File CVE-2011-0017.diff of Package exim
commit 1670ef10063d7708eb736a482d1ad25b9c59521d Author: Phil Pennock <pdp@exim.org> Date: Fri Jan 21 03:56:02 2011 -0500 Check return values of setgid/setuid. CVE-2011-0017 One assertion of the unimportance of checking the return value was wrong, in the event of a compromised exim run-time user. Index: exim-4.69/doc/ChangeLog =================================================================== --- exim-4.69.orig/doc/ChangeLog +++ exim-4.69/doc/ChangeLog @@ -3,6 +3,11 @@ $Cambridge: exim/exim-doc/doc-txt/Change Change log file for Exim from version 4.21 ------------------------------------------- +PP/04 CVE-2011-0017 - check return value of setuid/setgid. This is a + privilege escalation vulnerability whereby the Exim run-time user + can cause root to append content of the attacker's choosing to + arbitrary files. + Exim version 4.69 ----------------- Index: exim-4.69/doc/NewStuff =================================================================== --- exim-4.69.orig/doc/NewStuff +++ exim-4.69/doc/NewStuff @@ -8,6 +8,15 @@ Before a formal release, there may be qu test from the snapshots or the CVS before the documentation is updated. Once the documentation is updated, this file is reduced to a short list. +Version CVE-2011-0017 +--------------------- + + 1. SECURITY FIX: privilege escalation flaw fixed. On Linux (and only Linux) + the flaw permitted the Exim run-time user to cause root to append to + arbitrary files of the attacker's choosing, with the content based + on content supplied by the attacker. + + Version 4.68 ------------ Index: exim-4.69/src/exim.c =================================================================== --- exim-4.69.orig/src/exim.c +++ exim-4.69/src/exim.c @@ -1301,7 +1301,7 @@ int arg_error_handling = error_handling int filter_sfd = -1; int filter_ufd = -1; int group_count; -int i; +int i, rv; int list_queue_option = 0; int msg_action = 0; int msg_action_arg = -1; 
@@ -1620,8 +1620,20 @@ real_gid = getgid(); if (real_uid == root_uid) { - setgid(real_gid); - setuid(real_uid); + rv = setgid(real_gid); + if (rv) + { + fprintf(stderr, "exim: setgid(%ld) failed: %s\n", + (long int)real_gid, strerror(errno)); + exit(EXIT_FAILURE); + } + rv = setuid(real_uid); + if (rv) + { + fprintf(stderr, "exim: setuid(%ld) failed: %s\n", + (long int)real_uid, strerror(errno)); + exit(EXIT_FAILURE); + } } /* If neither the original real uid nor the original euid was root, Exim is @@ -3701,7 +3713,28 @@ if (!unprivileged && /* When we are retaining a privileged uid, we still change to the exim gid. */ -else setgid(exim_gid); +else + { + int rv; + rv = setgid(exim_gid); + /* Impact of failure is that some stuff might end up with an incorrect group. + We track this for failures from root, since any attempt to change privilege + by root should succeed and failures should be examined. For non-root, + there's no security risk. For me, it's { exim -bV } on a just-built binary, + no need to complain then. */ + if (rv == -1) + { + if (!unprivileged) + { + fprintf(stderr, + "exim: changing group failed: %s\n", strerror(errno)); + exit(EXIT_FAILURE); + } + else + debug_printf("changing group to %ld failed: %s\n", + (long int)exim_gid, strerror(errno)); + } + } /* Handle a request to list the delivery queue */ Index: exim-4.69/src/log.c =================================================================== --- exim-4.69.orig/src/log.c +++ exim-4.69/src/log.c 
@@ -343,17 +343,26 @@ are neither exim nor root, creation is n else if (euid == root_uid) { - int status; + int status, rv; pid_t pid = fork(); /* In the subprocess, change uid/gid and do the creation. Return 0 from the - subprocess on success. There doesn't seem much point in testing for setgid - and setuid errors. */ + subprocess on success. If we don't check for setuid failures, then the file + can be created as root, so vulnerabilities which cause setuid to fail mean + that the Exim user can use symlinks to cause a file to be opened/created as + root. We always open for append, so can't nuke existing content but it would + still be Rather Bad. */ if (pid == 0) { - (void)setgid(exim_gid); - (void)setuid(exim_uid); + rv = setgid(exim_gid); + if (rv) + die(US"exim: setgid for log-file creation failed, aborting", + US"Unexpected log failure, please try later"); + rv = setuid(exim_uid); + if (rv) + die(US"exim: setuid for log-file creation failed, aborting", + US"Unexpected log failure, please try later"); _exit((create_log(buffer) < 0)? 1 : 0); }
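Review bot: In the doc/ChangeLog hunk, the PP/04 entry is inserted above the "Exim version 4.69" heading, so it sits directly under the file title and belongs to no version section; move it below the heading of the release that carries the fix. The entry also omits the scope stated in the doc/NewStuff hunk ("On Linux (and only Linux)"), so the two descriptions should be brought into line.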
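Review bot: In the doc/NewStuff hunk, the new heading "Version CVE-2011-0017" puts a CVE identifier where the neighbouring heading ("Version 4.68") carries a release number. Head the section with the version that contains the fix and keep the CVE id in the item text, so that readers scanning by version can find it. The hunk also adds two blank lines before "Version 4.68" where one would match the rest of the file.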
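Review bot: In the src/exim.c hunk at line 1620, the failure test is "if (rv)", while the hunk at line 3701 of the same file tests "if (rv == -1)" for the same kind of call; use one form in all the new checks so they read as the same check. The setgid and setuid blocks here differ only in the call and the message text, so a small helper that reports and exits would remove the duplication.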
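Review bot: In the src/exim.c hunk at line 3701, the new comment states "For non-root, there's no security risk" and the unprivileged branch reports a failed setgid(exim_gid) only through debug_printf, so outside a debug run the failure is silent. The commit message says an earlier assertion of this kind turned out to be wrong, so the comment should spell out why the non-root case is safe, or the branch should report the failure on a path that is visible without debugging. The block also declares its own "int rv;" although the first hunk of this file adds rv next to "int i"; if both are in the same function, the inner declaration shadows the outer one and can be dropped.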
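Review bot: In the src/log.c hunk, the child's two failure paths call die() while its normal path ends with _exit(); the lines shown do not say how die() terminates, so confirm that it is safe in a forked child (no second run of exit handlers, no flush of stdio buffers inherited from the parent), or report the failure through the child's exit status as the create_log() result already is. rv is declared beside status in the parent's scope but is used only inside the "pid == 0" block; declaring it there keeps it local to the child.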