[Pkg-coolkey-commits] r25 - in /coolkey/trunk/debian/patches: 00list 06_machdep_cpp_CVE-2007-4129.dpatch
rousseau at users.alioth.debian.org
rousseau at users.alioth.debian.org
Sun Jan 6 17:14:56 UTC 2008
Author: rousseau
Date: Sun Jan 6 17:14:56 2008
New Revision: 25
URL: http://svn.debian.org/wsvn/pkg-coolkey/?sc=1&rev=25
Log:
add fix for CVE-2007-4129 that was present in the .diff.gz instead of a
dpatch
Added:
coolkey/trunk/debian/patches/06_machdep_cpp_CVE-2007-4129.dpatch (with props)
Modified:
coolkey/trunk/debian/patches/00list
Modified: coolkey/trunk/debian/patches/00list
URL: http://svn.debian.org/wsvn/pkg-coolkey/coolkey/trunk/debian/patches/00list?rev=25&op=diff
==============================================================================
--- coolkey/trunk/debian/patches/00list (original)
+++ coolkey/trunk/debian/patches/00list Sun Jan 6 17:14:56 2008
@@ -3,3 +3,4 @@
03_machdep_cpp.dpatch
04_object_cpp.dpatch
05_slot_cpp.dpatch
+06_machdep_cpp_CVE-2007-4129.dpatch
Added: coolkey/trunk/debian/patches/06_machdep_cpp_CVE-2007-4129.dpatch
URL: http://svn.debian.org/wsvn/pkg-coolkey/coolkey/trunk/debian/patches/06_machdep_cpp_CVE-2007-4129.dpatch?rev=25&op=file
==============================================================================
--- coolkey/trunk/debian/patches/06_machdep_cpp_CVE-2007-4129.dpatch (added)
+++ coolkey/trunk/debian/patches/06_machdep_cpp_CVE-2007-4129.dpatch Sun Jan 6 17:14:56 2008
@@ -1,0 +1,180 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 06_machdep_cpp_CVE-2007-4129.dpatch by <rousseau at imac.maison.bogus>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: fix for CVE-2007-4129 - correct cache file handling
+
+ at DPATCH@
+diff -urNad coolkey-1.1.0~/src/coolkey/machdep.cpp coolkey-1.1.0/src/coolkey/machdep.cpp
+--- coolkey-1.1.0~/src/coolkey/machdep.cpp 2007-02-14 01:46:28.000000000 +0100
++++ coolkey-1.1.0/src/coolkey/machdep.cpp 2008-01-06 18:11:04.000000000 +0100
+@@ -185,12 +185,20 @@
+ #define MAP_INHERIT 0
+ #endif
+
++#ifndef BASEPATH
++#ifdef MAC
++#define BASEPATH "/var"
++#else
++#define BASEPATH "/var/cache"
++#endif
++#endif
++
+ #ifdef FULL_CLEANUP
+ #define RESERVED_OFFSET 256
+-#define MEMSEGPATH "/tmp/.pk11ipc"
++#define MEMSEGPATH BASEPATH"/coolkey-lock"
+ #else
+ #define RESERVED_OFFSET 0
+-#define MEMSEGPATH "/tmp/.pk11ipc1"
++#define MEMSEGPATH BASEPATH"/coolkey"
+ #endif
+
+ struct SHMemData {
+@@ -208,11 +216,6 @@
+ #ifdef FULL_CLEANUP
+ flock(fd,LOCK_EX);
+ unsigned long ref = --(*(unsigned long *)addr);
+-#ifdef notdef
+- if (ref == 0) {
+- unlink(path);
+- }
+-#endif
+ flock(fd, LOCK_UN);
+ #endif
+ munmap(addr,size+RESERVED_OFFSET);
+@@ -225,6 +228,73 @@
+ }
+ }
+
++/*
++ * The cache directory is shared and accessible by anyone, make
++ * sure the cache file we are opening is really a valid cache file.
++ */
++int safe_open(char *path, int flags, int mode, int size)
++{
++ struct stat buf;
++ int fd, ret;
++
++ fd = open (path, flags|O_NOFOLLOW, mode);
++
++ if (fd < 0) {
++ return fd;
++ }
++
++ ret = fstat(fd, &buf);
++ if (ret < 0) {
++ close (fd);
++ return ret;
++ }
++
++ /* our cache files are pretty specific, make sure we are looking
++ * at the correct one */
++
++ /* first, we should own the file ourselves, don't open a file
++ * that someone else wanted us to see. */
++ if (buf.st_uid != getuid()) {
++ close(fd);
++ errno = EACCES;
++ return -1;
++ }
++
++ /* next, there should only be one link in this file. Don't
++ * use this code to trash another file */
++ if (buf.st_nlink != 1) {
++ close(fd);
++ errno = EMLINK;
++ return -1;
++ }
++
++ /* next, This better be a regular file */
++ if (!S_ISREG(buf.st_mode)) {
++ close(fd);
++ errno = EACCES;
++ return -1;
++ }
++
++ /* if the permissions don't match, something is wrong */
++ if ((buf.st_mode & 03777) != mode) {
++ close(fd);
++ errno = EACCES;
++ return -1;
++ }
++
++ /* finally the file should be the correct size. This
++ * check isn't so much to protect from an attack, as it is to
++ * detect a corrupted cache file */
++ if (buf.st_size != size) {
++ close(fd);
++ errno = EACCES;
++ return -1;
++ }
++
++ /* OK, the file checked out, ok to continue */
++ return fd;
++}
++
+ SHMem::SHMem(): shmemData(0) {}
+
+ SHMem *
+@@ -248,7 +318,7 @@
+ return NULL;
+ }
+ int mask = umask(0);
+- int ret = mkdir (MEMSEGPATH, 0777);
++ int ret = mkdir (MEMSEGPATH, 1777);
+ umask(mask);
+ if ((ret == -1) && (errno != EEXIST)) {
+ delete shmemData;
+@@ -264,21 +334,16 @@
+ shmemData->path[sizeof(MEMSEGPATH)-1] = '/';
+ strcpy(&shmemData->path[sizeof(MEMSEGPATH)],name);
+
+- int mode = 0777;
+- if (strcmp(name,"token_names") != 0) {
+- /* each user gets his own uid array */
+- sprintf(uid_str, "-%u",getuid());
+- strcat(shmemData->path,uid_str);
+- mode = 0700;
+- }
++ sprintf(uid_str, "-%u",getuid());
++ strcat(shmemData->path,uid_str);
++ int mode = 0600;
++
+ shmemData->fd = open(shmemData->path,
+ O_CREAT|O_RDWR|O_EXCL|O_APPEND|O_EXLOCK, mode);
+- if (shmemData->fd < 0) {
+- needInit = false;
+- shmemData->fd = open(shmemData->path,O_RDWR|O_EXLOCK, mode);
+- } else {
++ if (shmemData->fd >= 0) {
+ char *buf;
+ int len = size+RESERVED_OFFSET;
++ int ret;
+
+ buf = (char *)calloc(1,len);
+ if (!buf) {
+@@ -289,8 +354,22 @@
+ delete shmemData;
+ return NULL;
+ }
+- write(shmemData->fd,buf,len);
++ ret = write(shmemData->fd,buf,len);
++ if (ret != len) {
++ unlink(shmemData->path);
++#ifdef FULL_CLEANUP
++ flock(shmemData->fd, LOCK_UN);
++#endif
++ delete shmemData;
++ return NULL;
++ }
++
+ free(buf);
++ } else if (errno == EEXIST) {
++ needInit = false;
++
++ shmemData->fd = safe_open(shmemData->path,O_RDWR|O_EXLOCK, mode,
++ size+RESERVED_OFFSET);
+ }
+ if (shmemData->fd < 0) {
+ delete shmemData;
Propchange: coolkey/trunk/debian/patches/06_machdep_cpp_CVE-2007-4129.dpatch
------------------------------------------------------------------------------
svn:executable = *
More information about the Pkg-coolkey-commits
mailing list