openSUSE:12.2:ARM
systemd
File 0001-util-never-follow-symlinks-in-rm_rf_children.patch of Package systemd
From 5ebff5337594d690b322078c512eb222d34aaa82 Mon Sep 17 00:00:00 2001 From: Michal Schmidt <mschmidt@redhat.com> Date: Fri, 2 Mar 2012 10:39:10 +0100 Subject: [PATCH] util: never follow symlinks in rm_rf_children() The function checks if the entry is a directory before recursing, but there is a window between the check and the open, during which the directory could be replaced with a symlink. CVE-2012-1174 https://bugzilla.redhat.com/show_bug.cgi?id=803358 --- src/util.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) diff --git a/src/util.c b/src/util.c index 20cbc2b..dfc1dc6 100644 --- a/src/util.c +++ b/src/util.c @@ -3593,7 +3593,8 @@ static int rm_rf_children(int fd, bool only_dirs, bool honour_sticky) { if (is_dir) { int subdir_fd; - if ((subdir_fd = openat(fd, de->d_name, O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC)) < 0) { + subdir_fd = openat(fd, de->d_name, O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC|O_NOFOLLOW); + if (subdir_fd < 0) { if (ret == 0 && errno != ENOENT) ret = -errno; continue; -- 1.7.7 From c9d8629baa09f853fbcc44972c9748e70562270c Mon Sep 17 00:00:00 2001 From: Lennart Poettering <lennart@poettering.net> Date: Thu, 22 Mar 2012 01:43:36 +0100 Subject: [PATCH] logind: extend comment about X11 socket symlink --- src/login/logind-session.c | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) diff --git a/src/login/logind-session.c b/src/login/logind-session.c index af9c12d..4e0af86 100644 --- a/src/login/logind-session.c +++ b/src/login/logind-session.c @@ -391,6 +391,10 @@ static int session_link_x11_socket(Session *s) { return -ENOENT; } + /* Note that this cannot be in a subdir to avoid + * vulnerabilities since we are privileged but the runtime + * path is owned by the user */ + t = strappend(s->user->runtime_path, "/X11-display"); if (!t) { log_error("Out of memory"); -- 1.7.7
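Review bot: in the `if (subdir_fd < 0)` error path of rm_rf_children(), an entry that was swapped for a symlink after the is_dir check now makes openat() fail with an errno other than ENOENT, so `ret = -errno` is recorded and the entry is skipped by `continue`. That closes the race, but it also means the swapped-in symlink is left in place and the whole removal reports an error. Please state in a comment whether that outcome is intended, or handle it explicitly, for example by unlinking the entry as a non-directory instead of skipping it. A one-line comment next to O_NOFOLLOW naming the check-then-open window would also keep a later cleanup from dropping the flag.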
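Review bot: the comment added above `t = strappend(s->user->runtime_path, "/X11-display");` in session_link_x11_socket() is ambiguous in two places. "this" has no referent, and "cannot be in a subdir to avoid vulnerabilities" can be read either way round. Suggest naming the object and the constraint directly, for example that the X11-display link must be created directly in the user's runtime path and not in a subdirectory of it, and then giving the reason the comment already states: the code runs privileged while the runtime path is owned by the user. Saying which component the user could manipulate would make the constraint checkable by the next person who changes this path.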