Source-Changes-HG archive


[src/netbsd-9]: src/libexec/mail.local Pull up following revision(s) (request...



details:   https://anonhg.NetBSD.org/src/rev/81b018c611c0
branches:  netbsd-9
changeset: 366190:81b018c611c0
user:      bouyer <bouyer%NetBSD.org@localhost>
date:      Tue May 17 12:10:25 2022 +0000

description:
Pull up following revision(s) (requested by kre in ticket #1455):
        libexec/mail.local/mail.local.c: revision 1.29
fix local privilege escalation due to a race condition
NetBSD-SA2016-006 included an incomplete fix for CVE-2016-6253,
a local privilege escalation vulnerability in mail.local(8).
mail.local(8) attempts to open(2) a user's existing mailbox file
to append to it.  If that call fails, mail.local(8) will then issue
a second open(2) call to create the file (O_CREAT).
An attacker had the opportunity to create the file in question (as
a symlink, or link to some other file) in between these two open(2) calls.
Fix this by using O_EXCL in the 2nd open call; if the file exists when
that one happens, something is going wrong, so just abort.  Also, only
attempt that 2nd open if the reason the first failed was that the file
did not exist (this doesn't fix the issue, but it potentially saves
some cycles).
Thanks to Jan Schaumann for bringing this to our attention.

diffstat:

 libexec/mail.local/mail.local.c |  11 ++++++-----
 1 files changed, 6 insertions(+), 5 deletions(-)

diffs (34 lines):

diff -r cb4a979fb7c3 -r 81b018c611c0 libexec/mail.local/mail.local.c
--- a/libexec/mail.local/mail.local.c   Tue May 17 10:30:22 2022 +0000
+++ b/libexec/mail.local/mail.local.c   Tue May 17 12:10:25 2022 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: mail.local.c,v 1.28 2016/07/21 12:29:37 shm Exp $      */
+/*     $NetBSD: mail.local.c,v 1.28.16.1 2022/05/17 12:10:25 bouyer Exp $      */
 
 /*-
  * Copyright (c) 1990, 1993, 1994
@@ -36,7 +36,7 @@
 #if 0
 static char sccsid[] = "@(#)mail.local.c       8.22 (Berkeley) 6/21/95";
 #else
-__RCSID("$NetBSD: mail.local.c,v 1.28 2016/07/21 12:29:37 shm Exp $");
+__RCSID("$NetBSD: mail.local.c,v 1.28.16.1 2022/05/17 12:10:25 bouyer Exp $");
 #endif
 #endif /* not lint */
 
@@ -217,11 +217,12 @@
                return(EX_OSERR);
        }
        
-       if ((mbfd = open(path, O_APPEND|O_WRONLY|O_EXLOCK,
+       if ((mbfd = open(path, O_APPEND|O_WRONLY|O_EXLOCK|O_NOFOLLOW,
            S_IRUSR|S_IWUSR)) == -1) {
                /* create file */
-               if ((mbfd = open(path, O_APPEND|O_CREAT|O_WRONLY|O_EXLOCK,
-                   S_IRUSR|S_IWUSR)) == -1) {
+               if (errno != ENOENT ||
+                  (mbfd = open(path, O_APPEND|O_CREAT|O_WRONLY|O_EXLOCK|O_EXCL,
+                    S_IRUSR|S_IWUSR)) == -1) {
                        logwarn("%s: %s", path, strerror(errno));
                        rval = EX_OSERR;
                        goto bad;
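
Review bot: In the create path, the O_EXCL open fails with EEXIST whenever anything created the mailbox after the first open returned ENOENT, and that case falls through to the same logwarn / EX_OSERR / goto bad as every other error. That is the intended response to a planted link, but a second delivery racing this one to the same new mailbox would be rejected in the same way. Consider retrying the first (non-creating, O_NOFOLLOW) open once when the second open fails with EEXIST, so the retry goes through the same hardened open and only a repeated failure aborts. Two smaller points: the `/* create file */` comment now sits above a condition that also handles a non-ENOENT failure of the first open, so it should be moved or reworded; and the commit message describes O_EXCL and the ENOENT test but not the O_NOFOLLOW added to the first open, which deserves a line because it changes behaviour when the existing mailbox path is a symlink. O_NOFOLLOW also does not cover the hard-link case the description mentions; if a link-count or ownership check on mbfd exists outside this context, a comment pointing to it would help.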


