ -1,3 +1,12 @@
+slocate (2.6-1.3.2) stable-security; urgency=3Dhigh
+
+ * 'slocate' sgid privileges are now dropped when searching databases that
+ are not apart of the 'slocate' group. This will prevent malicious user
+ supplied databases from elevating user access to the 'slocate' group.
+ See CAN-2003-0848, (closes: #226103)
+
+ -- Kevin Lindsay <email address hidden> Mon, 19 Jan 2004 06:16:54 +0000
+
slocate (2.6-1.3.1) stable-security; urgency=3Dhigh
=20
* Non-maintainer upload by the Security Team
Message-ID: <20040820204212 .GU2041@ live>
Date: Fri, 20 Aug 2004 22:42:12 +0200
From: Florian Ernst <email address hidden>
To: <email address hidden>
Subject: Re: not fixed in unstable
package slocate
tags 226103 patch
thanks
On Mon, 9 Aug 2004 22:11:14 -0300, Joey Hess wrote:
> However, I see no
> indication that CAN-2003-0848 is fixed in unstable. As noted at the top
> of the bug, 2.7 is probably vulnerable. The sgid dropping should
> certainly be forward ported from 2.6-1.3.2.
Forward porting the patch is easy, it applies cleanly (just some
offset), except for the debian/changelog part. I don't know whether
this patch will be sufficient for v2.7, though, but I'd assume so as
the attached patch and the diff between v2.6 and v2.7 don't seem to
intersect...
Find attached the patch from DSA-428-1 (diff between v2.6-1.3.1 and
v2.6-1.3.2)
Cheers,
Flo
PS: Please lart me if I went too far in tagging this bug "patch".
diff -u slocate-2.6/main.c slocate-2.6/main.c PATH[i] , &db_stat) =3D=3D -1) PATH[last_ sgid]; PATH[last_ sgid] =3D SLOCATE_PATH[i]; of_holding= 3DNULL; O_RDONLY) ) =3D=3D -1) { error(WARNING, QUIET," %s: decode_db(): %s: %s\n",progname, database= decode_ path(getenv( "LOCATE_ PATH")) ; path(SLOCATEDB) ; path(SLOCATEDB) ;=09 2.6/debian/ changelog slocate- 2.6/debian/ changelog 2.6/debian/ changelog 2.6/debian/ changelog
--- slocate-2.6/main.c
+++ slocate-2.6/main.c
@@ -339,6 +339,9 @@
char *part;
int i;
int res_errno;
+ char *tmp_ptr =3D NULL;
+ int last_sgid =3D 0;
+ struct stat db_stat;
=20
/* Make sure path is not empty */
if (!path || strlen(path) =3D=3D 0) return;
@@ -382,6 +385,28 @@
=20
/* Null terminate array */
SLOCATE_PATH[i] =3D NULL;
+=09
+ /* Sort sgid slocate db's to the top */
+ for (i =3D 0; SLOCATE_PATH[i]; i++) {
+ if (stat(SLOCATE_
+ report_error(FATAL, QUIET, "%s: Could not stat DB: %s: %s\n", progna=
me, SLOCATE_PATH[i], strerror(errno));
+
+ if (db_stat.st_gid !=3D SLOC_GID)
+ continue;
+ =09
+ if (i !=3D last_sgid) {
+ tmp_ptr =3D SLOCATE_
+ SLOCATE_
+ SLOCATE_PATH[i] =3D tmp_ptr;
+ }
+ =09
+ last_sgid +=3D 1;
+ =09
+ }
+=09
+ /* for (i =3D 0; SLOCATE_PATH[i]; i++)
+ printf("%s\n", SLOCATE_PATH[i]); */
+
}
=20
/* Parse Dash */
@@ -1152,6 +1177,22 @@
char *cp=3DNULL;
#endif
char *bucket_
+ gid_t cur_gid;
+ struct stat db_stat;
+
+ cur_gid =3D getegid();
+
+ if (stat(database, &db_stat) =3D=3D -1)
+ report_error(FATAL, QUIET, "%s: Could not stat '%d': %s\n", progname,=
strerror(errno));
+=09
+ /* If the database's file group is not apart of the 'slocate' group,
+ * drop privileges. When multiple databases are specified, the ones
+ * apart of the 'slocate' group will be searched first before the
+ * privileges are dropped. */ =20
+ if (cur_gid =3D=3D SLOC_GID && db_stat.st_gid !=3D SLOC_GID) {
+ if (setgid(GID) =3D=3D -1)
+ report_error(FATAL, QUIET, "%s: Could not drop privileges.", prognam=
e);
+ }
=20
if ((fd =3D open(database,
report_
,strerror(errno));
@@ -1409,6 +1450,9 @@
/* Get user IDs */
UID =3D getuid(); =20
GID =3D getgid();
+ =09
+ /* Get the 'slocate' group GID */
+ SLOC_GID =3D get_gid(GRPFILE);
=20
/* Add the LOCATE_PATH environment variable to the list of databases to s=
earch in */
parse_
@@ -1533,11 +1577,7 @@
* with the -d option, etc */
=20
if (ADD_SLOCATEDB)
- parse_decode_
-
- /* Get the 'slocate' group GID */
- SLOC_GID =3D get_gid(GRPFILE);
-=09
+ parse_decode_
=09
/* if the -U option has been used, start to create the database at specif=
ied path */
if (SPECDIR)
diff -u slocate-
--- slocate-
+++ slocate-
@@ -1,3 +1,12 @@
+slocate (2.6-1.3.2) stable-security; urgency=3Dhigh
+
+ * 'slocate' sgid privileges are now dropped when searching databases that
+ are not apart of the 'slocate' group. This will prevent malicious user
+ supplied databases from elevating user access to the 'slocate' group.
+ See CAN-2003-0848, (closes: #226103)
+
+ -- Kevin Lindsay <email address hidden> Mon, 19 Jan 2004 06:16:54 +0000
+
slocate (2.6-1.3.1) stable-security; urgency=3Dhigh
=20
* Non-maintainer upload by the Security Team
-----BEGIN PGP SIGNATURE-----
+TVFLPnwRAnT1AJ 9nY7sZ7X4aTcEUS cnXIEbTo9x1UACe Ntil 4e4qSmBCIv8syxS 4=
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFBJmIks3U
DPb2x+/
=Anbx
-----END PGP SIGNATURE-----
--HKOZ/ JADkehwFk9I- -