Security fix for SA21436:

"A security issue has been reported in Heimdal, which potentially can be
 exploited by malicious, local users to perform certain actions with
 escalated privileges.

 The security issue is caused due to missing checks for whether the
 "setuid()" call has succeeded in the bundled rcp application. This may
 be exploited to perform certain actions with root privileges if the
 "setuid()" call fails due to e.g. resource limits."

http://secunia.com/advisories/21436/
http://www.pdc.kth.se/heimdal/advisory/2006-08-08/

Bump PKGREVISION.

7 files changed, 254 insertions, 3 deletions

diff --git a/security/heimdal/Makefile b/security/heimdal/Makefile
index 0ba7288631c..f775ba9156a 100644
--- a/security/heimdal/Makefile
+++ b/security/heimdal/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.61 2006/07/05 04:39:14 jlam Exp $
+# $NetBSD: Makefile,v 1.62 2006/08/09 17:58:09 salo Exp $
 
 DISTNAME=	heimdal-0.7.2
-PKGREVISION=	2
+PKGREVISION=	3
 CATEGORIES=	security
 MASTER_SITES=	ftp://ftp.pdc.kth.se/pub/heimdal/src/	\
 		ftp://ftp.sunet.se/pub/unix/admin/mirror-pdc/heimdal/src/
diff --git a/security/heimdal/distinfo b/security/heimdal/distinfo
index 6a76dc9b8d5..1b6df19420f 100644
--- a/security/heimdal/distinfo
+++ b/security/heimdal/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.20 2006/07/05 04:39:14 jlam Exp $
+$NetBSD: distinfo,v 1.21 2006/08/09 17:58:09 salo Exp $
 
 SHA1 (heimdal-0.7.2.tar.gz) = a902e6ad7c31d940b588dc0235b348936f0d719d
 RMD160 (heimdal-0.7.2.tar.gz) = 0f028a9d5a6a66e8efc0397e4d8c8adc2183b409
@@ -6,3 +6,8 @@ Size (heimdal-0.7.2.tar.gz) = 4525734 bytes
 SHA1 (patch-ac) = 313c0a1f91e4f9546ae906f981adae0d499dd9cf
 SHA1 (patch-ad) = a7cfc038e76f8c3da38f8eb0ee48a7f8c7a9c7df
 SHA1 (patch-al) = 6035ef920b1a005902ae021b307fc4c3efc77449
+SHA1 (patch-am) = 538c0c3bb8806bdd3691d490ea4ceafc7acc0ca7
+SHA1 (patch-an) = 2f414a50520a345f3c875220d2b001516933fbac
+SHA1 (patch-ao) = 7401ad7a47ed8541663193f71bd52feafeeeb045
+SHA1 (patch-ap) = 4c28d64ecf1c55d7eb02d0be1cf3efeff81339c6
+SHA1 (patch-aq) = 3ac32c49d5880813998b5bfe8c474fbb87218cba
diff --git a/security/heimdal/patches/patch-am b/security/heimdal/patches/patch-am
new file mode 100644
index 00000000000..b55e4f44837
--- /dev/null
+++ b/security/heimdal/patches/patch-am
@@ -0,0 +1,25 @@
+$NetBSD: patch-am,v 1.1 2006/08/09 17:58:09 salo Exp $
+
+Security fix for SA21436.
+
+--- appl/dceutils/k5dcecon.c.orig	2002-08-09 15:19:41.000000000 +0200
++++ appl/dceutils/k5dcecon.c	2006-08-09 19:42:15.000000000 +0200
+@@ -71,7 +71,7 @@
+ #endif
+ 
+ #ifdef __hpux
+-#define seteuid(A)		setresuid(-1,A,-1);
++#define seteuid(A)		setresuid(-1,A,-1)
+ #endif
+ 
+ 
+@@ -549,7 +549,8 @@ int k5dcecreate(luid, luser, pname, krbt
+ 	 */
+ 
+ 	if (uid == 0) {
+-		seteuid(luid);
++		if (seteuid(luid) < 0)
++			goto abort;
+ 	}  
+ 
+ 	cp = strchr(pname,'@');
diff --git a/security/heimdal/patches/patch-an b/security/heimdal/patches/patch-an
new file mode 100644
index 00000000000..78879014233
--- /dev/null
+++ b/security/heimdal/patches/patch-an
@@ -0,0 +1,145 @@
+$NetBSD: patch-an,v 1.1 2006/08/09 17:58:09 salo Exp $
+
+Security fix for SA21436.
+
+--- appl/ftp/ftpd/ftpd.c.orig	2005-06-02 12:41:28.000000000 +0200
++++ appl/ftp/ftpd/ftpd.c	2006-08-09 19:42:15.000000000 +0200
+@@ -138,9 +138,9 @@ static int	 handleoobcmd(void);
+ static int	 checkuser (char *, char *);
+ static int	 checkaccess (char *);
+ static FILE	*dataconn (const char *, off_t, const char *);
+-static void	 dolog (struct sockaddr *sa, int len);
++static void	 dolog (struct sockaddr *, int);
+ static void	 end_login (void);
+-static FILE	*getdatasock (const char *);
++static FILE	*getdatasock (const char *, int);
+ static char	*gunique (char *);
+ static RETSIGTYPE	 lostconn (int);
+ static int	 receive_data (FILE *, FILE *);
+@@ -835,7 +835,8 @@ static void
+ end_login(void)
+ {
+ 
+-	seteuid((uid_t)0);
++	if (seteuid((uid_t)0) < 0)
++		fatal("Failed to seteuid");
+ 	if (logged_in)
+ 		ftpd_logwtmp(ttyline, "", "");
+ 	pw = NULL;
+@@ -1208,14 +1209,15 @@ done:
+ }
+ 
+ static FILE *
+-getdatasock(const char *mode)
++getdatasock(const char *mode, int domain)
+ {
+ 	int s, t, tries;
+ 
+ 	if (data >= 0)
+ 		return (fdopen(data, mode));
+-	seteuid(0);
+-	s = socket(ctrl_addr->sa_family, SOCK_STREAM, 0);
++	if (seteuid(0) < 0)
++		fatal("Failed to seteuid");
++	s = socket(domain, SOCK_STREAM, 0);
+ 	if (s < 0)
+ 		goto bad;
+ 	socket_set_reuseaddr (s, 1);
+@@ -1232,7 +1234,8 @@ getdatasock(const char *mode)
+ 			goto bad;
+ 		sleep(tries);
+ 	}
+-	seteuid(pw->pw_uid);
++	if (seteuid(pw->pw_uid) < 0)
++		fatal("Failed to seteuid");
+ #ifdef IPTOS_THROUGHPUT
+ 	socket_set_tos (s, IPTOS_THROUGHPUT);
+ #endif
+@@ -1240,7 +1243,8 @@ getdatasock(const char *mode)
+ bad:
+ 	/* Return the real value of errno (close may change it) */
+ 	t = errno;
+-	seteuid((uid_t)pw->pw_uid);
++	if (seteuid((uid_t)pw->pw_uid) < 0)
++		fatal("Failed to seteuid");
+ 	close(s);
+ 	errno = t;
+ 	return (NULL);
+@@ -1271,7 +1275,7 @@ dataconn(const char *name, off_t size, c
+ {
+ 	char sizebuf[32];
+ 	FILE *file;
+-	int retry = 0;
++	int domain, retry = 0;
+ 
+ 	file_size = size;
+ 	byte_count = 0;
+@@ -1318,7 +1322,15 @@ dataconn(const char *name, off_t size, c
+ 	if (usedefault)
+ 		data_dest = his_addr;
+ 	usedefault = 1;
+-	file = getdatasock(mode);
++	/* 
++	 * Default to using the same socket type as the ctrl address,
++	 * unless we know the type of the data address.
++	 */
++	domain = data_dest->sa_family;
++	if (domain == PF_UNSPEC)
++	    domain = ctrl_addr->sa_family;
++
++	file = getdatasock(mode, domain);
+ 	if (file == NULL) {
+ 		char data_addr[256];
+ 
+@@ -1889,11 +1901,11 @@ dologout(int status)
+     transflag = 0;
+     urgflag = 0;
+     if (logged_in) {
+-	seteuid((uid_t)0);
+-	ftpd_logwtmp(ttyline, "", "");
+ #ifdef KRB4
+ 	cond_kdestroy();
+ #endif
++	seteuid((uid_t)0); /* No need to check, we call exit() below */
++	ftpd_logwtmp(ttyline, "", "");
+     }
+     /* beware of flushing buffers after a SIGPIPE */
+ #ifdef XXX
+@@ -2006,12 +2018,15 @@ pasv(void)
+ 				     0);
+ 	socket_set_portrange(pdata, restricted_data_ports, 
+ 	    pasv_addr->sa_family); 
+-	seteuid(0);
++	if (seteuid(0) < 0)
++		fatal("Failed to seteuid");
+ 	if (bind(pdata, pasv_addr, socket_sockaddr_size (pasv_addr)) < 0) {
+-		seteuid(pw->pw_uid);
++		if (seteuid(pw->pw_uid) < 0)
++			fatal("Failed to seteuid");
+ 		goto pasv_error;
+ 	}
+-	seteuid(pw->pw_uid);
++	if (seteuid(pw->pw_uid) < 0)
++		fatal("Failed to seteuid");
+ 	len = sizeof(pasv_addr_ss);
+ 	if (getsockname(pdata, pasv_addr, &len) < 0)
+ 		goto pasv_error;
+@@ -2050,12 +2065,15 @@ epsv(char *proto)
+ 				     0);
+ 	socket_set_portrange(pdata, restricted_data_ports, 
+ 	    pasv_addr->sa_family); 
+-	seteuid(0);
++	if (seteuid(0) < 0)
++		fatal("Failed to seteuid");
+ 	if (bind(pdata, pasv_addr, socket_sockaddr_size (pasv_addr)) < 0) {
+-		seteuid(pw->pw_uid);
++		if (seteuid(pw->pw_uid))
++			fatal("Failed to seteuid");
+ 		goto pasv_error;
+ 	}
+-	seteuid(pw->pw_uid);
++	if (seteuid(pw->pw_uid) < 0)
++		fatal("Failed to seteuid");
+ 	len = sizeof(pasv_addr_ss);
+ 	if (getsockname(pdata, pasv_addr, &len) < 0)
+ 		goto pasv_error;
diff --git a/security/heimdal/patches/patch-ao b/security/heimdal/patches/patch-ao
new file mode 100644
index 00000000000..342e457a8f8
--- /dev/null
+++ b/security/heimdal/patches/patch-ao
@@ -0,0 +1,44 @@
+$NetBSD: patch-ao,v 1.1 2006/08/09 17:58:09 salo Exp $
+
+Security fix for SA21436.
+
+--- appl/rcp/rcp.c.orig	2005-05-11 13:04:30.000000000 +0200
++++ appl/rcp/rcp.c	2006-08-09 19:42:15.000000000 +0200
+@@ -119,13 +119,15 @@ main(int argc, char **argv)
+ 
+ 	if (fflag) {			/* Follow "protocol", send data. */
+ 		response();
+-		setuid(userid);
++		if (setuid(userid) < 0)
++			errx(1, "setuid failed");
+ 		source(argc, argv);
+ 		exit(errs);
+ 	}
+ 
+ 	if (tflag) {			/* Receive data. */
+-		setuid(userid);
++		if (setuid(userid) < 0)
++			errx(1, "setuid failed");
+ 		sink(argc, argv);
+ 		exit(errs);
+ 	}
+@@ -221,7 +223,8 @@ toremote(char *targ, int argc, char **ar
+ 				if (response() < 0)
+ 					exit(1);
+ 				free(bp);
+-				setuid(userid);
++				if (setuid(userid) < 0)
++					errx(1, "setuid failed");
+ 			}
+ 			source(1, argv+i);
+ 		}
+@@ -270,7 +273,8 @@ tolocal(int argc, char **argv)
+ 		}
+ 		free(bp);
+ 		sink(1, argv + argc - 1);
+-		seteuid(0);
++		if (seteuid(0) < 0)
++			exit(1);
+ 		close(remin);
+ 		remin = remout = -1;
+ 	}
diff --git a/security/heimdal/patches/patch-ap b/security/heimdal/patches/patch-ap
new file mode 100644
index 00000000000..0cf6ab9a525
--- /dev/null
+++ b/security/heimdal/patches/patch-ap
@@ -0,0 +1,16 @@
+$NetBSD: patch-ap,v 1.1 2006/08/09 17:58:09 salo Exp $
+
+Security fix for SA21436.
+
+--- appl/rcp/util.c.orig	2005-04-18 09:52:58.000000000 +0200
++++ appl/rcp/util.c	2006-08-09 19:42:15.000000000 +0200
+@@ -112,7 +112,8 @@ susystem(s, userid)
+ 		return (127);
+ 
+ 	case 0:
+-		(void)setuid(userid);
++		if (setuid(userid) < 0)
++			_exit(127);
+ 		execl(_PATH_BSHELL, "sh", "-c", s, NULL);
+ 		_exit(127);
+ 	}
diff --git a/security/heimdal/patches/patch-aq b/security/heimdal/patches/patch-aq
new file mode 100644
index 00000000000..eeb146f1426
--- /dev/null
+++ b/security/heimdal/patches/patch-aq
@@ -0,0 +1,16 @@
+$NetBSD: patch-aq,v 1.1 2006/08/09 17:58:09 salo Exp $
+
+Security fix for SA21436.
+
+--- lib/roken/iruserok.c.orig	2005-04-12 13:28:54.000000000 +0200
++++ lib/roken/iruserok.c	2006-08-09 19:42:15.000000000 +0200
+@@ -250,7 +250,8 @@ again:
+ 		 * are protected read/write owner only.
+ 		 */
+ 		uid = geteuid();
+-		seteuid(pwd->pw_uid);
++		if (seteuid(pwd->pw_uid) < 0)
++			return (-1);
+ 		hostf = fopen(pbuf, "r");
+ 		seteuid(uid);
+