Check return values from setuid, prompted by MIT
advisory. Thanks to Tom Yu at MIT, and Michael Calmer and Marcus Meissner at SUSE. Either of CVE-2006-3083 or CVE-2006-3084. git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@17878 ec53bebd-3082-4978-b11e-865c3cabbd6b
This commit is contained in:
Love Hörnquist Åstrand
@@ -119,13 +119,15 @@ main(int argc, char **argv)
|
|||||||
|
|
||||||
if (fflag) { /* Follow "protocol", send data. */
|
if (fflag) { /* Follow "protocol", send data. */
|
||||||
response();
|
response();
|
||||||
setuid(userid);
|
if (setuid(userid) < 0)
|
||||||
|
errx(1, "setuid failed");
|
||||||
source(argc, argv);
|
source(argc, argv);
|
||||||
exit(errs);
|
exit(errs);
|
||||||
}
|
}
|
||||||
|
|
||||||
if (tflag) { /* Receive data. */
|
if (tflag) { /* Receive data. */
|
||||||
setuid(userid);
|
if (setuid(userid) < 0)
|
||||||
|
errx(1, "setuid failed");
|
||||||
sink(argc, argv);
|
sink(argc, argv);
|
||||||
exit(errs);
|
exit(errs);
|
||||||
}
|
}
|
||||||
@@ -221,7 +223,8 @@ toremote(char *targ, int argc, char **argv)
|
|||||||
if (response() < 0)
|
if (response() < 0)
|
||||||
exit(1);
|
exit(1);
|
||||||
free(bp);
|
free(bp);
|
||||||
setuid(userid);
|
if (setuid(userid) < 0)
|
||||||
|
errx(1, "setuid failed");
|
||||||
}
|
}
|
||||||
source(1, argv+i);
|
source(1, argv+i);
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -112,7 +112,8 @@ susystem(s, userid)
|
|||||||
return (127);
|
return (127);
|
||||||
|
|
||||||
case 0:
|
case 0:
|
||||||
(void)setuid(userid);
|
if (setuid(userid) < 0)
|
||||||
|
_exit(127);
|
||||||
execl(_PATH_BSHELL, "sh", "-c", s, NULL);
|
execl(_PATH_BSHELL, "sh", "-c", s, NULL);
|
||||||
_exit(127);
|
_exit(127);
|
||||||
}
|
}
|
||||||
|
|||||||
Reference in New Issue
Block a user