diff options
author | root <root@rshg054.dnsready.net> | 2011-10-31 23:14:48 +0000 |
---|---|---|
committer | root <root@rshg054.dnsready.net> | 2011-10-31 23:14:48 +0000 |
commit | 560562e36a27da267f2f4f7989806790192888ef (patch) | |
tree | f2ce7f5442dd17943646b3844614c48750704018 /testing/xorg-server/git-fixes.patch | |
parent | f935ebf41c626e4832f86c5f3f7ed1cc35128f6b (diff) |
Mon Oct 31 23:14:48 UTC 2011
Diffstat (limited to 'testing/xorg-server/git-fixes.patch')
-rw-r--r-- | testing/xorg-server/git-fixes.patch | 56 |
1 files changed, 56 insertions, 0 deletions
diff --git a/testing/xorg-server/git-fixes.patch b/testing/xorg-server/git-fixes.patch new file mode 100644 index 000000000..a62524bdb --- /dev/null +++ b/testing/xorg-server/git-fixes.patch @@ -0,0 +1,56 @@ +From f80d23357874db19bc124dee70239fb182977883 Mon Sep 17 00:00:00 2001 +From: Matthieu Herrb <matthieu.herrb@laas.fr> +Date: Mon, 17 Oct 2011 20:26:12 +0000 +Subject: Fix CVE-2011-4028: File disclosure vulnerability. + +use O_NOFOLLOW to open the existing lock file, so symbolic links +aren't followed, thus avoid revealing if it point to an existing +file. + +Signed-off-by: Matthieu Herrb <matthieu.herrb@laas.fr> +Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> +(cherry picked from commit 6ba44b91e37622ef8c146d8f2ac92d708a18ed34) +--- +diff --git a/os/utils.c b/os/utils.c +index 36cb46f..9e0acb6 100644 +--- a/os/utils.c ++++ b/os/utils.c +@@ -316,7 +316,7 @@ LockServer(void) + /* + * Read the pid from the existing file + */ +- lfd = open(LockFile, O_RDONLY); ++ lfd = open(LockFile, O_RDONLY|O_NOFOLLOW); + if (lfd < 0) { + unlink(tmp); + FatalError("Can't read lock file %s\n", LockFile); +-- +cgit v0.9.0.2-2-gbebe +From 12f65819ffb04103f170ecd7e281348de618fc4c Mon Sep 17 00:00:00 2001 +From: Matthieu Herrb <matthieu.herrb@laas.fr> +Date: Mon, 17 Oct 2011 20:27:35 +0000 +Subject: Fix CVE-2011-4029: File permission change vulnerability. + +Use fchmod() to change permissions of the lock file instead +of chmod(), thus avoid the race that can be exploited to set +a symbolic link to any file or directory in the system. + +Signed-off-by: Matthieu Herrb <matthieu.herrb@laas.fr> +Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> +(cherry picked from commit b67581cf825940fdf52bf2e0af4330e695d724a4) +--- +diff --git a/os/utils.c b/os/utils.c +index 9e0acb6..d9aa65e 100644 +--- a/os/utils.c ++++ b/os/utils.c +@@ -295,7 +295,7 @@ LockServer(void) + FatalError("Could not create lock file in %s\n", tmp); + (void) sprintf(pid_str, "%10ld\n", (long)getpid()); + (void) write(lfd, pid_str, 11); +- (void) chmod(tmp, 0444); ++ (void) fchmod(lfd, 0444); + (void) close(lfd); + + /* +-- +cgit v0.9.0.2-2-gbebe |