Site Navigation

Date:      Thu, 7 Jun 2001 11:52:13 +0800 (KRAST)
From:      eugen@grosbein.pp.ru
To:        FreeBSD-gnats-submit@freebsd.org
Subject:   bin/27922: FreeBSD-SA-01:40
Message-ID:  <200106070352.LAA38904@www.svzserv.kemerovo.su>

---

next in thread | raw e-mail | index | archive | help

---

>Number:         27922
>Category:       bin
>Synopsis:       FreeBSD-SA-01:40
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jun 06 21:00:16 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator:     Eugene Grosbein
>Release:        FreeBSD 3.5-STABLE i386
>Organization:
ISP Svyaz-Service
>Environment:
FreeBSD 3.5-STABLE i386

>Description:

A patch in FreeBSD Security Advisory FreeBSD-SA-01:40 does not apply to
3.5-STABLE. Here is a path from advisory adopted for RELENG_3 at the time of
advisory issue.

>How-To-Repeat:

	Exploit has been posted to security@freebsd.org mailing list.

>Fix:

Here is a patch for 3.5-STABLE build 10 May 2001.
How to apply:

# cd /usr/src/lib/libc/gen
# patch </path/to/ftp.3S.patch
# cd ..
# make depend && make all install
# cd /usr/src/lib/libc_r
# make depend && make all install
# cd /usr/src/bin/chmod
# make depend && make all install
# cd /usr/src/bin/cp
# make depend && make all install
# cd /usr/src/bin/ls
# make depend && make all install
# cd /usr/src/bin/pax
# make depend && make all install
# cd /usr/src/bin/rm
# make depend && make all install
# cd /usr/src/usr.bin/chflags
# make depend && make all install
# cd /usr/src/usr.bin/du
# make depend && make all install
# cd /usr/src/usr.bin/find
# make depend && make all install
# cd /usr/src/libexec/ftpd
# make depend && make all install
# cd /usr/src/usr.sbin/chmod
# make depend && make all install
# cd /usr/src/usr.sbin/ckdist
# make depend && make all install
# cd /usr/src/usr.sbin/ctm
# make depend && make all install
# cd /usr/src/usr.sbin/mtree
# make depend && make all install
# cd /usr/src/usr.sbin/pkg_install
# make depend && make all install

Patch:

--- fts.c.orig	Sat Dec 25 15:29:45 1999
+++ fts.c	Thu Jun  7 11:08:07 2001
@@ -61,7 +61,7 @@
 static int	 fts_palloc __P((FTS *, size_t));
 static FTSENT	*fts_sort __P((FTS *, FTSENT *, int));
 static u_short	 fts_stat __P((FTS *, FTSENT *, int));
-static int	 fts_safe_changedir __P((FTS *, FTSENT *, int));
+static int	 fts_safe_changedir __P((FTS *, FTSENT *, int, char *));
 
 #define	ISDOT(a)	(a[0] == '.' && (!a[1] || (a[1] == '.' && !a[2])))
 
@@ -69,7 +69,6 @@
 #define	ISSET(opt)	(sp->fts_options & (opt))
 #define	SET(opt)	(sp->fts_options |= (opt))
 
-#define	CHDIR(sp, path)	(!ISSET(FTS_NOCHDIR) && chdir(path))
 #define	FCHDIR(sp, fd)	(!ISSET(FTS_NOCHDIR) && fchdir(fd))
 
 /* fts_build flags */
@@ -273,6 +272,7 @@
 fts_read(sp)
 	register FTS *sp;
 {
+	struct stat sb;
 	register FTSENT *p, *tmp;
 	register int instr;
 	register char *t;
@@ -349,7 +349,7 @@
 		 * FTS_STOP or the fts_info field of the node.
 		 */
 		if (sp->fts_child) {
-			if (fts_safe_changedir(sp, p, -1)) {
+			if (fts_safe_changedir(sp, p, -1, p->fts_accpath)) {
 				p->fts_errno = errno;
 				p->fts_flags |= FTS_DONTCHDIR;
 				for (p = sp->fts_child; p; p = p->fts_link)
@@ -446,11 +446,10 @@
 			return (NULL);
 		}
 		(void)close(p->fts_symfd);
-	} else if (!(p->fts_flags & FTS_DONTCHDIR)) {
-		if (CHDIR(sp, "..")) {
-			SET(FTS_STOP);
-			return (NULL);
-		}
+	} else if (!(p->fts_flags & FTS_DONTCHDIR) &&
+ 		   fts_safe_changedir(sp, p->fts_parent, -1, "..")) {
+ 		SET(FTS_STOP);
+ 		return (NULL);
 	}
 	p->fts_info = p->fts_errno ? FTS_ERR : FTS_DP;
 	return (sp->fts_cur = p);
@@ -637,7 +636,7 @@
 	 */
 	cderrno = 0;
 	if (nlinks || type == BREAD) {
-		if (fts_safe_changedir(sp, cur, dirfd(dirp))) {
+		if (fts_safe_changedir(sp, cur, dirfd(dirp), NULL)) {
 			if (nlinks && type == BREAD)
 				cur->fts_errno = errno;
 			cur->fts_flags |= FTS_DONTCHDIR;
@@ -803,7 +802,8 @@
 	 */
 	if (descend && (type == BCHILD || !nitems) &&
 	    (cur->fts_level == FTS_ROOTLEVEL ?
-	    FCHDIR(sp, sp->fts_rfd) : CHDIR(sp, ".."))) {
+	    FCHDIR(sp, sp->fts_rfd) :
+	    fts_safe_changedir(sp, cur->fts_parent, -1, ".."))) {
 		cur->fts_info = FTS_ERR;
 		SET(FTS_STOP);
 		return (NULL);
@@ -1075,10 +1075,11 @@
  * Assumes p->fts_dev and p->fts_ino are filled in.
  */
 static int
-fts_safe_changedir(sp, p, fd)
+fts_safe_changedir(sp, p, fd, path)
 	FTS *sp;
 	FTSENT *p;
 	int fd;
+	char *path;
 {
 	int ret, oerrno, newfd;
 	struct stat sb;
@@ -1086,7 +1087,7 @@
 	newfd = fd;
 	if (ISSET(FTS_NOCHDIR))
 		return (0);
-	if (fd < 0 && (newfd = open(p->fts_accpath, O_RDONLY, 0)) < 0)
+	if (fd < 0 && (newfd = _open(path, O_RDONLY, 0)) < 0)
 		return (-1);
 	if (fstat(newfd, &sb)) {
 		ret = -1;
>Release-Note:
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message

---

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200106070352.LAA38904>

Legal Notices | © 1995-2024 The FreeBSD Project. All rights reserved.

Contact