diff options
Diffstat (limited to 'meta/recipes-connectivity/inetutils/inetutils/0001-CVE-2023-40303-ftpd-rcp-rlogin-rsh-rshd-uucpd-fix-ch.patch')
-rw-r--r-- | meta/recipes-connectivity/inetutils/inetutils/0001-CVE-2023-40303-ftpd-rcp-rlogin-rsh-rshd-uucpd-fix-ch.patch | 283 |
1 files changed, 283 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/inetutils/inetutils/0001-CVE-2023-40303-ftpd-rcp-rlogin-rsh-rshd-uucpd-fix-ch.patch b/meta/recipes-connectivity/inetutils/inetutils/0001-CVE-2023-40303-ftpd-rcp-rlogin-rsh-rshd-uucpd-fix-ch.patch new file mode 100644 index 0000000000..aea07bd803 --- /dev/null +++ b/meta/recipes-connectivity/inetutils/inetutils/0001-CVE-2023-40303-ftpd-rcp-rlogin-rsh-rshd-uucpd-fix-ch.patch | |||
@@ -0,0 +1,283 @@ | |||
1 | From 703418fe9d2e3b1e8d594df5788d8001a8116265 Mon Sep 17 00:00:00 2001 | ||
2 | From: Jeffrey Bencteux <jeffbencteux@gmail.com> | ||
3 | Date: Fri, 30 Jun 2023 19:02:45 +0200 | ||
4 | Subject: [PATCH] CVE-2023-40303: ftpd,rcp,rlogin,rsh,rshd,uucpd: fix: check | ||
5 | set*id() return values | ||
6 | |||
7 | Several setuid(), setgid(), seteuid() and setguid() return values | ||
8 | were not checked in ftpd/rcp/rlogin/rsh/rshd/uucpd code potentially | ||
9 | leading to potential security issues. | ||
10 | |||
11 | CVE: CVE-2023-40303 | ||
12 | Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=e4e65c03f4c11292a3e40ef72ca3f194c8bffdd6] | ||
13 | Signed-off-by: Jeffrey Bencteux <jeffbencteux@gmail.com> | ||
14 | Signed-off-by: Simon Josefsson <simon@josefsson.org> | ||
15 | Signed-off-by: Khem Raj <raj.khem@gmail.com> | ||
16 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
17 | --- | ||
18 | ftpd/ftpd.c | 10 +++++++--- | ||
19 | src/rcp.c | 39 +++++++++++++++++++++++++++++++++------ | ||
20 | src/rlogin.c | 11 +++++++++-- | ||
21 | src/rsh.c | 25 +++++++++++++++++++++---- | ||
22 | src/rshd.c | 20 +++++++++++++++++--- | ||
23 | src/uucpd.c | 15 +++++++++++++-- | ||
24 | 6 files changed, 100 insertions(+), 20 deletions(-) | ||
25 | |||
26 | diff --git a/ftpd/ftpd.c b/ftpd/ftpd.c | ||
27 | index 5db88d0..b52b122 100644 | ||
28 | --- a/ftpd/ftpd.c | ||
29 | +++ b/ftpd/ftpd.c | ||
30 | @@ -862,7 +862,9 @@ end_login (struct credentials *pcred) | ||
31 | char *remotehost = pcred->remotehost; | ||
32 | int atype = pcred->auth_type; | ||
33 | |||
34 | - seteuid ((uid_t) 0); | ||
35 | + if (seteuid ((uid_t) 0) == -1) | ||
36 | + _exit (EXIT_FAILURE); | ||
37 | + | ||
38 | if (pcred->logged_in) | ||
39 | { | ||
40 | logwtmp_keep_open (ttyline, "", ""); | ||
41 | @@ -1151,7 +1153,8 @@ getdatasock (const char *mode) | ||
42 | |||
43 | if (data >= 0) | ||
44 | return fdopen (data, mode); | ||
45 | - seteuid ((uid_t) 0); | ||
46 | + if (seteuid ((uid_t) 0) == -1) | ||
47 | + _exit (EXIT_FAILURE); | ||
48 | s = socket (ctrl_addr.ss_family, SOCK_STREAM, 0); | ||
49 | if (s < 0) | ||
50 | goto bad; | ||
51 | @@ -1978,7 +1981,8 @@ passive (int epsv, int af) | ||
52 | else /* !AF_INET6 */ | ||
53 | ((struct sockaddr_in *) &pasv_addr)->sin_port = 0; | ||
54 | |||
55 | - seteuid ((uid_t) 0); | ||
56 | + if (seteuid ((uid_t) 0) == -1) | ||
57 | + _exit (EXIT_FAILURE); | ||
58 | if (bind (pdata, (struct sockaddr *) &pasv_addr, pasv_addrlen) < 0) | ||
59 | { | ||
60 | if (seteuid ((uid_t) cred.uid)) | ||
61 | diff --git a/src/rcp.c b/src/rcp.c | ||
62 | index bafa35f..366295c 100644 | ||
63 | --- a/src/rcp.c | ||
64 | +++ b/src/rcp.c | ||
65 | @@ -347,14 +347,23 @@ main (int argc, char *argv[]) | ||
66 | if (from_option) | ||
67 | { /* Follow "protocol", send data. */ | ||
68 | response (); | ||
69 | - setuid (userid); | ||
70 | + | ||
71 | + if (setuid (userid) == -1) | ||
72 | + { | ||
73 | + error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)"); | ||
74 | + } | ||
75 | + | ||
76 | source (argc, argv); | ||
77 | exit (errs); | ||
78 | } | ||
79 | |||
80 | if (to_option) | ||
81 | { /* Receive data. */ | ||
82 | - setuid (userid); | ||
83 | + if (setuid (userid) == -1) | ||
84 | + { | ||
85 | + error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)"); | ||
86 | + } | ||
87 | + | ||
88 | sink (argc, argv); | ||
89 | exit (errs); | ||
90 | } | ||
91 | @@ -539,7 +548,11 @@ toremote (char *targ, int argc, char *argv[]) | ||
92 | if (response () < 0) | ||
93 | exit (EXIT_FAILURE); | ||
94 | free (bp); | ||
95 | - setuid (userid); | ||
96 | + | ||
97 | + if (setuid (userid) == -1) | ||
98 | + { | ||
99 | + error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)"); | ||
100 | + } | ||
101 | } | ||
102 | source (1, argv + i); | ||
103 | close (rem); | ||
104 | @@ -634,7 +647,12 @@ tolocal (int argc, char *argv[]) | ||
105 | ++errs; | ||
106 | continue; | ||
107 | } | ||
108 | - seteuid (userid); | ||
109 | + | ||
110 | + if (seteuid (userid) == -1) | ||
111 | + { | ||
112 | + error (EXIT_FAILURE, 0, "Could not drop privileges (seteuid() failed)"); | ||
113 | + } | ||
114 | + | ||
115 | #if defined IP_TOS && defined IPPROTO_IP && defined IPTOS_THROUGHPUT | ||
116 | sslen = sizeof (ss); | ||
117 | (void) getpeername (rem, (struct sockaddr *) &ss, &sslen); | ||
118 | @@ -647,7 +665,12 @@ tolocal (int argc, char *argv[]) | ||
119 | #endif | ||
120 | vect[0] = target; | ||
121 | sink (1, vect); | ||
122 | - seteuid (effuid); | ||
123 | + | ||
124 | + if (seteuid (effuid) == -1) | ||
125 | + { | ||
126 | + error (EXIT_FAILURE, 0, "Could not drop privileges (seteuid() failed)"); | ||
127 | + } | ||
128 | + | ||
129 | close (rem); | ||
130 | rem = -1; | ||
131 | #ifdef SHISHI | ||
132 | @@ -1453,7 +1476,11 @@ susystem (char *s, int userid) | ||
133 | return (127); | ||
134 | |||
135 | case 0: | ||
136 | - setuid (userid); | ||
137 | + if (setuid (userid) == -1) | ||
138 | + { | ||
139 | + error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)"); | ||
140 | + } | ||
141 | + | ||
142 | execl (PATH_BSHELL, "sh", "-c", s, NULL); | ||
143 | _exit (127); | ||
144 | } | ||
145 | diff --git a/src/rlogin.c b/src/rlogin.c | ||
146 | index e5e11a7..6b38901 100644 | ||
147 | --- a/src/rlogin.c | ||
148 | +++ b/src/rlogin.c | ||
149 | @@ -649,8 +649,15 @@ try_connect: | ||
150 | /* Now change to the real user ID. We have to be set-user-ID root | ||
151 | to get the privileged port that rcmd () uses. We now want, however, | ||
152 | to run as the real user who invoked us. */ | ||
153 | - seteuid (uid); | ||
154 | - setuid (uid); | ||
155 | + if (seteuid (uid) == -1) | ||
156 | + { | ||
157 | + error (EXIT_FAILURE, 0, "Could not drop privileges (seteuid() failed)"); | ||
158 | + } | ||
159 | + | ||
160 | + if (setuid (uid) == -1) | ||
161 | + { | ||
162 | + error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)"); | ||
163 | + } | ||
164 | |||
165 | doit (&osmask); /* The old mask will activate SIGURG and SIGUSR1! */ | ||
166 | |||
167 | diff --git a/src/rsh.c b/src/rsh.c | ||
168 | index bd70372..b451a70 100644 | ||
169 | --- a/src/rsh.c | ||
170 | +++ b/src/rsh.c | ||
171 | @@ -278,8 +278,17 @@ main (int argc, char **argv) | ||
172 | { | ||
173 | if (asrsh) | ||
174 | *argv = (char *) "rlogin"; | ||
175 | - seteuid (getuid ()); | ||
176 | - setuid (getuid ()); | ||
177 | + | ||
178 | + if (seteuid (getuid ()) == -1) | ||
179 | + { | ||
180 | + error (EXIT_FAILURE, errno, "seteuid() failed"); | ||
181 | + } | ||
182 | + | ||
183 | + if (setuid (getuid ()) == -1) | ||
184 | + { | ||
185 | + error (EXIT_FAILURE, errno, "setuid() failed"); | ||
186 | + } | ||
187 | + | ||
188 | execv (PATH_RLOGIN, argv); | ||
189 | error (EXIT_FAILURE, errno, "cannot execute %s", PATH_RLOGIN); | ||
190 | } | ||
191 | @@ -543,8 +552,16 @@ try_connect: | ||
192 | error (0, errno, "setsockopt DEBUG (ignored)"); | ||
193 | } | ||
194 | |||
195 | - seteuid (uid); | ||
196 | - setuid (uid); | ||
197 | + if (seteuid (uid) == -1) | ||
198 | + { | ||
199 | + error (EXIT_FAILURE, errno, "seteuid() failed"); | ||
200 | + } | ||
201 | + | ||
202 | + if (setuid (uid) == -1) | ||
203 | + { | ||
204 | + error (EXIT_FAILURE, errno, "setuid() failed"); | ||
205 | + } | ||
206 | + | ||
207 | #ifdef HAVE_SIGACTION | ||
208 | sigemptyset (&sigs); | ||
209 | sigaddset (&sigs, SIGINT); | ||
210 | diff --git a/src/rshd.c b/src/rshd.c | ||
211 | index b824a10..8cdcd06 100644 | ||
212 | --- a/src/rshd.c | ||
213 | +++ b/src/rshd.c | ||
214 | @@ -1848,8 +1848,18 @@ doit (int sockfd, struct sockaddr *fromp, socklen_t fromlen) | ||
215 | pwd->pw_shell = PATH_BSHELL; | ||
216 | |||
217 | /* Set the gid, then uid to become the user specified by "locuser" */ | ||
218 | - setegid ((gid_t) pwd->pw_gid); | ||
219 | - setgid ((gid_t) pwd->pw_gid); | ||
220 | + if (setegid ((gid_t) pwd->pw_gid) == -1) | ||
221 | + { | ||
222 | + rshd_error ("Cannot drop privileges (setegid() failed)\n"); | ||
223 | + exit (EXIT_FAILURE); | ||
224 | + } | ||
225 | + | ||
226 | + if (setgid ((gid_t) pwd->pw_gid) == -1) | ||
227 | + { | ||
228 | + rshd_error ("Cannot drop privileges (setgid() failed)\n"); | ||
229 | + exit (EXIT_FAILURE); | ||
230 | + } | ||
231 | + | ||
232 | #ifdef HAVE_INITGROUPS | ||
233 | initgroups (pwd->pw_name, pwd->pw_gid); /* BSD groups */ | ||
234 | #endif | ||
235 | @@ -1871,7 +1881,11 @@ doit (int sockfd, struct sockaddr *fromp, socklen_t fromlen) | ||
236 | } | ||
237 | #endif /* WITH_PAM */ | ||
238 | |||
239 | - setuid ((uid_t) pwd->pw_uid); | ||
240 | + if (setuid ((uid_t) pwd->pw_uid) == -1) | ||
241 | + { | ||
242 | + rshd_error ("Cannot drop privileges (setuid() failed)\n"); | ||
243 | + exit (EXIT_FAILURE); | ||
244 | + } | ||
245 | |||
246 | /* We'll execute the client's command in the home directory | ||
247 | * of locuser. Note, that the chdir must be executed after | ||
248 | diff --git a/src/uucpd.c b/src/uucpd.c | ||
249 | index 55c3d44..6aba294 100644 | ||
250 | --- a/src/uucpd.c | ||
251 | +++ b/src/uucpd.c | ||
252 | @@ -254,7 +254,12 @@ doit (struct sockaddr *sap, socklen_t salen) | ||
253 | sprintf (Username, "USER=%s", user); | ||
254 | sprintf (Logname, "LOGNAME=%s", user); | ||
255 | dologin (pw, sap, salen); | ||
256 | - setgid (pw->pw_gid); | ||
257 | + | ||
258 | + if (setgid (pw->pw_gid) == -1) | ||
259 | + { | ||
260 | + fprintf (stderr, "setgid() failed"); | ||
261 | + return; | ||
262 | + } | ||
263 | #ifdef HAVE_INITGROUPS | ||
264 | initgroups (pw->pw_name, pw->pw_gid); | ||
265 | #endif | ||
266 | @@ -263,7 +268,13 @@ doit (struct sockaddr *sap, socklen_t salen) | ||
267 | fprintf (stderr, "Login incorrect."); | ||
268 | return; | ||
269 | } | ||
270 | - setuid (pw->pw_uid); | ||
271 | + | ||
272 | + if (setuid (pw->pw_uid) == -1) | ||
273 | + { | ||
274 | + fprintf (stderr, "setuid() failed"); | ||
275 | + return; | ||
276 | + } | ||
277 | + | ||
278 | execl (uucico_location, "uucico", NULL); | ||
279 | perror ("uucico server: execl"); | ||
280 | } | ||
281 | -- | ||
282 | 2.25.1 | ||
283 | |||