Overview

File cve-2013-4559.patch of Package lighttpd.openSUSE_13.1_Update

origin: http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_02.txt

commit d22f4164a9e26c252e1874a29ba658eec85a3ddc
Author: Stefan Bühler <stbuehler@web.de>
Date:   Sun Nov 10 19:00:08 2013 +0100

    [core] check success of setuid,setgid,setgroups

Index: lighttpd-1.4.33/src/server.c
===================================================================
--- lighttpd-1.4.33.orig/src/server.c	2013-11-13 02:36:01.510535924 +0000
+++ lighttpd-1.4.33/src/server.c	2013-11-13 02:36:01.510535924 +0000
@@ -820,8 +820,14 @@
 		 * to /etc/group
 		 * */
 		if (NULL != grp) {
-			setgid(grp->gr_gid);
-			setgroups(0, NULL);
+			if (-1 == setgid(grp->gr_gid)) {
+				log_error_write(srv, __FILE__, __LINE__, "ss", "setgid failed: ", strerror(errno));
+				return -1;
+			}
+			if (-1 == setgroups(0, NULL)) {
+				log_error_write(srv, __FILE__, __LINE__, "ss", "setgroups failed: ", strerror(errno));
+				return -1;
+			}
 			if (srv->srvconf.username->used) {
 				initgroups(srv->srvconf.username->ptr, grp->gr_gid);
 			}
@@ -844,7 +850,10 @@
 #ifdef HAVE_PWD_H
 		/* drop root privs */
 		if (NULL != pwd) {
-			setuid(pwd->pw_uid);
+			if (-1 == setuid(pwd->pw_uid)) {
+				log_error_write(srv, __FILE__, __LINE__, "ss", "setuid failed: ", strerror(errno));
+				return -1;
+			}
 		}
 #endif
 #if defined(HAVE_SYS_PRCTL_H) && defined(PR_SET_DUMPABLE)
openSUSE Build Service is sponsored by
Places