[systemd/f15] CVE-2012-1174 (#803358)
Michal Schmidt
michich at fedoraproject.org
Fri Mar 16 17:46:19 UTC 2012
commit 356933198d8a863a95ab2bb73cef39c57ef929dc
Author: Michal Schmidt <mschmidt at redhat.com>
Date: Fri Mar 16 18:44:58 2012 +0100
CVE-2012-1174 (#803358)
...l-never-follow-symlinks-in-rm_rf_children.patch | 30 ++++++++++++++++++++
systemd.spec | 6 +++-
2 files changed, 35 insertions(+), 1 deletions(-)
---
diff --git a/0161-util-never-follow-symlinks-in-rm_rf_children.patch b/0161-util-never-follow-symlinks-in-rm_rf_children.patch
new file mode 100644
index 0000000..2c9adf3
--- /dev/null
+++ b/0161-util-never-follow-symlinks-in-rm_rf_children.patch
@@ -0,0 +1,30 @@
+From 90eb06e8c7da2c10eeccc4915bca577304785664 Mon Sep 17 00:00:00 2001
+From: Michal Schmidt <mschmidt at redhat.com>
+Date: Fri, 2 Mar 2012 10:39:10 +0100
+Subject: [PATCH] util: never follow symlinks in rm_rf_children()
+
+The function checks if the entry is a directory before recursing, but
+there is a window between the check and the open, during which the
+directory could be replaced with a symlink.
+
+CVE-2012-1174
+https://bugzilla.redhat.com/show_bug.cgi?id=803358
+(cherry picked from commit 5ebff5337594d690b322078c512eb222d34aaa82)
+---
+ src/util.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+diff --git a/src/util.c b/src/util.c
+index a488289..6a2c61f 100644
+--- a/src/util.c
++++ b/src/util.c
+@@ -3483,7 +3483,8 @@ static int rm_rf_children(int fd, bool only_dirs, bool honour_sticky) {
+ if (is_dir) {
+ int subdir_fd;
+
+- if ((subdir_fd = openat(fd, de->d_name, O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC)) < 0) {
++ subdir_fd = openat(fd, de->d_name, O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC|O_NOFOLLOW);
++ if (subdir_fd < 0) {
+ if (ret == 0 && errno != ENOENT)
+ ret = -errno;
+ continue;
diff --git a/systemd.spec b/systemd.spec
index 936dd7d..b5affa0 100644
--- a/systemd.spec
+++ b/systemd.spec
@@ -2,7 +2,7 @@ Name: systemd
Url: http://www.freedesktop.org/wiki/Software/systemd
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Version: 26
-Release: 17%{?dist}
+Release: 18%{?dist}
License: GPLv2+
Group: System Environment/Base
Summary: A System and Service Manager
@@ -132,6 +132,7 @@ Patch89: 0004-man-document-the-PassCred-option.patch
Patch90: 0001-socket-rename-the-PassCred-option-to-PassCredentials.patch
Patch91: util-add-parse_uid.patch
Patch92: 0001-shutdown-exclude-processes-with-argv-0-0-from-killin.patch
+Patch93: 0161-util-never-follow-symlinks-in-rm_rf_children.patch
Patch100: fedora-storage-detect-encrypted-PVs.patch
@@ -395,6 +396,9 @@ fi
%{_bindir}/systemd-sysv-convert
%changelog
+* Fri Mar 16 2012 Michal Schmidt <mschmidt at redhat.com> - 26-18
+- CVE-2012-1174 (#803358)
+
* Mon Feb 27 2012 Michal Schmidt <mschmidt at redhat.com> - 26-17
- Backport the detection of root storage daemons.
http://www.freedesktop.org/wiki/Software/systemd/RootStorageDaemons
More information about the scm-commits
mailing list