rpms/mod_auth_shadow/devel mod_auth_shadow-2.2-CVE-2010-1151.patch, NONE, 1.1 mod_auth_shadow.spec, 1.7, 1.8

Fri Apr 9 12:37:32 UTC 2010

Author: jreznik

Update of /cvs/pkgs/rpms/mod_auth_shadow/devel
In directory cvs01.phx2.fedoraproject.org:/tmp/cvs-serv25988

Modified Files:
	mod_auth_shadow.spec 
Added Files:
	mod_auth_shadow-2.2-CVE-2010-1151.patch 
Log Message:
* Fri Apr 09 2010 Jaroslav Reznik <jreznik at redhat.com> - 2.2-8
- CVE-2010-1151: bad wait(2) call causes randomized authorization (#578168)


mod_auth_shadow-2.2-CVE-2010-1151.patch:
 mod_auth_shadow.c |   15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

--- NEW FILE mod_auth_shadow-2.2-CVE-2010-1151.patch ---
diff -up mod_auth_shadow-2.2/mod_auth_shadow.c.CVE-2010-1151 mod_auth_shadow-2.2/mod_auth_shadow.c
--- mod_auth_shadow-2.2/mod_auth_shadow.c.CVE-2010-1151	2007-04-02 17:38:27.000000000 +0200
+++ mod_auth_shadow-2.2/mod_auth_shadow.c	2010-04-09 14:26:05.949633122 +0200
@@ -144,6 +144,7 @@ static int auth_shadow_authorize(const c
     int filedes[2];  /* fd's for pipe.  Read from 0, write to 1*/
     char validate_prog[255];
     int ret, status;
+    int cpid;
     FILE* fp;
 
     if (strlen(INSTBINDIR) > 240) {
@@ -192,6 +193,9 @@ static int auth_shadow_authorize(const c
 
     /* Parent */
 
+    /* Save child pid - we must only accept answers from it */
+    cpid = ret;
+
     /* We write to the pipe, then wait for the child to finish. */
     fp = fdopen(filedes[1],"w");
     if (!fp) {
@@ -209,12 +213,17 @@ static int auth_shadow_authorize(const c
         return(-1);
     }
 
-    ret = wait(&status);
-    if (ret==0 || ret==-1) {
+    ret = waitpid(cpid, &status, 0);
+    if (ret==-1) {
         ap_log_error(APLOG_MARK, APLOG_EMERG, errno, r->server,
         "%s: Error while waiting for child: %d.",module_name, errno);
         return(-1);
     }
+    if (ret==0 || ret!=cpid) {
+        ap_log_error(APLOG_MARK, APLOG_EMERG, errno, r->server,
+        "%s: Failure waiting for child (none or wrong child returned): %d.",module_name, ret);
+        return(-1);
+    }
 
     if (status==0)
         return 1;  /* Correct pw */
@@ -307,7 +316,7 @@ static int user_in_group (char *user, co
     }
 
     ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, NULL,
-       "%s: Looking in group file for %d: got user: %s", module_name, 
+       "%s: Looking in group file for %s: got user: %s", module_name, 
 		groupname, user);
 
     // Get group information from group file using re-entrant


Index: mod_auth_shadow.spec
===================================================================
RCS file: /cvs/pkgs/rpms/mod_auth_shadow/devel/mod_auth_shadow.spec,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -p -r1.7 -r1.8
--- mod_auth_shadow.spec	25 Jul 2009 14:43:31 -0000	1.7
+++ mod_auth_shadow.spec	9 Apr 2010 12:37:32 -0000	1.8
@@ -1,8 +1,9 @@
 Name:		mod_auth_shadow
 Version:	2.2
-Release:	7%{?dist}
+Release:	8%{?dist}
 Source:		http://downloads.sourceforge.net/mod-auth-shadow/%{name}-%{version}.tar.gz
 Source1:	mod_auth_shadow.conf
+Patch0:		mod_auth_shadow-2.2-CVE-2010-1151.patch
 URL:		http://mod-auth-shadow.sourceforge.net
 License:	GPLv2+
 Group:		System Environment/Daemons
@@ -29,6 +30,8 @@ sed -i 's#/usr/local#/usr#' makefile
 sed -i 's/chown/#chown/' makefile
 sed -i 's/chmod/#chmod/' makefile
 
+%patch0 -p1 -b .CVE-2010-1151
+
 %build
 gcc -o validate validate.c -lcrypt
 make %{?_smp_mflags} all
@@ -53,6 +56,9 @@ rm -rf $RPM_BUILD_ROOT
 %doc CHANGES INSTALL README COPYING
 
 %changelog
+* Fri Apr 09 2010 Jaroslav Reznik <jreznik at redhat.com> - 2.2-8
+- CVE-2010-1151: bad wait(2) call causes randomized authorization (#578168)
+
 * Sat Jul 25 2009 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 2.2-7
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
 

