diff options
Diffstat (limited to 'meta/recipes-extended/screen/screen-4.0.3/screen-4.0.3-CVE-2009-1214.patch')
| -rw-r--r-- | meta/recipes-extended/screen/screen-4.0.3/screen-4.0.3-CVE-2009-1214.patch | 86 |
1 files changed, 86 insertions, 0 deletions
diff --git a/meta/recipes-extended/screen/screen-4.0.3/screen-4.0.3-CVE-2009-1214.patch b/meta/recipes-extended/screen/screen-4.0.3/screen-4.0.3-CVE-2009-1214.patch new file mode 100644 index 0000000000..104fa82dd6 --- /dev/null +++ b/meta/recipes-extended/screen/screen-4.0.3/screen-4.0.3-CVE-2009-1214.patch | |||
| @@ -0,0 +1,86 @@ | |||
| 1 | Upstream-Status: Backport | ||
| 2 | |||
| 3 | The patch to fix CVE-2009-1214 | ||
| 4 | A security flaw was found in the screen utility in the way it used to create | ||
| 5 | one particular temporary file. An attacker could use this flaw to perform | ||
| 6 | a symlink attack. | ||
| 7 | Fix race condition creating temporary file | ||
| 8 | |||
| 9 | Reference: | ||
| 10 | https://bugzilla.redhat.com/show_bug.cgi?id=492104 | ||
| 11 | |||
| 12 | Signed-off-by: Chenyang Guo <chenyang.guo@windriver.com> | ||
| 13 | --- | ||
| 14 | fileio.c | 48 ++++++++++++++++++++++++++++++++---------------- | ||
| 15 | 1 file changed, 32 insertions(+), 16 deletions(-) | ||
| 16 | |||
| 17 | --- a/fileio.c | ||
| 18 | +++ b/fileio.c | ||
| 19 | @@ -414,6 +414,14 @@ int dump; | ||
| 20 | } | ||
| 21 | public = !strcmp(fn, DEFAULT_BUFFERFILE); | ||
| 22 | # ifdef HAVE_LSTAT | ||
| 23 | + /* | ||
| 24 | + * Note: In the time between lstat() and open()/remove() below are | ||
| 25 | + * called, the file can be created/removed/modified. Therefore the | ||
| 26 | + * information lstat() returns is taken into consideration, but not | ||
| 27 | + * relied upon. In particular, the open()/remove() calls can fail, and | ||
| 28 | + * the code must account for that. Symlink attack could be mounted if | ||
| 29 | + * the code is changed carelessly. --rdancer 2009-01-11 | ||
| 30 | + */ | ||
| 31 | exists = !lstat(fn, &stb); | ||
| 32 | if (public && exists && (S_ISLNK(stb.st_mode) || stb.st_nlink > 1)) | ||
| 33 | { | ||
| 34 | @@ -432,28 +440,36 @@ int dump; | ||
| 35 | #ifdef COPY_PASTE | ||
| 36 | if (dump == DUMP_EXCHANGE && public) | ||
| 37 | { | ||
| 38 | + /* | ||
| 39 | + * Setting umask to zero is a bad idea -- the user surely doesn't | ||
| 40 | + * expect a publicly readable file in a publicly readable directory | ||
| 41 | + * --rdancer 2009-01-11 | ||
| 42 | + */ | ||
| 43 | + /* | ||
| 44 | old_umask = umask(0); | ||
| 45 | + */ | ||
| 46 | # ifdef HAVE_LSTAT | ||
| 47 | if (exists) | ||
| 48 | - { | ||
| 49 | - if ((fd = open(fn, O_WRONLY, 0666)) >= 0) | ||
| 50 | - { | ||
| 51 | - if (fstat(fd, &stb2) == 0 && stb.st_dev == stb2.st_dev && stb.st_ino == stb2.st_ino) | ||
| 52 | - ftruncate(fd, 0); | ||
| 53 | - else | ||
| 54 | - { | ||
| 55 | - close(fd); | ||
| 56 | - fd = -1; | ||
| 57 | - } | ||
| 58 | - } | ||
| 59 | - } | ||
| 60 | - else | ||
| 61 | - fd = open(fn, O_WRONLY|O_CREAT|O_EXCL, 0666); | ||
| 62 | - f = fd >= 0 ? fdopen(fd, mode) : 0; | ||
| 63 | + if (remove(fn) == -1) | ||
| 64 | + { | ||
| 65 | + /* Error */ | ||
| 66 | + debug2("WriteFile: File exists and remove(%s) failed: %s\n", | ||
| 67 | + fn, strerror(errno)); | ||
| 68 | + UserReturn(0); | ||
| 69 | + } | ||
| 70 | # else | ||
| 71 | - f = fopen(fn, mode); | ||
| 72 | + (void) remove(fn); | ||
| 73 | # endif | ||
| 74 | + /* | ||
| 75 | + * No r/w permissions for anybody but the user, as the file may be in | ||
| 76 | + * a public directory -- if the user chooses, they can chmod the file | ||
| 77 | + * afterwards. --rdancer 2008-01-11 | ||
| 78 | + */ | ||
| 79 | + fd = open(fn, O_WRONLY|O_CREAT|O_EXCL, 0600); | ||
| 80 | + f = fd >= 0 ? fdopen(fd, mode) : 0; | ||
| 81 | + /* | ||
| 82 | umask(old_umask); | ||
| 83 | + */ | ||
| 84 | } | ||
| 85 | else | ||
| 86 | #endif /* COPY_PASTE */ | ||