File CVE-2011-1837.patch of Package ecryptfs-utils.import4986

Description: fix arbitrary file overwrite via lock counter race condition
Author: Marc Deslauriers <marc.deslauriers@canonical.com>
Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/ecryptfs-utils/+bug/732628

Index: ecryptfs-utils-83/src/utils/mount.ecryptfs_private.c
===================================================================
--- ecryptfs-utils-83.orig/src/utils/mount.ecryptfs_private.c
+++ ecryptfs-utils-83/src/utils/mount.ecryptfs_private.c
@@ -307,26 +307,27 @@ FILE *lock_counter(char *u, int uid) {
 	 * file, or it's not owned by the current user, append iterator
 	 * until we find a filename we can use.
 	 */
-	while (1) {
-		if (stat(f, &s)==0 && (!S_ISREG(s.st_mode) || s.st_uid!=uid)) {
-			free(f);
+	while (i < 50) {
+		if (((fd = open(f, O_RDWR | O_CREAT | O_NOFOLLOW, 0600)) >= 0) &&
+		    (fstat(fd, &s)==0 && (S_ISREG(s.st_mode) && s.st_uid==uid))) {
+			break;
+		} else {
+			if (fd >= 0)
+				close(fd);
+			free (f);
 			if (asprintf(&f, "%s/%s-%s-%s-%d", TMP, FSTYPE, u,
 			    ECRYPTFS_PRIVATE_DIR, i++) < 0) {
 				perror("asprintf");
 				return NULL;
 			}
-		} else {
-			break;
 		}
 	}
-	/* open file for reading and writing */
-	if ((fd = open(f, O_RDWR)) < 0) {
-		/* Could not open it, so try to safely create it */
-		if ((fd = open(f, O_RDWR | O_CREAT | O_EXCL, 0600)) < 0) {
-			perror("open");
-			return NULL;
-		}
+
+	if (fd < 0) {
+		perror("open");
+		return NULL;
 	}
+
 	flock(fd, LOCK_EX);
 	fh = fdopen(fd, "r+");
 	if (fh == NULL) {
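Review bot: In the new `else` branch, `close(fd)` leaves `fd` holding its old non-negative value, so if every one of the 50 candidates opens but fails the `fstat` type/owner check, the `if (fd < 0)` test after the loop does not fire and `flock`/`fdopen` run on a closed descriptor. Reset it where it is closed, `if (fd >= 0) { close(fd); fd = -1; }`, so that exhausting the loop reliably takes the error return. `perror("open")` after the loop may also print an `errno` left by the later `close`/`asprintf` calls rather than by `open`, and `f` appears not to be freed on that return path. `lock_counter` starts and ends outside this hunk, so the initial values of `i` and `fd` could not be checked here.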