Comment 24 for bug 7373

Debian Bug Importer (debzilla) wrote:

Message-ID: <20040820204212.GU2041@live>
Date: Fri, 20 Aug 2004 22:42:12 +0200
From: Florian Ernst <email address hidden>
To: <email address hidden>
Subject: Re: not fixed in unstable


package slocate
tags 226103 patch
thanks

On Mon, 9 Aug 2004 22:11:14 -0300, Joey Hess wrote:
> However, I see no
> indication that CAN-2003-0848 is fixed in unstable. As noted at the top
> of the bug, 2.7 is probably vulnerable. The sgid dropping should
> certainly be forward ported from 2.6-1.3.2.

Forward porting the patch is easy, it applies cleanly (just some
offset), except for the debian/changelog part. I don't know whether
this patch will be sufficient for v2.7, though, but I'd assume so as
the attached patch and the diff between v2.6 and v2.7 don't seem to
intersect...
Find attached the patch from DSA-428-1 (diff between v2.6-1.3.1 and
v2.6-1.3.2)

Cheers,
Flo

PS: Please lart me if I went too far in tagging this bug "patch".

[Attachment: DSA-428-1.diff, reproduced below as received, i.e. still quoted-printable encoded: "=3D" stands for "=", "=09" for a tab, "=20" for a trailing space, and a bare "=" at the end of a line is a soft line break]

diff -u slocate-2.6/main.c slocate-2.6/main.c
--- slocate-2.6/main.c
+++ slocate-2.6/main.c
@@ -339,6 +339,9 @@
  char *part;
  int i;
  int res_errno;
+ char *tmp_ptr =3D NULL;
+ int last_sgid =3D 0;
+ struct stat db_stat;
=20
  /* Make sure path is not empty */
  if (!path || strlen(path) =3D=3D 0) return;
@@ -382,6 +385,28 @@
=20
  /* Null terminate array */
  SLOCATE_PATH[i] =3D NULL;
+=09
+ /* Sort sgid slocate db's to the top */
+ for (i =3D 0; SLOCATE_PATH[i]; i++) {
+ if (stat(SLOCATE_PATH[i], &db_stat) =3D=3D -1)
+ report_error(FATAL, QUIET, "%s: Could not stat DB: %s: %s\n", progna=
me, SLOCATE_PATH[i], strerror(errno));
+
+ if (db_stat.st_gid !=3D SLOC_GID)
+ continue;
+ =09
+ if (i !=3D last_sgid) {
+ tmp_ptr =3D SLOCATE_PATH[last_sgid];
+ SLOCATE_PATH[last_sgid] =3D SLOCATE_PATH[i];
+ SLOCATE_PATH[i] =3D tmp_ptr;
+ }
+ =09
+ last_sgid +=3D 1;
+ =09
+ }
+=09
+ /* for (i =3D 0; SLOCATE_PATH[i]; i++)
+ printf("%s\n", SLOCATE_PATH[i]); */
+
 }
=20
 /* Parse Dash */
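Review bot: the stat() in the new sorting loop makes a missing or unreadable database path a FATAL error before any search runs, so a stale entry in LOCATE_PATH (which is also fed through parse_decode_path(), see the getenv("LOCATE_PATH") call in the main() hunk) now aborts slocate instead of producing the WARNING that decode_db() already emits when open() fails. Suggest treating a failed stat() here as "not slocate-group" and skipping the entry with `continue`, leaving the hard failure to decode_db(). The commented-out debugging printf loop and the tab-only lines (the `=09` soft lines) should also be dropped before this is applied.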
@@ -1152,6 +1177,22 @@
  char *cp=3DNULL;
 #endif
  char *bucket_of_holding=3DNULL;
+ gid_t cur_gid;
+ struct stat db_stat;
+
+ cur_gid =3D getegid();
+
+ if (stat(database, &db_stat) =3D=3D -1)
+ report_error(FATAL, QUIET, "%s: Could not stat '%d': %s\n", progname,=
 strerror(errno));
+=09
+ /* If the database's file group is not apart of the 'slocate' group,
+ * drop privileges. When multiple databases are specified, the ones
+ * apart of the 'slocate' group will be searched first before the
+ * privileges are dropped. */ =20
+ if (cur_gid =3D=3D SLOC_GID && db_stat.st_gid !=3D SLOC_GID) {
+ if (setgid(GID) =3D=3D -1)
+ report_error(FATAL, QUIET, "%s: Could not drop privileges.", prognam=
e);
+ }
=20
  if ((fd =3D open(database,O_RDONLY)) =3D=3D -1) {
   report_error(WARNING,QUIET,"%s: decode_db(): %s: %s\n",progname,database=
,strerror(errno));
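Review bot: the report_error() call after the new stat() has a format/argument mismatch: "%s: Could not stat '%d': %s\n" has three conversions but only progname and strerror(errno) are passed, and the database-name slot is `%d`. It should read `"%s: Could not stat '%s': %s\n", progname, database, strerror(errno)`, matching the open() WARNING a few lines below. Two further points: the privilege decision is taken on stat() of the path while the file is then open()ed by path, so a database swapped between the two calls (a retargeted symlink, for instance) is read while still sgid; the group check belongs on fstat() of the descriptor returned by open(). And for a non-root sgid process setgid(GID) changes only the effective gid and leaves the saved set-group-ID as the slocate group, so anything running after the drop can regain it with setegid(); setregid(GID, GID) (or setresgid) also clears the saved id, and the drop should be confirmed with getegid() rather than by the return value alone.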
@@ -1409,6 +1450,9 @@
  /* Get user IDs */
  UID =3D getuid(); =20
  GID =3D getgid();
+ =09
+ /* Get the 'slocate' group GID */
+ SLOC_GID =3D get_gid(GRPFILE);
=20
  /* Add the LOCATE_PATH environment variable to the list of databases to s=
earch in */
  parse_decode_path(getenv("LOCATE_PATH"));
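Review bot: the SLOC_GID lookup is moved up because parse_decode_path() now compares each database's st_gid against SLOC_GID and is called for LOCATE_PATH on the very next line, but that ordering constraint is not stated anywhere. Add a comment on the get_gid() line saying it must precede every parse_decode_path() call; otherwise a later change that moves it back to where it was (after the SLOCATEDB call, as in the hunk below) would silently make the sort compare against an uninitialised SLOC_GID.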
@@ -1533,11 +1577,7 @@
   * with the -d option, etc */
=20
  if (ADD_SLOCATEDB)
- parse_decode_path(SLOCATEDB);
-
- /* Get the 'slocate' group GID */
- SLOC_GID =3D get_gid(GRPFILE);
-=09
+ parse_decode_path(SLOCATEDB);=09
 =09
  /* if the -U option has been used, start to create the database at specif=
ied path */
  if (SPECDIR)
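Review bot: the re-added `parse_decode_path(SLOCATEDB);` line carries a trailing tab (the `=09` at the end of the `+` line) that the removed line did not have, so apart from deleting the now-duplicate SLOC_GID lookup this hunk is a whitespace-only change. Drop the trailing tab so the hunk is just the removal of the relocated lines.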
diff -u slocate-2.6/debian/changelog slocate-2.6/debian/changelog
--- slocate-2.6/debian/changelog
+++ slocate-2.6/debian/changelog
@@ -1,3 +1,12 @@
+slocate (2.6-1.3.2) stable-security; urgency=3Dhigh
+
+ * 'slocate' sgid privileges are now dropped when searching databases that
+ are not apart of the 'slocate' group. This will prevent malicious user
+ supplied databases from elevating user access to the 'slocate' group.
+ See CAN-2003-0848, (closes: #226103)
+
+ -- Kevin Lindsay <email address hidden> Mon, 19 Jan 2004 06:16:54 +0000
+
 slocate (2.6-1.3.1) stable-security; urgency=3Dhigh
=20
   * Non-maintainer upload by the Security Team
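Review bot: "not apart of the 'slocate' group" should be "not a part of" (or simply "not owned by the 'slocate' group"); the same typo is in the new comment in decode_db(). The entry would also be clearer if it said that slocate-group databases are searched first and privileges are dropped at the first database owned by another group, since that ordering is the behavioural change users who pass several databases will notice.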
