From 2b0544cbb680415f3baabb7cdc0723955cb105e9 Mon Sep 17 00:00:00 2001
From: salo
Date: Wed, 9 Aug 2006 17:58:09 +0000
Subject: Security fix for SA21436: "A security issue has been reported in Heimdal, which potentially can be exploited by malicious, local users to perform certain actions with escalated privileges. The security issue is caused due to missing checks for whether the "setuid()" call has succeeded in the bundled rcp application. This may be exploited to perform certain actions with root privileges if the "setuid()" call fails due to e.g. resource limits." http://secunia.com/advisories/21436/ http://www.pdc.kth.se/heimdal/advisory/2006-08-08/ Bump PKGREVISION.
---
 security/heimdal/Makefile | 4 +-
 security/heimdal/distinfo | 7 +-
 security/heimdal/patches/patch-am | 25 +++++++
 security/heimdal/patches/patch-an | 145 ++++++++++++++++++++++++++++++++++++++
 security/heimdal/patches/patch-ao | 44 ++++++++++++
 security/heimdal/patches/patch-ap | 16 +++++
 security/heimdal/patches/patch-aq | 16 +++++
 7 files changed, 254 insertions(+), 3 deletions(-)
 create mode 100644 security/heimdal/patches/patch-am
 create mode 100644 security/heimdal/patches/patch-an
 create mode 100644 security/heimdal/patches/patch-ao
 create mode 100644 security/heimdal/patches/patch-ap
 create mode 100644 security/heimdal/patches/patch-aq
(limited to 'security')
diff --git a/security/heimdal/Makefile b/security/heimdal/Makefile
index 0ba7288631c..f775ba9156a 100644
--- a/security/heimdal/Makefile
+++ b/security/heimdal/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.61 2006/07/05 04:39:14 jlam Exp $
+# $NetBSD: Makefile,v 1.62 2006/08/09 17:58:09 salo Exp $
 DISTNAME= heimdal-0.7.2
-PKGREVISION= 2
+PKGREVISION= 3
 CATEGORIES= security
 MASTER_SITES= ftp://ftp.pdc.kth.se/pub/heimdal/src/ \
 ftp://ftp.sunet.se/pub/unix/admin/mirror-pdc/heimdal/src/
diff --git a/security/heimdal/distinfo b/security/heimdal/distinfo
index 6a76dc9b8d5..1b6df19420f 100644
--- a/security/heimdal/distinfo
+++ b/security/heimdal/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.20 2006/07/05 04:39:14 jlam Exp $
+$NetBSD: distinfo,v 1.21 2006/08/09 17:58:09 salo Exp $
 SHA1 (heimdal-0.7.2.tar.gz) = a902e6ad7c31d940b588dc0235b348936f0d719d
 RMD160 (heimdal-0.7.2.tar.gz) = 0f028a9d5a6a66e8efc0397e4d8c8adc2183b409
@@ -6,3 +6,8 @@ Size (heimdal-0.7.2.tar.gz) = 4525734 bytes
 SHA1 (patch-ac) = 313c0a1f91e4f9546ae906f981adae0d499dd9cf
 SHA1 (patch-ad) = a7cfc038e76f8c3da38f8eb0ee48a7f8c7a9c7df
 SHA1 (patch-al) = 6035ef920b1a005902ae021b307fc4c3efc77449
+SHA1 (patch-am) = 538c0c3bb8806bdd3691d490ea4ceafc7acc0ca7
+SHA1 (patch-an) = 2f414a50520a345f3c875220d2b001516933fbac
+SHA1 (patch-ao) = 7401ad7a47ed8541663193f71bd52feafeeeb045
+SHA1 (patch-ap) = 4c28d64ecf1c55d7eb02d0be1cf3efeff81339c6
+SHA1 (patch-aq) = 3ac32c49d5880813998b5bfe8c474fbb87218cba
diff --git a/security/heimdal/patches/patch-am b/security/heimdal/patches/patch-am
new file mode 100644
index 00000000000..b55e4f44837
--- /dev/null
+++ b/security/heimdal/patches/patch-am
@@ -0,0 +1,25 @@
+$NetBSD: patch-am,v 1.1 2006/08/09 17:58:09 salo Exp $
+
+Security fix for SA21436.
+
+--- appl/dceutils/k5dcecon.c.orig 2002-08-09 15:19:41.000000000 +0200
++++ appl/dceutils/k5dcecon.c 2006-08-09 19:42:15.000000000 +0200
+@@ -71,7 +71,7 @@
+ #endif
+
+ #ifdef __hpux
+-#define seteuid(A) setresuid(-1,A,-1);
++#define seteuid(A) setresuid(-1,A,-1)
+ #endif
+
+
+@@ -549,7 +549,8 @@ int k5dcecreate(luid, luser, pname, krbt
+ */
+
+ if (uid == 0) {
+- seteuid(luid);
++ if (seteuid(luid) < 0)
++ goto abort;
+ }
+
+ cp = strchr(pname,'@');
diff --git a/security/heimdal/patches/patch-an b/security/heimdal/patches/patch-an
new file mode 100644
index 00000000000..78879014233
--- /dev/null
+++ b/security/heimdal/patches/patch-an
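Review bot: The `__hpux` seteuid macro loses its trailing semicolon in the first hunk, and that is what lets the new `if (seteuid(luid) < 0)` in the second hunk compile on that platform, but nothing says so; a comment on the `#define` line such as `/* no trailing ';' so seteuid() can be used inside an if condition */` would stop the next editor from putting it back. The `abort` label and the remainder of k5dcecreate() are outside the hunk, so it is not visible here whether that exit path does any further work while the process still holds the root euid it failed to drop; that is worth confirming, since the whole point of the check is that the drop may fail.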
@@ -0,0 +1,145 @@
+$NetBSD: patch-an,v 1.1 2006/08/09 17:58:09 salo Exp $
+
+Security fix for SA21436.
+
+--- appl/ftp/ftpd/ftpd.c.orig 2005-06-02 12:41:28.000000000 +0200
++++ appl/ftp/ftpd/ftpd.c 2006-08-09 19:42:15.000000000 +0200
+@@ -138,9 +138,9 @@ static int handleoobcmd(void);
+ static int checkuser (char *, char *);
+ static int checkaccess (char *);
+ static FILE *dataconn (const char *, off_t, const char *);
+-static void dolog (struct sockaddr *sa, int len);
++static void dolog (struct sockaddr *, int);
+ static void end_login (void);
+-static FILE *getdatasock (const char *);
++static FILE *getdatasock (const char *, int);
+ static char *gunique (char *);
+ static RETSIGTYPE lostconn (int);
+ static int receive_data (FILE *, FILE *);
+@@ -835,7 +835,8 @@ static void
+ end_login(void)
+ {
+
+- seteuid((uid_t)0);
++ if (seteuid((uid_t)0) < 0)
++ fatal("Failed to seteuid");
+ if (logged_in)
+ ftpd_logwtmp(ttyline, "", "");
+ pw = NULL;
+@@ -1208,14 +1209,15 @@ done:
+ }
+
+ static FILE *
+-getdatasock(const char *mode)
++getdatasock(const char *mode, int domain)
+ {
+ int s, t, tries;
+
+ if (data >= 0)
+ return (fdopen(data, mode));
+- seteuid(0);
+- s = socket(ctrl_addr->sa_family, SOCK_STREAM, 0);
++ if (seteuid(0) < 0)
++ fatal("Failed to seteuid");
++ s = socket(domain, SOCK_STREAM, 0);
+ if (s < 0)
+ goto bad;
+ socket_set_reuseaddr (s, 1);
+@@ -1232,7 +1234,8 @@ getdatasock(const char *mode)
+ goto bad;
+ sleep(tries);
+ }
+- seteuid(pw->pw_uid);
++ if (seteuid(pw->pw_uid) < 0)
++ fatal("Failed to seteuid");
+ #ifdef IPTOS_THROUGHPUT
+ socket_set_tos (s, IPTOS_THROUGHPUT);
+ #endif
+@@ -1240,7 +1243,8 @@ getdatasock(const char *mode)
+ bad:
+ /* Return the real value of errno (close may change it) */
+ t = errno;
+- seteuid((uid_t)pw->pw_uid);
++ if (seteuid((uid_t)pw->pw_uid) < 0)
++ fatal("Failed to seteuid");
+ close(s);
+ errno = t;
+ return (NULL);
+@@ -1271,7 +1275,7 @@ dataconn(const char *name, off_t size, c
+ {
+ char sizebuf[32];
+ FILE *file;
+- int retry = 0;
++ int domain, retry = 0;
+
+ file_size = size;
+ byte_count = 0;
+@@ -1318,7 +1322,15 @@ dataconn(const char *name, off_t size, c
+ if (usedefault)
+ data_dest = his_addr;
+ usedefault = 1;
+- file = getdatasock(mode);
++ /*
++ * Default to using the same socket type as the ctrl address,
++ * unless we know the type of the data address.
++ */
++ domain = data_dest->sa_family;
++ if (domain == PF_UNSPEC)
++ domain = ctrl_addr->sa_family;
++
++ file = getdatasock(mode, domain);
+ if (file == NULL) {
+ char data_addr[256];
+
+@@ -1889,11 +1901,11 @@ dologout(int status)
+ transflag = 0;
+ urgflag = 0;
+ if (logged_in) {
+- seteuid((uid_t)0);
+- ftpd_logwtmp(ttyline, "", "");
+ #ifdef KRB4
+ cond_kdestroy();
+ #endif
++ seteuid((uid_t)0); /* No need to check, we call exit() below */
++ ftpd_logwtmp(ttyline, "", "");
+ }
+ /* beware of flushing buffers after a SIGPIPE */
+ #ifdef XXX
+@@ -2006,12 +2018,15 @@ pasv(void)
+ 0);
+ socket_set_portrange(pdata, restricted_data_ports,
+ pasv_addr->sa_family);
+- seteuid(0);
++ if (seteuid(0) < 0)
++ fatal("Failed to seteuid");
+ if (bind(pdata, pasv_addr, socket_sockaddr_size (pasv_addr)) < 0) {
+- seteuid(pw->pw_uid);
++ if (seteuid(pw->pw_uid) < 0)
++ fatal("Failed to seteuid");
+ goto pasv_error;
+ }
+- seteuid(pw->pw_uid);
++ if (seteuid(pw->pw_uid) < 0)
++ fatal("Failed to seteuid");
+ len = sizeof(pasv_addr_ss);
+ if (getsockname(pdata, pasv_addr, &len) < 0)
+ goto pasv_error;
+@@ -2050,12 +2065,15 @@ epsv(char *proto)
+ 0);
+ socket_set_portrange(pdata, restricted_data_ports,
+ pasv_addr->sa_family);
+- seteuid(0);
++ if (seteuid(0) < 0)
++ fatal("Failed to seteuid");
+ if (bind(pdata, pasv_addr, socket_sockaddr_size (pasv_addr)) < 0) {
+- seteuid(pw->pw_uid);
++ if (seteuid(pw->pw_uid))
++ fatal("Failed to seteuid");
+ goto pasv_error;
+ }
+- seteuid(pw->pw_uid);
++ if (seteuid(pw->pw_uid) < 0)
++ fatal("Failed to seteuid");
+ len = sizeof(pasv_addr_ss);
+ if (getsockname(pdata, pasv_addr, &len) < 0)
+ goto pasv_error;
diff --git a/security/heimdal/patches/patch-ao b/security/heimdal/patches/patch-ao
new file mode 100644
index 00000000000..342e457a8f8
--- /dev/null
+++ b/security/heimdal/patches/patch-ao
@@ -0,0 +1,44 @@
+$NetBSD: patch-ao,v 1.1 2006/08/09 17:58:09 salo Exp $
+
+Security fix for SA21436.
+
+--- appl/rcp/rcp.c.orig 2005-05-11 13:04:30.000000000 +0200
++++ appl/rcp/rcp.c 2006-08-09 19:42:15.000000000 +0200
+@@ -119,13 +119,15 @@ main(int argc, char **argv)
+
+ if (fflag) { /* Follow "protocol", send data. */
+ response();
+- setuid(userid);
++ if (setuid(userid) < 0)
++ errx(1, "setuid failed");
+ source(argc, argv);
+ exit(errs);
+ }
+
+ if (tflag) { /* Receive data. */
+- setuid(userid);
++ if (setuid(userid) < 0)
++ errx(1, "setuid failed");
+ sink(argc, argv);
+ exit(errs);
+ }
+@@ -221,7 +223,8 @@ toremote(char *targ, int argc, char **ar
+ if (response() < 0)
+ exit(1);
+ free(bp);
+- setuid(userid);
++ if (setuid(userid) < 0)
++ errx(1, "setuid failed");
+ }
+ source(1, argv+i);
+ }
+@@ -270,7 +273,8 @@ tolocal(int argc, char **argv)
+ }
+ free(bp);
+ sink(1, argv + argc - 1);
+- seteuid(0);
++ if (seteuid(0) < 0)
++ exit(1);
+ close(remin);
+ remin = remout = -1;
+ }
diff --git a/security/heimdal/patches/patch-ap b/security/heimdal/patches/patch-ap
new file mode 100644
index 00000000000..0cf6ab9a525
--- /dev/null
+++ b/security/heimdal/patches/patch-ap
@@ -0,0 +1,16 @@
+$NetBSD: patch-ap,v 1.1 2006/08/09 17:58:09 salo Exp $
+
+Security fix for SA21436.
+
+--- appl/rcp/util.c.orig 2005-04-18 09:52:58.000000000 +0200
++++ appl/rcp/util.c 2006-08-09 19:42:15.000000000 +0200
+@@ -112,7 +112,8 @@ susystem(s, userid)
+ return (127);
+
+ case 0:
+- (void)setuid(userid);
++ if (setuid(userid) < 0)
++ _exit(127);
+ execl(_PATH_BSHELL, "sh", "-c", s, NULL);
+ _exit(127);
+ }
diff --git a/security/heimdal/patches/patch-aq b/security/heimdal/patches/patch-aq
new file mode 100644
index 00000000000..eeb146f1426
--- /dev/null
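Review bot: In the epsv() hunk the bind() failure path checks `if (seteuid(pw->pw_uid))` while every other new check in this patch, including the matching line in pasv(), is written `if (seteuid(pw->pw_uid) < 0)`; seteuid() returns 0 or -1 so both behave the same, but the odd one out reads like a typo and should be `if (seteuid(pw->pw_uid) < 0)` for consistency. In the dologout() hunk the re-raised `seteuid((uid_t)0)` is annotated as not needing a check because exit() follows, yet ftpd_logwtmp() runs between the two; if regaining root fails the wtmp record is silently lost, which is likely acceptable at logout but the comment should say so, e.g. `/* unchecked: a failure only loses the wtmp record, and we exit() below */`. All of the functions touched here continue outside their hunks.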
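Review bot: The new checks in main() and toremote() report failure with `errx(1, "setuid failed")`, which discards errno, while the tolocal() hunk exits with a bare `exit(1)` and no message at all; using `err(1, "setuid")` and `err(1, "seteuid")` would tell the operator why the call failed (a process limit giving EAGAIN is exactly the case the advisory describes) and make all four sites consistent. Whether err() is in scope cannot be seen from the hunk, but errx() already is, so the err.h family is presumably available. The bodies of main(), toremote() and tolocal() extend beyond the hunks.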
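Review bot: In susystem() a failed setuid() and a failed execl() now both make the child `_exit(127)`, so the parent cannot distinguish a privilege-drop failure from a missing shell, and nothing is written to stderr for the former. If the err.h helpers are available in util.c (the hunk does not show the includes), a `warn("setuid")` before the new `_exit(127)` would leave a diagnostic without changing the exit status the callers already handle. The enclosing switch and the rest of susystem() are outside the hunk.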
+++ b/security/heimdal/patches/patch-aq
@@ -0,0 +1,16 @@
+$NetBSD: patch-aq,v 1.1 2006/08/09 17:58:09 salo Exp $
+
+Security fix for SA21436.
+
+--- lib/roken/iruserok.c.orig 2005-04-12 13:28:54.000000000 +0200
++++ lib/roken/iruserok.c 2006-08-09 19:42:15.000000000 +0200
+@@ -250,7 +250,8 @@ again:
+ * are protected read/write owner only.
+ */
+ uid = geteuid();
+- seteuid(pwd->pw_uid);
++ if (seteuid(pwd->pw_uid) < 0)
++ return (-1);
+ hostf = fopen(pbuf, "r");
+ seteuid(uid);
+
-- 
cgit v1.2.3
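Review bot: The restoring `seteuid(uid)` on the context line after the fopen() is still unchecked; if switching back fails, the caller carries on with euid pwd->pw_uid and nothing in the hunk reports it. Since the new code already returns -1 when the first switch fails, the restore should be treated the same way, e.g. `if (seteuid(uid) < 0) { if (hostf) fclose(hostf); return (-1); }`. The rest of the function, and what the caller does with a -1 result, is outside the hunk.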