[krb5-appl] ftpd: add candidate patch to detect setegid/setregid/setresgid and check for errors when calling the

Nalin Dahyabhai nalin at fedoraproject.org
Tue Jul 5 18:20:25 UTC 2011 

commit d8783f223f2efa802de5122c7ee5a5da883eb0dd
Author: Nalin Dahyabhai <nalin at redhat.com>
Date:   Tue Jul 5 14:19:45 2011 -0400

    ftpd: add candidate patch to detect setegid/setregid/setresgid and check
    for errors when calling them (MITKRB5-SA-2011-005, CVE-2011-1526)

 krb5-appl-1.0-pam.patch        |    4 +-
 krb5-appl-1.0.1-2011-005.patch |   58 ++++++++++++++++++++++++++++++++++++++++
 krb5-appl.spec                 |    8 +++++-
 3 files changed, 67 insertions(+), 3 deletions(-)
---
diff --git a/krb5-appl-1.0-pam.patch b/krb5-appl-1.0-pam.patch
index cc38621..2cc2faf 100644
--- a/krb5-appl-1.0-pam.patch
+++ b/krb5-appl-1.0-pam.patch
@@ -1012,8 +1012,8 @@ diff -up krb5-appl-1.0/gssftp/ftpd/ftpd.c.pam krb5-appl-1.0/gssftp/ftpd/ftpd.c
 +	}
 +#endif
  
- 	(void) krb5_setegid((gid_t)pw->pw_gid);
- 	(void) initgroups(pw->pw_name, pw->pw_gid);
+ 	if (krb5_setegid((gid_t)pw->pw_gid) < 0) {
+ 		reply(550, "Can't set egid.");
 @@ -1966,6 +2028,10 @@ dologout(status)
  		krb5_cc_destroy(kcontext, ccache);
  #endif
diff --git a/krb5-appl-1.0.1-2011-005.patch b/krb5-appl-1.0.1-2011-005.patch
new file mode 100644
index 0000000..9c44662
--- /dev/null
+++ b/krb5-appl-1.0.1-2011-005.patch
@@ -0,0 +1,58 @@
+diff --git a/configure.ac b/configure.ac
+index 86e23f1..2fe68ad 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -107,6 +107,7 @@ AC_CHECK_FUNCS(_getpty cgetent getcwd getenv gettosbyname getusershell getutmp)
+ AC_CHECK_FUNCS(getutmpx grantpt inet_aton initgroups isatty killpg killpg)
+ AC_CHECK_FUNCS(line_push ptsname revoke rmufile rresvport_af)
+ AC_CHECK_FUNCS(seteuid setlogin setpgid setpriority setresuid setreuid)
++AC_CHECK_FUNCS(setegid setregid setresgid)
+ AC_CHECK_FUNCS(setutent setutsent setutxent strsave tcgetpgrp tcsetpgrp)
+ AC_CHECK_FUNCS(ttyname unsetenv updwtmp updwtmpx utimes utmpname utmpxname)
+ AC_CHECK_FUNCS(vhangup vsnprintf waitpid)
+diff --git a/gssftp/ftpd/ftpd.c b/gssftp/ftpd/ftpd.c
+index fe62a9c..a150819 100644
+--- a/gssftp/ftpd/ftpd.c
++++ b/gssftp/ftpd/ftpd.c
+@@ -994,9 +994,14 @@ login(passwd, logincode)
+ #endif
+ 	}
+ 
+-	(void) krb5_setegid((gid_t)pw->pw_gid);
+-	(void) initgroups(pw->pw_name, pw->pw_gid);
+-
++	if (krb5_setegid((gid_t)pw->pw_gid) < 0) {
++		reply(550, "Can't set egid.");
++		goto bad;
++	}
++	if (geteuid() == 0 && initgroups(pw->pw_name, pw->pw_gid) < 0) {
++		reply(550, "Can't initgroups");
++		goto bad;
++	}
+ 	/* open wtmp before chroot */
+ 	(void) snprintf(ttyline, sizeof(ttyline), "ftp%ld", (long) getpid());
+ 	pty_logwtmp(ttyline, pw->pw_name, rhost_sane);
+diff --git a/k5-util.h b/k5-util.h
+index 7bb8cfb..64cd53d 100644
+--- a/k5-util.h
++++ b/k5-util.h
+@@ -69,8 +69,7 @@
+ #elif defined(HAVE_SETREUID)
+ #  define krb5_seteuid(EUID)	setreuid(geteuid(), (uid_t)(EUID))
+ #else
+-   /* You need to add a case to deal with this operating system.*/
+-#  define krb5_seteuid(EUID)	(errno = EPERM, -1)
++#  error "You need to add a case to deal with this operating system."
+ #endif
+ 
+ #ifdef HAVE_SETEGID
+@@ -80,8 +79,7 @@
+ #elif defined(HAVE_SETREGID)
+ #  define krb5_setegid(EGID)	(setregid(getegid(), (gid_t)(EGID)))
+ #else
+-   /* You need to add a case to deal with this operating system.*/
+-#  define krb5_setegid(EGID)	(errno = EPERM, -1)
++#  error "You need to add a case to deal with this operating system."
+ #endif
+ 
+ #endif
diff --git a/krb5-appl.spec b/krb5-appl.spec
index c19b9d8..b7d2526 100644
--- a/krb5-appl.spec
+++ b/krb5-appl.spec
@@ -10,7 +10,7 @@
 Summary: Kerberos-aware versions of telnet, ftp, rsh, and rlogin
 Name: krb5-appl
 Version: 1.0.1
-Release: 8%{?dist}
+Release: 9%{?dist}
 # Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5-appl/1.0/krb5-appl-1.0.1-signed.tar
 Source0: krb5-appl-%{version}.tar.gz
@@ -47,6 +47,7 @@ Patch88: krb5-1.7-sizeof.patch
 Patch89: krb5-appl-1.0.1-largefile.patch
 Patch90: krb5-appl-1.0.1-nmax-is-ut_namesize.patch
 Patch91: krb5-appl-trunk-ftpusers.patch
+Patch92: krb5-appl-1.0.1-2011-005.patch
 
 License: MIT
 URL: http://web.mit.edu/kerberos/www/
@@ -89,6 +90,7 @@ in most environments, they remain in use in others.
 %setup -q
 ln -s NOTICE LICENSE
 
+%patch92 -p1 -b .2011-005
 %patch160 -p1 -b .pam
 %patch161 -p1 -b .manpaths
 %patch3  -p3 -b .netkit-rsh
@@ -255,6 +257,10 @@ exit 0
 %{krb5prefix}/man/man8/telnetd.8*
 
 %changelog
+* Tue Jul  5 2011 Nalin Dahyabhai <nalin at redhat.com> - 1.0.1-9
+- ftpd: add candidate patch to detect setegid/setregid/setresgid and check
+  for errors when calling them (MITKRB5-SA-2011-005, CVE-2011-1526, #713341)
+
 * Wed Jun 15 2011 Nalin Dahyabhai <nalin at redhat.com> - 1.0.1-8
 - drop pam_selinux from the gssftp PAM configuration (#713459)
 - switch the PAM configurations from including system-auth to including

More information about the scm-commits mailing list