diff options
author | Gregory Neil Shapiro <gshapiro@FreeBSD.org> | 2002-10-26 21:08:43 +0000 |
---|---|---|
committer | Gregory Neil Shapiro <gshapiro@FreeBSD.org> | 2002-10-26 21:08:43 +0000 |
commit | eeca4eb030dc222e60b8c907cddcc1a0528caf60 (patch) | |
tree | 761d985c960f6c7257d13fb93f6ba19c53c8c023 | |
parent | b9a77fa560afd98564b3060238a1d93001a62f72 (diff) | |
download | src-eeca4eb030dc222e60b8c907cddcc1a0528caf60.tar.gz src-eeca4eb030dc222e60b8c907cddcc1a0528caf60.zip |
MFC: Fix smrsh bypass bug.
Approved by: security-officer
Notes
Notes:
svn path=/releng/4.3/; revision=106003
-rw-r--r-- | UPDATING | 3 | ||||
-rw-r--r-- | contrib/sendmail/smrsh/smrsh.c | 33 | ||||
-rw-r--r-- | sys/conf/newvers.sh | 2 |
3 files changed, 37 insertions, 1 deletions
@@ -16,6 +16,9 @@ minimal number of processes, if possible, for that patch. For those updates that don't have an advisory, or to be safe, you can do a full build and install as described in the COMMON ITEMS section. +20021026: p30 + smrsh bypass bug. + 20020710: p29 FreeBSD-SA-02:28.resolv resolver buffer overflow. diff --git a/contrib/sendmail/smrsh/smrsh.c b/contrib/sendmail/smrsh/smrsh.c index 9d45a92fc1c2..7c7292183c43 100644 --- a/contrib/sendmail/smrsh/smrsh.c +++ b/contrib/sendmail/smrsh/smrsh.c @@ -59,6 +59,8 @@ static char id[] = "@(#)$Id: smrsh.c,v 8.31.4.8 2001/01/22 19:00:26 gshapiro Exp #include <unistd.h> #include <stdio.h> #include <sys/file.h> +#include <sys/types.h> +#include <sys/stat.h> #include <string.h> #include <ctype.h> #include <errno.h> @@ -156,6 +158,7 @@ main(argc, argv) char cmdbuf[1000]; char pathbuf[1000]; char specialbuf[32]; + struct stat st; #ifndef DEBUG # ifndef LOG_MAIL @@ -292,6 +295,36 @@ main(argc, argv) #ifdef DEBUG printf("Trying %s\n", cmdbuf); #endif /* DEBUG */ + if (stat(cmdbuf, &st) < 0) + { + /* can't stat it */ + (void) fprintf(stderr, "%s: %s not available for sendmail programs (stat failed)\n", + prg, cmd); + if (p != NULL) + *p = ' '; +#ifndef DEBUG + syslog(LOG_CRIT, "uid %d: attempt to use %s (stat failed)", + (int) getuid(), cmd); +#endif /* ! DEBUG */ + exit(EX_UNAVAILABLE); + } + if (!S_ISREG(st.st_mode) +#ifdef S_ISLNK + && !S_ISLNK(st.st_mode) +#endif /* S_ISLNK */ + ) + { + /* can't stat it */ + (void) fprintf(stderr, "%s: %s not available for sendmail programs (not a file)\n", + prg, cmd); + if (p != NULL) + *p = ' '; +#ifndef DEBUG + syslog(LOG_CRIT, "uid %d: attempt to use %s (not a file)", + (int) getuid(), cmd); +#endif /* ! DEBUG */ + exit(EX_UNAVAILABLE); + } if (access(cmdbuf, X_OK) < 0) { /* oops.... crack attack possiblity */ diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh index ec47e5a6ae2c..a7658d5cea83 100644 --- a/sys/conf/newvers.sh +++ b/sys/conf/newvers.sh @@ -36,7 +36,7 @@ TYPE="FreeBSD" REVISION="4.3" -BRANCH="RELEASE-p29" +BRANCH="RELEASE-p30" RELEASE="${REVISION}-${BRANCH}" VERSION="${TYPE} ${RELEASE}" |