authorYue Tao <Yue.Tao@windriver.com>2014-04-14 12:41:17 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2014-05-21 09:08:59 +0100
commit27aba0a8d91a67e85f6c8ab44e41ff4205224505 (patch)
treecc3c14b547abd7216b168f6ce1303ae9c7b09c11
parent901a28b66176a63b1b3bb2a1f65fa0bc12f712c9 (diff)
Screen: fix for Security Advisory CVE-2009-1214
GNU screen 4.0.3 creates the /tmp/screen-exchange temporary file with world-readable permissions, which might allow local users to obtain sensitive session information. (From OE-Core rev: 25a212d0154906e7a05075d015dbc1cfdfabb73a) Signed-off-by: Yue Tao <Yue.Tao@windriver.com> Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-extended/screen/screen-4.0.3/screen-4.0.3-CVE-2009-1214.patch86
-rw-r--r--meta/recipes-extended/screen/screen_4.0.3.bb1
2 files changed, 87 insertions, 0 deletions
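diff --git a/meta/recipes-extended/screen/screen-4.0.3/screen-4.0.3-CVE-2009-1214.patch b/meta/recipes-extended/screen/screen-4.0.3/screen-4.0.3-CVE-2009-1214.patch
new file mode 100644
index 0000000000..104fa82dd6
--- /dev/null
+++ b/meta/recipes-extended/screen/screen-4.0.3/screen-4.0.3-CVE-2009-1214.patch
@@ -0,0 +1,86 @@
+Upstream-Status: Backport
+
+The patch to fix CVE-2009-1214
+A security flaw was found in the screen utility in the way it used to create
+one particular temporary file. An attacker could use this flaw to perform
+a symlink attack.
+Fix race condition creating temporary file
+
+Reference:
+https://bugzilla.redhat.com/show_bug.cgi?id=492104
+
+Signed-off-by: Chenyang Guo <chenyang.guo@windriver.com>
+---
+ fileio.c | 48 ++++++++++++++++++++++++++++++++----------------
+ 1 file changed, 32 insertions(+), 16 deletions(-)
+
+--- a/fileio.c
++++ b/fileio.c
+@@ -414,6 +414,14 @@ int dump;
+ }
+ public = !strcmp(fn, DEFAULT_BUFFERFILE);
+ # ifdef HAVE_LSTAT
++ /*
++ * Note: In the time between lstat() and open()/remove() below are
++ * called, the file can be created/removed/modified. Therefore the
++ * information lstat() returns is taken into consideration, but not
++ * relied upon. In particular, the open()/remove() calls can fail, and
++ * the code must account for that. Symlink attack could be mounted if
++ * the code is changed carelessly. --rdancer 2009-01-11
++ */
+ exists = !lstat(fn, &stb);
+ if (public && exists && (S_ISLNK(stb.st_mode) || stb.st_nlink > 1))
+ {
+@@ -432,28 +440,36 @@ int dump;
+ #ifdef COPY_PASTE
+ if (dump == DUMP_EXCHANGE && public)
+ {
++ /*
++ * Setting umask to zero is a bad idea -- the user surely doesn't
++ * expect a publicly readable file in a publicly readable directory
++ * --rdancer 2009-01-11
++ */
++ /*
+ old_umask = umask(0);
++ */
+ # ifdef HAVE_LSTAT
+ if (exists)
+- {
+- if ((fd = open(fn, O_WRONLY, 0666)) >= 0)
+- {
+- if (fstat(fd, &stb2) == 0 && stb.st_dev == stb2.st_dev && stb.st_ino == stb2.st_ino)
+- ftruncate(fd, 0);
+- else
+- {
+- close(fd);
+- fd = -1;
+- }
+- }
+- }
+- else
+- fd = open(fn, O_WRONLY|O_CREAT|O_EXCL, 0666);
+- f = fd >= 0 ? fdopen(fd, mode) : 0;
++ if (remove(fn) == -1)
++ {
++ /* Error */
++ debug2("WriteFile: File exists and remove(%s) failed: %s\n",
++ fn, strerror(errno));
++ UserReturn(0);
++ }
+ # else
+- f = fopen(fn, mode);
++ (void) remove(fn);
+ # endif
++ /*
++ * No r/w permissions for anybody but the user, as the file may be in
++ * a public directory -- if the user chooses, they can chmod the file
++ * afterwards. --rdancer 2008-01-11
++ */
++ fd = open(fn, O_WRONLY|O_CREAT|O_EXCL, 0600);
++ f = fd >= 0 ? fdopen(fd, mode) : 0;
++ /*
+ umask(old_umask);
++ */
+ }
+ else
+ #endif /* COPY_PASTE */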
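Review bot: In the second fileio.c hunk, the `HAVE_LSTAT` branch treats every `remove(fn)` failure as fatal, yet `exists` comes from the earlier `lstat()` and, as the added comment itself says, may already be stale. If the file disappeared in between, `remove()` fails with ENOENT and the write is aborted even though the following `open(fn, O_WRONLY|O_CREAT|O_EXCL, 0600)` would succeed safely; `if (remove(fn) == -1 && errno != ENOENT)` would keep the abort for genuine errors only. The failure is also reported only through `debug2`, which presumably compiles away outside debug builds, so a user-visible message before `UserReturn(0)` may be worth adding. The enclosing function starts and ends outside the hunk, so how a NULL `f` from a failed exclusive open is handled cannot be checked from here.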
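diff --git a/meta/recipes-extended/screen/screen_4.0.3.bb b/meta/recipes-extended/screen/screen_4.0.3.bb
index 5850560fe4..a0aa15c0d3 100644
--- a/meta/recipes-extended/screen/screen_4.0.3.bb
+++ b/meta/recipes-extended/screen/screen_4.0.3.bb
@@ -20,6 +20,7 @@ SRC_URI = "${GNU_MIRROR}/screen/screen-${PV}.tar.gz;name=tarball \
  ${DEBIAN_MIRROR}/main/s/screen/screen_4.0.3-14.diff.gz;name=patch \
  file://configure.patch \
  file://fix-parallel-make.patch \
+ file://screen-4.0.3-CVE-2009-1214.patch \
  ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)}"
 
 PAM_SRC_URI = "file://screen.pam"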