inetutils: fix CVE-2023-40303

GNU inetutils through 2.4 may allow privilege escalation because of unchecked return values of set*id() family functions in ftpd, rcp, rlogin, rsh, rshd, and uucpd. This is, for example, relevant if the setuid system call fails when a process is trying to drop privileges before letting an ordinary user control the activities of the process. Refernces: https://nvd.nist.gov/vuln/detail/CVE-2023-40303 (From OE-Core rev: b8e2dad0650b8a80e3d85e6d87fda1a0e2fb195f) Signed-off-by: Yogita Urade <yogita.urade@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Yogita Urade <yogita.urade@windriver.com> 2023-08-29 14:24:40 +0000
committer: Steve Sakoman <steve@sakoman.com> 2023-09-04 04:13:24 -1000
commit: cccf6723f3188ebe1da2a85c14f63e8a9a33e776 (patch)
tree: cd9228a79477e3a1e254c9952b1d4e484b29aeef
parent: 2f5d4fa3495bea5ed0a4232b14cdeba39f27b75e (diff)
download: poky-cccf6723f3188ebe1da2a85c14f63e8a9a33e776.tar.gz
3 files changed, 544 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/inetutils/inetutils/0001-CVE-2023-40303-ftpd-rcp-rlogin-rsh-rshd-uucpd-fix-ch.patch b/meta/recipes-connectivity/inetutils/inetutils/0001-CVE-2023-40303-ftpd-rcp-rlogin-rsh-rshd-uucpd-fix-ch.patch
new file mode 100644
index 0000000000..04fd9b1f85
--- /dev/null
+++ b/meta/recipes-connectivity/inetutils/inetutils/0001-CVE-2023-40303-ftpd-rcp-rlogin-rsh-rshd-uucpd-fix-ch.patch
@@ -0,0 +1,284 @@
+From e4e65c03f4c11292a3e40ef72ca3f194c8bffdd6 Mon Sep 17 00:00:00 2001
+From: Jeffrey Bencteux <jeffbencteux@gmail.com>
+Date: Mon, 28 Aug 2023 15:35:19 +0000
+Subject: [PATCH] CVE-2023-40303: ftpd,rcp,rlogin,rsh,rshd,uucpd: fix: check
+set*id() return values
+Several setuid(), setgid(), seteuid() and setguid() return values
+were not checked in ftpd/rcp/rlogin/rsh/rshd/uucpd code potentially
+leading to potential security issues.
+Signed-off-by: Jeffrey Bencteux <jeffbencteux@gmail.com>
+Signed-off-by: Simon Josefsson <simon@josefsson.org>
+CVE: CVE-2023-40303
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=e4e65c03f4c11292a3e40ef72ca3f194c8bffdd6]
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ ftpd/ftpd.c  | 10 +++++++---
+ src/rcp.c    | 39 +++++++++++++++++++++++++++++++++------
+ src/rlogin.c | 11 +++++++++--
+ src/rsh.c    | 25 +++++++++++++++++++++----
+ src/rshd.c   | 20 +++++++++++++++++---
+ src/uucpd.c  | 15 +++++++++++++--
+ 6 files changed, 100 insertions(+), 20 deletions(-)
+diff --git a/ftpd/ftpd.c b/ftpd/ftpd.c
+index 92b2cca..009f3f1 100644
+--- a/ftpd/ftpd.c
+++ b/ftpd/ftpd.c
+@@ -862,7 +862,9 @@ end_login (struct credentials *pcred)
+   char *remotehost = pcred->remotehost;
+   int atype = pcred->auth_type;
+-  seteuid ((uid_t) 0);
+  if (seteuid ((uid_t) 0) == -1)
+    _exit (EXIT_FAILURE);
+
+   if (pcred->logged_in)
+     {
+       logwtmp_keep_open (ttyline, "", "");
+@@ -1151,7 +1153,8 @@ getdatasock (const char *mode)
+   if (data >= 0)
+     return fdopen (data, mode);
+-  seteuid ((uid_t) 0);
+  if (seteuid ((uid_t) 0) == -1)
+    _exit (EXIT_FAILURE);
+   s = socket (ctrl_addr.ss_family, SOCK_STREAM, 0);
+   if (s < 0)
+     goto bad;
+@@ -1978,7 +1981,8 @@ passive (int epsv, int af)
+   else /* !AF_INET6 */
+     ((struct sockaddr_in *) &pasv_addr)->sin_port = 0;
+-  seteuid ((uid_t) 0);
+  if (seteuid ((uid_t) 0) == -1)
+    _exit (EXIT_FAILURE);
+   if (bind (pdata, (struct sockaddr *) &pasv_addr, pasv_addrlen) < 0)
+     {
+       if (seteuid ((uid_t) cred.uid))
+diff --git a/src/rcp.c b/src/rcp.c
+index 75adb25..f913256 100644
+--- a/src/rcp.c
+++ b/src/rcp.c
+@@ -345,14 +345,23 @@ main (int argc, char *argv[])
+   if (from_option)
+     {                          /* Follow "protocol", send data. */
+       response ();
+-      setuid (userid);
+
+      if (setuid (userid) == -1)
+      {
+       error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)");
+      }
+
+       source (argc, argv);
+       exit (errs);
+     }
+   if (to_option)
+     {                          /* Receive data. */
+-      setuid (userid);
+      if (setuid (userid) == -1)
+      {
+       error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)");
+      }
+
+       sink (argc, argv);
+       exit (errs);
+     }
+@@ -537,7 +546,11 @@ toremote (char *targ, int argc, char *argv[])
+              if (response () < 0)
+                exit (EXIT_FAILURE);
+              free (bp);
+-             setuid (userid);
+
+             if (setuid (userid) == -1)
+             {
+               error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)");
+             }
+            }
+          source (1, argv + i);
+          close (rem);
+@@ -630,7 +643,12 @@ tolocal (int argc, char *argv[])
+          ++errs;
+          continue;
+        }
+-      seteuid (userid);
+
+      if (seteuid (userid) == -1)
+      {
+       error (EXIT_FAILURE, 0, "Could not drop privileges (seteuid() failed)");
+      }
+
+ #if defined IP_TOS && defined IPPROTO_IP && defined IPTOS_THROUGHPUT
+       sslen = sizeof (ss);
+       (void) getpeername (rem, (struct sockaddr *) &ss, &sslen);
+@@ -643,7 +661,12 @@ tolocal (int argc, char *argv[])
+ #endif
+       vect[0] = target;
+       sink (1, vect);
+-      seteuid (effuid);
+
+      if (seteuid (effuid) == -1)
+      {
+             error (EXIT_FAILURE, 0, "Could not drop privileges (seteuid() failed)");
+      }
+
+       close (rem);
+       rem = -1;
+ #ifdef SHISHI
+@@ -1441,7 +1464,11 @@ susystem (char *s, int userid)
+       return (127);
+     case 0:
+-      setuid (userid);
+      if (setuid (userid) == -1)
+      {
+       error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)");
+      }
+
+       execl (PATH_BSHELL, "sh", "-c", s, NULL);
+       _exit (127);
+     }
+diff --git a/src/rlogin.c b/src/rlogin.c
+index aa6426f..9bf9645 100644
+--- a/src/rlogin.c
+++ b/src/rlogin.c
+@@ -647,8 +647,15 @@ try_connect:
+   /* Now change to the real user ID.  We have to be set-user-ID root
+      to get the privileged port that rcmd () uses.  We now want, however,
+      to run as the real user who invoked us.  */
+-  seteuid (uid);
+-  setuid (uid);
+  if (seteuid (uid) == -1)
+  {
+   error (EXIT_FAILURE, 0, "Could not drop privileges (seteuid() failed)");
+  }
+
+  if (setuid (uid) == -1)
+  {
+   error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)");
+  }
+   doit (&osmask);      /* The old mask will activate SIGURG and SIGUSR1!  */
+diff --git a/src/rsh.c b/src/rsh.c
+index 2d622ca..7b9cf22 100644
+--- a/src/rsh.c
+++ b/src/rsh.c
+@@ -276,8 +276,17 @@ main (int argc, char **argv)
+     {
+       if (asrsh)
+        *argv = (char *) "rlogin";
+-      seteuid (getuid ());
+-      setuid (getuid ());
+
+      if (seteuid (getuid ()) == -1)
+      {
+        error (EXIT_FAILURE, errno, "seteuid() failed");
+      }
+
+      if (setuid (getuid ()) == -1)
+      {
+       error (EXIT_FAILURE, errno, "setuid() failed");
+      }
+
+       execv (PATH_RLOGIN, argv);
+       error (EXIT_FAILURE, errno, "cannot execute %s", PATH_RLOGIN);
+     }
+@@ -541,8 +550,16 @@ try_connect:
+        error (0, errno, "setsockopt DEBUG (ignored)");
+     }
+-  seteuid (uid);
+-  setuid (uid);
+  if (seteuid (uid) == -1)
+  {
+    error (EXIT_FAILURE, errno, "seteuid() failed");
+  }
+
+  if (setuid (uid) == -1)
+  {
+    error (EXIT_FAILURE, errno, "setuid() failed");
+  }
+
+ #ifdef HAVE_SIGACTION
+   sigemptyset (&sigs);
+   sigaddset (&sigs, SIGINT);
+diff --git a/src/rshd.c b/src/rshd.c
+index d1c0d0c..19d9a60 100644
+--- a/src/rshd.c
+++ b/src/rshd.c
+@@ -1847,8 +1847,18 @@ doit (int sockfd, struct sockaddr *fromp, socklen_t fromlen)
+     pwd->pw_shell = PATH_BSHELL;
+   /* Set the gid, then uid to become the user specified by "locuser" */
+-  setegid ((gid_t) pwd->pw_gid);
+-  setgid ((gid_t) pwd->pw_gid);
+  if (setegid ((gid_t) pwd->pw_gid) == -1)
+  {
+    rshd_error ("Cannot drop privileges (setegid() failed)\n");
+    exit (EXIT_FAILURE);
+  }
+
+  if (setgid ((gid_t) pwd->pw_gid) == -1)
+  {
+    rshd_error ("Cannot drop privileges (setgid() failed)\n");
+    exit (EXIT_FAILURE);
+  }
+
+ #ifdef HAVE_INITGROUPS
+   initgroups (pwd->pw_name, pwd->pw_gid);      /* BSD groups */
+ #endif
+@@ -1870,7 +1880,11 @@ doit (int sockfd, struct sockaddr *fromp, socklen_t fromlen)
+     }
+ #endif /* WITH_PAM */
+-  setuid ((uid_t) pwd->pw_uid);
+  if (setuid ((uid_t) pwd->pw_uid) == -1)
+  {
+    rshd_error ("Cannot drop privileges (setuid() failed)\n");
+    exit (EXIT_FAILURE);
+  }
+   /* We'll execute the client's command in the home directory
+    * of locuser. Note, that the chdir must be executed after
+diff --git a/src/uucpd.c b/src/uucpd.c
+index 107589e..34be165 100644
+--- a/src/uucpd.c
+++ b/src/uucpd.c
+@@ -252,7 +252,12 @@ doit (struct sockaddr *sap, socklen_t salen)
+   snprintf (Username, sizeof (Username), "USER=%s", user);
+   snprintf (Logname, sizeof (Logname), "LOGNAME=%s", user);
+   dologin (pw, sap, salen);
+-  setgid (pw->pw_gid);
+
+  if (setgid (pw->pw_gid) == -1)
+  {
+    fprintf (stderr, "setgid() failed");
+    return;
+  }
+ #ifdef HAVE_INITGROUPS
+   initgroups (pw->pw_name, pw->pw_gid);
+ #endif
+@@ -261,7 +266,13 @@ doit (struct sockaddr *sap, socklen_t salen)
+       fprintf (stderr, "Login incorrect.");
+       return;
+     }
+-  setuid (pw->pw_uid);
+
+  if (setuid (pw->pw_uid) == -1)
+  {
+    fprintf (stderr, "setuid() failed");
+    return;
+  }
+
+   execl (uucico_location, "uucico", NULL);
+   perror ("uucico server: execl");
+ }
+--
+2.40.0
diff --git a/meta/recipes-connectivity/inetutils/inetutils/0002-CVE-2023-40303-Indent-changes-in-previous-commit.patch b/meta/recipes-connectivity/inetutils/inetutils/0002-CVE-2023-40303-Indent-changes-in-previous-commit.patch
new file mode 100644
index 0000000000..f4252b5f34
--- /dev/null
+++ b/meta/recipes-connectivity/inetutils/inetutils/0002-CVE-2023-40303-Indent-changes-in-previous-commit.patch
@@ -0,0 +1,258 @@
+From 9122999252c7e21eb7774de11d539748e7bdf46d Mon Sep 17 00:00:00 2001
+From: Simon Josefsson <simon@josefsson.org>
+Date: Tue, 29 Aug 2023 06:42:11 +0000
+Subject: [PATCH] CVE-2023-40303: Indent changes in previous commit.
+CVE: CVE-2023-40303
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=9122999252c7e21eb7774de11d539748e7bdf46d]
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ src/rcp.c    | 42 ++++++++++++++++++++++++------------------
+ src/rlogin.c | 12 ++++++------
+ src/rsh.c    | 26 +++++++++++++-------------
+ src/rshd.c   | 24 ++++++++++++------------
+ src/uucpd.c  | 16 ++++++++--------
+ 5 files changed, 63 insertions(+), 57 deletions(-)
+diff --git a/src/rcp.c b/src/rcp.c
+index 7018e35..e504f8a 100644
+--- a/src/rcp.c
+++ b/src/rcp.c
+@@ -347,9 +347,10 @@ main (int argc, char *argv[])
+       response ();
+       if (setuid (userid) == -1)
+-      {
+-       error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)");
+-      }
+       {
+         error (EXIT_FAILURE, 0,
+                "Could not drop privileges (setuid() failed)");
+       }
+       source (argc, argv);
+       exit (errs);
+@@ -358,9 +359,10 @@ main (int argc, char *argv[])
+   if (to_option)
+     {                          /* Receive data. */
+       if (setuid (userid) == -1)
+-      {
+-       error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)");
+-      }
+       {
+         error (EXIT_FAILURE, 0,
+                "Could not drop privileges (setuid() failed)");
+       }
+       sink (argc, argv);
+       exit (errs);
+@@ -548,9 +550,10 @@ toremote (char *targ, int argc, char *argv[])
+              free (bp);
+              if (setuid (userid) == -1)
+-             {
+-               error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)");
+-             }
+               {
+                 error (EXIT_FAILURE, 0,
+                        "Could not drop privileges (setuid() failed)");
+               }
+            }
+          source (1, argv + i);
+          close (rem);
+@@ -645,9 +648,10 @@ tolocal (int argc, char *argv[])
+        }
+       if (seteuid (userid) == -1)
+-      {
+-       error (EXIT_FAILURE, 0, "Could not drop privileges (seteuid() failed)");
+-      }
+       {
+         error (EXIT_FAILURE, 0,
+                "Could not drop privileges (seteuid() failed)");
+       }
+ #if defined IP_TOS && defined IPPROTO_IP && defined IPTOS_THROUGHPUT
+       sslen = sizeof (ss);
+@@ -663,9 +667,10 @@ tolocal (int argc, char *argv[])
+       sink (1, vect);
+       if (seteuid (effuid) == -1)
+-      {
+-             error (EXIT_FAILURE, 0, "Could not drop privileges (seteuid() failed)");
+-      }
+       {
+         error (EXIT_FAILURE, 0,
+                "Could not drop privileges (seteuid() failed)");
+       }
+       close (rem);
+       rem = -1;
+@@ -1465,9 +1470,10 @@ susystem (char *s, int userid)
+     case 0:
+       if (setuid (userid) == -1)
+-      {
+-       error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)");
+-      }
+       {
+         error (EXIT_FAILURE, 0,
+                "Could not drop privileges (setuid() failed)");
+       }
+       execl (PATH_BSHELL, "sh", "-c", s, NULL);
+       _exit (127);
+diff --git a/src/rlogin.c b/src/rlogin.c
+index 9bf9645..a0c1237 100644
+--- a/src/rlogin.c
+++ b/src/rlogin.c
+@@ -648,14 +648,14 @@ try_connect:
+      to get the privileged port that rcmd () uses.  We now want, however,
+      to run as the real user who invoked us.  */
+   if (seteuid (uid) == -1)
+-  {
+-   error (EXIT_FAILURE, 0, "Could not drop privileges (seteuid() failed)");
+-  }
+    {
+      error (EXIT_FAILURE, 0, "Could not drop privileges (seteuid() failed)");
+    }
+   if (setuid (uid) == -1)
+-  {
+-   error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)");
+-  }
+    {
+      error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)");
+    }
+   doit (&osmask);      /* The old mask will activate SIGURG and SIGUSR1!  */
+diff --git a/src/rsh.c b/src/rsh.c
+index 7b9cf22..c8f50d3 100644
+--- a/src/rsh.c
+++ b/src/rsh.c
+@@ -278,14 +278,14 @@ main (int argc, char **argv)
+        *argv = (char *) "rlogin";
+       if (seteuid (getuid ()) == -1)
+-      {
+-        error (EXIT_FAILURE, errno, "seteuid() failed");
+-      }
+-
+       {
+         error (EXIT_FAILURE, errno, "seteuid() failed");
+       }
+
+       if (setuid (getuid ()) == -1)
+-      {
+-       error (EXIT_FAILURE, errno, "setuid() failed");
+-      }
+       {
+         error (EXIT_FAILURE, errno, "setuid() failed");
+       }
+       execv (PATH_RLOGIN, argv);
+       error (EXIT_FAILURE, errno, "cannot execute %s", PATH_RLOGIN);
+@@ -551,14 +551,14 @@ try_connect:
+     }
+   if (seteuid (uid) == -1)
+-  {
+-    error (EXIT_FAILURE, errno, "seteuid() failed");
+-  }
+    {
+      error (EXIT_FAILURE, errno, "seteuid() failed");
+    }
+   if (setuid (uid) == -1)
+-  {
+-    error (EXIT_FAILURE, errno, "setuid() failed");
+-  }
+    {
+      error (EXIT_FAILURE, errno, "setuid() failed");
+    }
+ #ifdef HAVE_SIGACTION
+   sigemptyset (&sigs);
+diff --git a/src/rshd.c b/src/rshd.c
+index 707790e..df43edf 100644
+--- a/src/rshd.c
+++ b/src/rshd.c
+@@ -1848,16 +1848,16 @@ doit (int sockfd, struct sockaddr *fromp, socklen_t fromlen)
+   /* Set the gid, then uid to become the user specified by "locuser" */
+   if (setegid ((gid_t) pwd->pw_gid) == -1)
+-  {
+-    rshd_error ("Cannot drop privileges (setegid() failed)\n");
+-    exit (EXIT_FAILURE);
+-  }
+    {
+      rshd_error ("Cannot drop privileges (setegid() failed)\n");
+      exit (EXIT_FAILURE);
+    }
+   if (setgid ((gid_t) pwd->pw_gid) == -1)
+-  {
+-    rshd_error ("Cannot drop privileges (setgid() failed)\n");
+-    exit (EXIT_FAILURE);
+-  }
+    {
+      rshd_error ("Cannot drop privileges (setgid() failed)\n");
+      exit (EXIT_FAILURE);
+    }
+ #ifdef HAVE_INITGROUPS
+   initgroups (pwd->pw_name, pwd->pw_gid);      /* BSD groups */
+@@ -1881,10 +1881,10 @@ doit (int sockfd, struct sockaddr *fromp, socklen_t fromlen)
+ #endif /* WITH_PAM */
+   if (setuid ((uid_t) pwd->pw_uid) == -1)
+-  {
+-    rshd_error ("Cannot drop privileges (setuid() failed)\n");
+-    exit (EXIT_FAILURE);
+-  }
+    {
+      rshd_error ("Cannot drop privileges (setuid() failed)\n");
+      exit (EXIT_FAILURE);
+    }
+   /* We'll execute the client's command in the home directory
+    * of locuser. Note, that the chdir must be executed after
+diff --git a/src/uucpd.c b/src/uucpd.c
+index 29cfce3..afe24f3 100644
+--- a/src/uucpd.c
+++ b/src/uucpd.c
+@@ -254,10 +254,10 @@ doit (struct sockaddr *sap, socklen_t salen)
+   dologin (pw, sap, salen);
+   if (setgid (pw->pw_gid) == -1)
+-  {
+-    fprintf (stderr, "setgid() failed");
+-    return;
+-  }
+    {
+      fprintf (stderr, "setgid() failed");
+      return;
+    }
+ #ifdef HAVE_INITGROUPS
+   initgroups (pw->pw_name, pw->pw_gid);
+ #endif
+@@ -268,10 +268,10 @@ doit (struct sockaddr *sap, socklen_t salen)
+     }
+   if (setuid (pw->pw_uid) == -1)
+-  {
+-    fprintf (stderr, "setuid() failed");
+-    return;
+-  }
+    {
+      fprintf (stderr, "setuid() failed");
+      return;
+    }
+   execl (uucico_location, "uucico", NULL);
+   perror ("uucico server: execl");
+--
+2.40.0
diff --git a/meta/recipes-connectivity/inetutils/inetutils_2.4.bb b/meta/recipes-connectivity/inetutils/inetutils_2.4.bb
index 6519331141..032c0d6b24 100644
--- a/meta/recipes-connectivity/inetutils/inetutils_2.4.bb
+++ b/meta/recipes-connectivity/inetutils/inetutils_2.4.bb
@@ -21,6 +21,8 @@ SRC_URI = "${GNU_MIRROR}/inetutils/inetutils-${PV}.tar.xz \
           file://tftpd.xinetd.inetutils \
           file://inetutils-1.9-PATH_PROCNET_DEV.patch \
           file://inetutils-only-check-pam_appl.h-when-pam-enabled.patch \
+           file://0001-CVE-2023-40303-ftpd-rcp-rlogin-rsh-rshd-uucpd-fix-ch.patch \
+           file://0002-CVE-2023-40303-Indent-changes-in-previous-commit.patch \
 "
 inherit autotools gettext update-alternatives texinfo
author	Yogita Urade <yogita.urade@windriver.com>	2023-08-29 14:24:40 +0000
committer	Steve Sakoman <steve@sakoman.com>	2023-09-04 04:13:24 -1000
commit	cccf6723f3188ebe1da2a85c14f63e8a9a33e776 (patch)
tree	cd9228a79477e3a1e254c9952b1d4e484b29aeef
parent	2f5d4fa3495bea5ed0a4232b14cdeba39f27b75e (diff)
download	poky-cccf6723f3188ebe1da2a85c14f63e8a9a33e776.tar.gz

diff --git a/meta/recipes-connectivity/inetutils/inetutils/0001-CVE-2023-40303-ftpd-rcp-rlogin-rsh-rshd-uucpd-fix-ch.patch b/meta/recipes-connectivity/inetutils/inetutils/0001-CVE-2023-40303-ftpd-rcp-rlogin-rsh-rshd-uucpd-fix-ch.patch new file mode 100644 index 0000000000..04fd9b1f85 --- /dev/null +++ b/meta/recipes-connectivity/inetutils/inetutils/0001-CVE-2023-40303-ftpd-rcp-rlogin-rsh-rshd-uucpd-fix-ch.patch
@@ -0,0 +1,284 @@
		1	From e4e65c03f4c11292a3e40ef72ca3f194c8bffdd6 Mon Sep 17 00:00:00 2001
		2	From: Jeffrey Bencteux <jeffbencteux@gmail.com>
		3	Date: Mon, 28 Aug 2023 15:35:19 +0000
		4	Subject: [PATCH] CVE-2023-40303: ftpd,rcp,rlogin,rsh,rshd,uucpd: fix: check
		5	set*id() return values
		6
		7	Several setuid(), setgid(), seteuid() and setguid() return values
		8	were not checked in ftpd/rcp/rlogin/rsh/rshd/uucpd code potentially
		9	leading to potential security issues.
		10
		11	Signed-off-by: Jeffrey Bencteux <jeffbencteux@gmail.com>
		12	Signed-off-by: Simon Josefsson <simon@josefsson.org>
		13
		14	CVE: CVE-2023-40303
		15
		16	Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=e4e65c03f4c11292a3e40ef72ca3f194c8bffdd6]
		17
		18	Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
		19	---
		20	ftpd/ftpd.c \| 10 +++++++---
		21	src/rcp.c \| 39 +++++++++++++++++++++++++++++++++------
		22	src/rlogin.c \| 11 +++++++++--
		23	src/rsh.c \| 25 +++++++++++++++++++++----
		24	src/rshd.c \| 20 +++++++++++++++++---
		25	src/uucpd.c \| 15 +++++++++++++--
		26	6 files changed, 100 insertions(+), 20 deletions(-)
		27
		28	diff --git a/ftpd/ftpd.c b/ftpd/ftpd.c
		29	index 92b2cca..009f3f1 100644
		30	--- a/ftpd/ftpd.c
		31	+++ b/ftpd/ftpd.c
		32	@@ -862,7 +862,9 @@ end_login (struct credentials *pcred)
		33	char *remotehost = pcred->remotehost;
		34	int atype = pcred->auth_type;
		35
		36	- seteuid ((uid_t) 0);
		37	+ if (seteuid ((uid_t) 0) == -1)
		38	+ _exit (EXIT_FAILURE);
		39	+
		40	if (pcred->logged_in)
		41	{
		42	logwtmp_keep_open (ttyline, "", "");
		43	@@ -1151,7 +1153,8 @@ getdatasock (const char *mode)
		44
		45	if (data >= 0)
		46	return fdopen (data, mode);
		47	- seteuid ((uid_t) 0);
		48	+ if (seteuid ((uid_t) 0) == -1)
		49	+ _exit (EXIT_FAILURE);
		50	s = socket (ctrl_addr.ss_family, SOCK_STREAM, 0);
		51	if (s < 0)
		52	goto bad;
		53	@@ -1978,7 +1981,8 @@ passive (int epsv, int af)
		54	else /* !AF_INET6 */
		55	((struct sockaddr_in *) &pasv_addr)->sin_port = 0;
		56
		57	- seteuid ((uid_t) 0);
		58	+ if (seteuid ((uid_t) 0) == -1)
		59	+ _exit (EXIT_FAILURE);
		60	if (bind (pdata, (struct sockaddr *) &pasv_addr, pasv_addrlen) < 0)
		61	{
		62	if (seteuid ((uid_t) cred.uid))
		63	diff --git a/src/rcp.c b/src/rcp.c
		64	index 75adb25..f913256 100644
		65	--- a/src/rcp.c
		66	+++ b/src/rcp.c
		67	@@ -345,14 +345,23 @@ main (int argc, char *argv[])
		68	if (from_option)
		69	{ /* Follow "protocol", send data. */
		70	response ();
		71	- setuid (userid);
		72	+
		73	+ if (setuid (userid) == -1)
		74	+ {
		75	+ error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)");
		76	+ }
		77	+
		78	source (argc, argv);
		79	exit (errs);
		80	}
		81
		82	if (to_option)
		83	{ /* Receive data. */
		84	- setuid (userid);
		85	+ if (setuid (userid) == -1)
		86	+ {
		87	+ error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)");
		88	+ }
		89	+
		90	sink (argc, argv);
		91	exit (errs);
		92	}
		93	@@ -537,7 +546,11 @@ toremote (char targ, int argc, char argv[])
		94	if (response () < 0)
		95	exit (EXIT_FAILURE);
		96	free (bp);
		97	- setuid (userid);
		98	+
		99	+ if (setuid (userid) == -1)
		100	+ {
		101	+ error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)");
		102	+ }
		103	}
		104	source (1, argv + i);
		105	close (rem);
		106	@@ -630,7 +643,12 @@ tolocal (int argc, char *argv[])
		107	++errs;
		108	continue;
		109	}
		110	- seteuid (userid);
		111	+
		112	+ if (seteuid (userid) == -1)
		113	+ {
		114	+ error (EXIT_FAILURE, 0, "Could not drop privileges (seteuid() failed)");
		115	+ }
		116	+
		117	#if defined IP_TOS && defined IPPROTO_IP && defined IPTOS_THROUGHPUT
		118	sslen = sizeof (ss);
		119	(void) getpeername (rem, (struct sockaddr *) &ss, &sslen);
		120	@@ -643,7 +661,12 @@ tolocal (int argc, char *argv[])
		121	#endif
		122	vect[0] = target;
		123	sink (1, vect);
		124	- seteuid (effuid);
		125	+
		126	+ if (seteuid (effuid) == -1)
		127	+ {
		128	+ error (EXIT_FAILURE, 0, "Could not drop privileges (seteuid() failed)");
		129	+ }
		130	+
		131	close (rem);
		132	rem = -1;
		133	#ifdef SHISHI
		134	@@ -1441,7 +1464,11 @@ susystem (char *s, int userid)
		135	return (127);
		136
		137	case 0:
		138	- setuid (userid);
		139	+ if (setuid (userid) == -1)
		140	+ {
		141	+ error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)");
		142	+ }
		143	+
		144	execl (PATH_BSHELL, "sh", "-c", s, NULL);
		145	_exit (127);
		146	}
		147	diff --git a/src/rlogin.c b/src/rlogin.c
		148	index aa6426f..9bf9645 100644
		149	--- a/src/rlogin.c
		150	+++ b/src/rlogin.c
		151	@@ -647,8 +647,15 @@ try_connect:
		152	/* Now change to the real user ID. We have to be set-user-ID root
		153	to get the privileged port that rcmd () uses. We now want, however,
		154	to run as the real user who invoked us. */
		155	- seteuid (uid);
		156	- setuid (uid);
		157	+ if (seteuid (uid) == -1)
		158	+ {
		159	+ error (EXIT_FAILURE, 0, "Could not drop privileges (seteuid() failed)");
		160	+ }
		161	+
		162	+ if (setuid (uid) == -1)
		163	+ {
		164	+ error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)");
		165	+ }
		166
		167	doit (&osmask); /* The old mask will activate SIGURG and SIGUSR1! */
		168
		169	diff --git a/src/rsh.c b/src/rsh.c
		170	index 2d622ca..7b9cf22 100644
		171	--- a/src/rsh.c
		172	+++ b/src/rsh.c
		173	@@ -276,8 +276,17 @@ main (int argc, char **argv)
		174	{
		175	if (asrsh)
		176	argv = (char ) "rlogin";
		177	- seteuid (getuid ());
		178	- setuid (getuid ());
		179	+
		180	+ if (seteuid (getuid ()) == -1)
		181	+ {
		182	+ error (EXIT_FAILURE, errno, "seteuid() failed");
		183	+ }
		184	+
		185	+ if (setuid (getuid ()) == -1)
		186	+ {
		187	+ error (EXIT_FAILURE, errno, "setuid() failed");
		188	+ }
		189	+
		190	execv (PATH_RLOGIN, argv);
		191	error (EXIT_FAILURE, errno, "cannot execute %s", PATH_RLOGIN);
		192	}
		193	@@ -541,8 +550,16 @@ try_connect:
		194	error (0, errno, "setsockopt DEBUG (ignored)");
		195	}
		196
		197	- seteuid (uid);
		198	- setuid (uid);
		199	+ if (seteuid (uid) == -1)
		200	+ {
		201	+ error (EXIT_FAILURE, errno, "seteuid() failed");
		202	+ }
		203	+
		204	+ if (setuid (uid) == -1)
		205	+ {
		206	+ error (EXIT_FAILURE, errno, "setuid() failed");
		207	+ }
		208	+
		209	#ifdef HAVE_SIGACTION
		210	sigemptyset (&sigs);
		211	sigaddset (&sigs, SIGINT);
		212	diff --git a/src/rshd.c b/src/rshd.c
		213	index d1c0d0c..19d9a60 100644
		214	--- a/src/rshd.c
		215	+++ b/src/rshd.c
		216	@@ -1847,8 +1847,18 @@ doit (int sockfd, struct sockaddr *fromp, socklen_t fromlen)
		217	pwd->pw_shell = PATH_BSHELL;
		218
		219	/* Set the gid, then uid to become the user specified by "locuser" */
		220	- setegid ((gid_t) pwd->pw_gid);
		221	- setgid ((gid_t) pwd->pw_gid);
		222	+ if (setegid ((gid_t) pwd->pw_gid) == -1)
		223	+ {
		224	+ rshd_error ("Cannot drop privileges (setegid() failed)\n");
		225	+ exit (EXIT_FAILURE);
		226	+ }
		227	+
		228	+ if (setgid ((gid_t) pwd->pw_gid) == -1)
		229	+ {
		230	+ rshd_error ("Cannot drop privileges (setgid() failed)\n");
		231	+ exit (EXIT_FAILURE);
		232	+ }
		233	+
		234	#ifdef HAVE_INITGROUPS
		235	initgroups (pwd->pw_name, pwd->pw_gid); /* BSD groups */
		236	#endif
		237	@@ -1870,7 +1880,11 @@ doit (int sockfd, struct sockaddr *fromp, socklen_t fromlen)
		238	}
		239	#endif /* WITH_PAM */
		240
		241	- setuid ((uid_t) pwd->pw_uid);
		242	+ if (setuid ((uid_t) pwd->pw_uid) == -1)
		243	+ {
		244	+ rshd_error ("Cannot drop privileges (setuid() failed)\n");
		245	+ exit (EXIT_FAILURE);
		246	+ }
		247
		248	/* We'll execute the client's command in the home directory
		249	* of locuser. Note, that the chdir must be executed after
		250	diff --git a/src/uucpd.c b/src/uucpd.c
		251	index 107589e..34be165 100644
		252	--- a/src/uucpd.c
		253	+++ b/src/uucpd.c
		254	@@ -252,7 +252,12 @@ doit (struct sockaddr *sap, socklen_t salen)
		255	snprintf (Username, sizeof (Username), "USER=%s", user);
		256	snprintf (Logname, sizeof (Logname), "LOGNAME=%s", user);
		257	dologin (pw, sap, salen);
		258	- setgid (pw->pw_gid);
		259	+
		260	+ if (setgid (pw->pw_gid) == -1)
		261	+ {
		262	+ fprintf (stderr, "setgid() failed");
		263	+ return;
		264	+ }
		265	#ifdef HAVE_INITGROUPS
		266	initgroups (pw->pw_name, pw->pw_gid);
		267	#endif
		268	@@ -261,7 +266,13 @@ doit (struct sockaddr *sap, socklen_t salen)
		269	fprintf (stderr, "Login incorrect.");
		270	return;
		271	}
		272	- setuid (pw->pw_uid);
		273	+
		274	+ if (setuid (pw->pw_uid) == -1)
		275	+ {
		276	+ fprintf (stderr, "setuid() failed");
		277	+ return;
		278	+ }
		279	+
		280	execl (uucico_location, "uucico", NULL);
		281	perror ("uucico server: execl");
		282	}
		283	--
		284	2.40.0


diff --git a/meta/recipes-connectivity/inetutils/inetutils/0002-CVE-2023-40303-Indent-changes-in-previous-commit.patch b/meta/recipes-connectivity/inetutils/inetutils/0002-CVE-2023-40303-Indent-changes-in-previous-commit.patch new file mode 100644 index 0000000000..f4252b5f34 --- /dev/null +++ b/meta/recipes-connectivity/inetutils/inetutils/0002-CVE-2023-40303-Indent-changes-in-previous-commit.patch
@@ -0,0 +1,258 @@
		1	From 9122999252c7e21eb7774de11d539748e7bdf46d Mon Sep 17 00:00:00 2001
		2	From: Simon Josefsson <simon@josefsson.org>
		3	Date: Tue, 29 Aug 2023 06:42:11 +0000
		4	Subject: [PATCH] CVE-2023-40303: Indent changes in previous commit.
		5
		6	CVE: CVE-2023-40303
		7
		8	Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=9122999252c7e21eb7774de11d539748e7bdf46d]
		9
		10	Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
		11	---
		12	src/rcp.c \| 42 ++++++++++++++++++++++++------------------
		13	src/rlogin.c \| 12 ++++++------
		14	src/rsh.c \| 26 +++++++++++++-------------
		15	src/rshd.c \| 24 ++++++++++++------------
		16	src/uucpd.c \| 16 ++++++++--------
		17	5 files changed, 63 insertions(+), 57 deletions(-)
		18
		19	diff --git a/src/rcp.c b/src/rcp.c
		20	index 7018e35..e504f8a 100644
		21	--- a/src/rcp.c
		22	+++ b/src/rcp.c
		23	@@ -347,9 +347,10 @@ main (int argc, char *argv[])
		24	response ();
		25
		26	if (setuid (userid) == -1)
		27	- {
		28	- error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)");
		29	- }
		30	+ {
		31	+ error (EXIT_FAILURE, 0,
		32	+ "Could not drop privileges (setuid() failed)");
		33	+ }
		34
		35	source (argc, argv);
		36	exit (errs);
		37	@@ -358,9 +359,10 @@ main (int argc, char *argv[])
		38	if (to_option)
		39	{ /* Receive data. */
		40	if (setuid (userid) == -1)
		41	- {
		42	- error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)");
		43	- }
		44	+ {
		45	+ error (EXIT_FAILURE, 0,
		46	+ "Could not drop privileges (setuid() failed)");
		47	+ }
		48
		49	sink (argc, argv);
		50	exit (errs);
		51	@@ -548,9 +550,10 @@ toremote (char targ, int argc, char argv[])
		52	free (bp);
		53
		54	if (setuid (userid) == -1)
		55	- {
		56	- error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)");
		57	- }
		58	+ {
		59	+ error (EXIT_FAILURE, 0,
		60	+ "Could not drop privileges (setuid() failed)");
		61	+ }
		62	}
		63	source (1, argv + i);
		64	close (rem);
		65	@@ -645,9 +648,10 @@ tolocal (int argc, char *argv[])
		66	}
		67
		68	if (seteuid (userid) == -1)
		69	- {
		70	- error (EXIT_FAILURE, 0, "Could not drop privileges (seteuid() failed)");
		71	- }
		72	+ {
		73	+ error (EXIT_FAILURE, 0,
		74	+ "Could not drop privileges (seteuid() failed)");
		75	+ }
		76
		77	#if defined IP_TOS && defined IPPROTO_IP && defined IPTOS_THROUGHPUT
		78	sslen = sizeof (ss);
		79	@@ -663,9 +667,10 @@ tolocal (int argc, char *argv[])
		80	sink (1, vect);
		81
		82	if (seteuid (effuid) == -1)
		83	- {
		84	- error (EXIT_FAILURE, 0, "Could not drop privileges (seteuid() failed)");
		85	- }
		86	+ {
		87	+ error (EXIT_FAILURE, 0,
		88	+ "Could not drop privileges (seteuid() failed)");
		89	+ }
		90
		91	close (rem);
		92	rem = -1;
		93	@@ -1465,9 +1470,10 @@ susystem (char *s, int userid)
		94
		95	case 0:
		96	if (setuid (userid) == -1)
		97	- {
		98	- error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)");
		99	- }
		100	+ {
		101	+ error (EXIT_FAILURE, 0,
		102	+ "Could not drop privileges (setuid() failed)");
		103	+ }
		104
		105	execl (PATH_BSHELL, "sh", "-c", s, NULL);
		106	_exit (127);
		107	diff --git a/src/rlogin.c b/src/rlogin.c
		108	index 9bf9645..a0c1237 100644
		109	--- a/src/rlogin.c
		110	+++ b/src/rlogin.c
		111	@@ -648,14 +648,14 @@ try_connect:
		112	to get the privileged port that rcmd () uses. We now want, however,
		113	to run as the real user who invoked us. */
		114	if (seteuid (uid) == -1)
		115	- {
		116	- error (EXIT_FAILURE, 0, "Could not drop privileges (seteuid() failed)");
		117	- }
		118	+ {
		119	+ error (EXIT_FAILURE, 0, "Could not drop privileges (seteuid() failed)");
		120	+ }
		121
		122	if (setuid (uid) == -1)
		123	- {
		124	- error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)");
		125	- }
		126	+ {
		127	+ error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)");
		128	+ }
		129
		130	doit (&osmask); /* The old mask will activate SIGURG and SIGUSR1! */
		131
		132	diff --git a/src/rsh.c b/src/rsh.c
		133	index 7b9cf22..c8f50d3 100644
		134	--- a/src/rsh.c
		135	+++ b/src/rsh.c
		136	@@ -278,14 +278,14 @@ main (int argc, char **argv)
		137	argv = (char ) "rlogin";
		138
		139	if (seteuid (getuid ()) == -1)
		140	- {
		141	- error (EXIT_FAILURE, errno, "seteuid() failed");
		142	- }
		143	-
		144	+ {
		145	+ error (EXIT_FAILURE, errno, "seteuid() failed");
		146	+ }
		147	+
		148	if (setuid (getuid ()) == -1)
		149	- {
		150	- error (EXIT_FAILURE, errno, "setuid() failed");
		151	- }
		152	+ {
		153	+ error (EXIT_FAILURE, errno, "setuid() failed");
		154	+ }
		155
		156	execv (PATH_RLOGIN, argv);
		157	error (EXIT_FAILURE, errno, "cannot execute %s", PATH_RLOGIN);
		158	@@ -551,14 +551,14 @@ try_connect:
		159	}
		160
		161	if (seteuid (uid) == -1)
		162	- {
		163	- error (EXIT_FAILURE, errno, "seteuid() failed");
		164	- }
		165	+ {
		166	+ error (EXIT_FAILURE, errno, "seteuid() failed");
		167	+ }
		168
		169	if (setuid (uid) == -1)
		170	- {
		171	- error (EXIT_FAILURE, errno, "setuid() failed");
		172	- }
		173	+ {
		174	+ error (EXIT_FAILURE, errno, "setuid() failed");
		175	+ }
		176
		177	#ifdef HAVE_SIGACTION
		178	sigemptyset (&sigs);
		179	diff --git a/src/rshd.c b/src/rshd.c
		180	index 707790e..df43edf 100644
		181	--- a/src/rshd.c
		182	+++ b/src/rshd.c
		183	@@ -1848,16 +1848,16 @@ doit (int sockfd, struct sockaddr *fromp, socklen_t fromlen)
		184
		185	/* Set the gid, then uid to become the user specified by "locuser" */
		186	if (setegid ((gid_t) pwd->pw_gid) == -1)
		187	- {
		188	- rshd_error ("Cannot drop privileges (setegid() failed)\n");
		189	- exit (EXIT_FAILURE);
		190	- }
		191	+ {
		192	+ rshd_error ("Cannot drop privileges (setegid() failed)\n");
		193	+ exit (EXIT_FAILURE);
		194	+ }
		195
		196	if (setgid ((gid_t) pwd->pw_gid) == -1)
		197	- {
		198	- rshd_error ("Cannot drop privileges (setgid() failed)\n");
		199	- exit (EXIT_FAILURE);
		200	- }
		201	+ {
		202	+ rshd_error ("Cannot drop privileges (setgid() failed)\n");
		203	+ exit (EXIT_FAILURE);
		204	+ }
		205
		206	#ifdef HAVE_INITGROUPS
		207	initgroups (pwd->pw_name, pwd->pw_gid); /* BSD groups */
		208	@@ -1881,10 +1881,10 @@ doit (int sockfd, struct sockaddr *fromp, socklen_t fromlen)
		209	#endif /* WITH_PAM */
		210
		211	if (setuid ((uid_t) pwd->pw_uid) == -1)
		212	- {
		213	- rshd_error ("Cannot drop privileges (setuid() failed)\n");
		214	- exit (EXIT_FAILURE);
		215	- }
		216	+ {
		217	+ rshd_error ("Cannot drop privileges (setuid() failed)\n");
		218	+ exit (EXIT_FAILURE);
		219	+ }
		220
		221	/* We'll execute the client's command in the home directory
		222	* of locuser. Note, that the chdir must be executed after
		223	diff --git a/src/uucpd.c b/src/uucpd.c
		224	index 29cfce3..afe24f3 100644
		225	--- a/src/uucpd.c
		226	+++ b/src/uucpd.c
		227	@@ -254,10 +254,10 @@ doit (struct sockaddr *sap, socklen_t salen)
		228	dologin (pw, sap, salen);
		229
		230	if (setgid (pw->pw_gid) == -1)
		231	- {
		232	- fprintf (stderr, "setgid() failed");
		233	- return;
		234	- }
		235	+ {
		236	+ fprintf (stderr, "setgid() failed");
		237	+ return;
		238	+ }
		239	#ifdef HAVE_INITGROUPS
		240	initgroups (pw->pw_name, pw->pw_gid);
		241	#endif
		242	@@ -268,10 +268,10 @@ doit (struct sockaddr *sap, socklen_t salen)
		243	}
		244
		245	if (setuid (pw->pw_uid) == -1)
		246	- {
		247	- fprintf (stderr, "setuid() failed");
		248	- return;
		249	- }
		250	+ {
		251	+ fprintf (stderr, "setuid() failed");
		252	+ return;
		253	+ }
		254
		255	execl (uucico_location, "uucico", NULL);
		256	perror ("uucico server: execl");
		257	--
		258	2.40.0


diff --git a/meta/recipes-connectivity/inetutils/inetutils_2.4.bb b/meta/recipes-connectivity/inetutils/inetutils_2.4.bb index 6519331141..032c0d6b24 100644 --- a/meta/recipes-connectivity/inetutils/inetutils_2.4.bb +++ b/meta/recipes-connectivity/inetutils/inetutils_2.4.bb
@@ -21,6 +21,8 @@ SRC_URI = "${GNU_MIRROR}/inetutils/inetutils-${PV}.tar.xz \
21	file://tftpd.xinetd.inetutils \	21	file://tftpd.xinetd.inetutils \
22	file://inetutils-1.9-PATH_PROCNET_DEV.patch \	22	file://inetutils-1.9-PATH_PROCNET_DEV.patch \
23	file://inetutils-only-check-pam_appl.h-when-pam-enabled.patch \	23	file://inetutils-only-check-pam_appl.h-when-pam-enabled.patch \
		24	file://0001-CVE-2023-40303-ftpd-rcp-rlogin-rsh-rshd-uucpd-fix-ch.patch \
		25	file://0002-CVE-2023-40303-Indent-changes-in-previous-commit.patch \
24	"	26	"
25		27
26	inherit autotools gettext update-alternatives texinfo	28	inherit autotools gettext update-alternatives texinfo