Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Step:FrontRunner
libXpm.30890
U_0005-Fix-CVE-2022-4883-compression-commands-d...
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File U_0005-Fix-CVE-2022-4883-compression-commands-depend-on-PAT.patch of Package libXpm.30890
From 082a080672c3b8a964aa8100bee41930e12b03fa Mon Sep 17 00:00:00 2001 From: Alan Coopersmith <alan.coopersmith@oracle.com> Date: Fri, 6 Jan 2023 12:50:48 -0800 Subject: [PATCH libXpm 5/5] Fix CVE-2022-4883: compression commands depend on $PATH By default, on all platforms except MinGW, libXpm will detect if a filename ends in .Z or .gz, and will when reading such a file fork off an uncompress or gunzip command to read from via a pipe, and when writing such a file will fork off a compress or gzip command to write to via a pipe. In libXpm 3.5.14 or older these are run via execlp(), relying on $PATH to find the commands. If libXpm is called from a program running with raised privileges, such as via setuid, then a malicious user could set $PATH to include programs of their choosing to be run with those privileges. Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> --- README.md | 12 ++++++++++++ configure.ac | 14 ++++++++++++++ src/RdFToI.c | 17 ++++++++++++++--- src/WrFFrI.c | 4 ++-- 4 files changed, 42 insertions(+), 5 deletions(-) Index: libXpm-3.5.12/README.md =================================================================== --- libXpm-3.5.12.orig/README.md +++ libXpm-3.5.12/README.md @@ -31,3 +31,15 @@ if it can't find the file it was asked t --enable-open-zfile feature to open the file, and is enabled by default when --enable-open-zfile is enabled, and can be disabled by passing the --disable-stat-zfile flag to the configure script. + +All of these commands will be executed with whatever userid & privileges the +function is called with, relying on the caller to ensure the correct euid, +egid, etc. are set before calling. + +To reduce risk, the paths to these commands are now set at configure time to +the first version found in the PATH used to run configure, and do not depend +on the PATH environment variable set at runtime. + +To specify paths to be used for these commands instead of searching $PATH, pass +the XPM_PATH_COMPRESS, XPM_PATH_UNCOMPRESS, XPM_PATH_GZIP, and XPM_PATH_GUNZIP +variables to the configure command. Index: libXpm-3.5.12/configure.ac =================================================================== --- libXpm-3.5.12.orig/configure.ac +++ libXpm-3.5.12/configure.ac @@ -48,6 +48,14 @@ if test "x$USE_GETTEXT" = "xyes" ; then fi AM_CONDITIONAL(USE_GETTEXT, test "x$USE_GETTEXT" = "xyes") +dnl Helper macro to find absolute path to program and add a #define for it +AC_DEFUN([XPM_PATH_PROG],[ +AC_PATH_PROG([$1], [$2], []) +AS_IF([test "x$$1" = "x"], + [AC_MSG_ERROR([$2 not found, set $1 or use --disable-open-zfile])]) +AC_DEFINE_UNQUOTED([$1], ["$$1"], [Path to $2]) +]) dnl End of AC_DEFUN([XPM_PATH_PROG]... + # Optional feature: When a filename ending in .Z or .gz is requested, # open a pipe to a newly forked compress/uncompress/gzip/gunzip command to # handle it. @@ -63,6 +71,11 @@ AC_ARG_ENABLE(open-zfile, AC_MSG_RESULT([$OPEN_ZFILE]) if test x$OPEN_ZFILE = xno ; then AC_DEFINE(NO_ZPIPE, 1, [Define to 1 to disable decompression via pipes]) +else + XPM_PATH_PROG([XPM_PATH_UNCOMPRESS], [uncompress]) + XPM_PATH_PROG([XPM_PATH_GZIP], [gzip]) + XPM_PATH_PROG([XPM_PATH_GUNZIP], [gunzip]) + AC_CHECK_FUNCS([closefrom close_range], [break]) fi # Optional feature: When ___.xpm is requested, also look for ___.xpm.Z & .gz Index: libXpm-3.5.12/src/RdFToI.c =================================================================== --- libXpm-3.5.12.orig/src/RdFToI.c +++ libXpm-3.5.12/src/RdFToI.c @@ -43,6 +43,7 @@ #include <errno.h> #include <sys/types.h> #include <sys/wait.h> +#include <unistd.h> #else #ifdef FOR_MSW #include <fcntl.h> @@ -161,7 +162,17 @@ xpmPipeThrough( goto err; if ( 0 == pid ) { - execlp(cmd, cmd, arg1, (char *)NULL); +#ifdef HAVE_CLOSEFROM + closefrom(3); +#elif defined(HAVE_CLOSE_RANGE) +# ifdef CLOSE_RANGE_UNSHARE +# define close_range_flags CLOSE_RANGE_UNSHARE +# else +# define close_range_flags 0 +#endif + close_range(3, ~0U, close_range_flags); +#endif + execl(cmd, cmd, arg1, (char *)NULL); perror(cmd); goto err; } @@ -235,12 +246,12 @@ OpenReadFile( if ( ext && !strcmp(ext, ".Z") ) { mdata->type = XPMPIPE; - mdata->stream.file = xpmPipeThrough(fd, "uncompress", "-c", "r"); + mdata->stream.file = xpmPipeThrough(fd, XPM_PATH_UNCOMPRESS, "-c", "r"); } else if ( ext && !strcmp(ext, ".gz") ) { mdata->type = XPMPIPE; - mdata->stream.file = xpmPipeThrough(fd, "gunzip", "-qc", "r"); + mdata->stream.file = xpmPipeThrough(fd, XPM_PATH_GUNZIP, "-qc", "r"); } else #endif /* z-files */ Index: libXpm-3.5.12/src/WrFFrI.c =================================================================== --- libXpm-3.5.12.orig/src/WrFFrI.c +++ libXpm-3.5.12/src/WrFFrI.c @@ -336,10 +336,10 @@ OpenWriteFile( #ifndef NO_ZPIPE len = strlen(filename); if (len > 2 && !strcmp(".Z", filename + (len - 2))) { - mdata->stream.file = xpmPipeThrough(fd, "compress", NULL, "w"); - mdata->type = XPMPIPE; + /* No compress program available (any longer?) on Linux */ + mdata->stream.file = NULL; } else if (len > 3 && !strcmp(".gz", filename + (len - 3))) { - mdata->stream.file = xpmPipeThrough(fd, "gzip", "-q", "w"); + mdata->stream.file = xpmPipeThrough(fd, XPM_PATH_GZIP, "-q", "w"); mdata->type = XPMPIPE; } else #endif
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor