Date: Fri, 23 Dec 2011 15:00:39 +0000 (UTC) From: Colin Percival <cperciva@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-8@freebsd.org Subject: svn commit: r228843 - head/contrib/telnet/libtelnet head/crypto/heimdal/appl/telnet/libtelnet head/include head/lib/libc/gen head/lib/libc/iconv head/lib/libc/include head/lib/libc/net head/libexec... Message-ID: <201112231500.pBNF0dkC071797@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: cperciva Date: Fri Dec 23 15:00:37 2011 New Revision: 228843 URL: http://svn.freebsd.org/changeset/base/228843 Log: Fix a problem whereby a corrupt DNS record can cause named to crash. [11:06] Add an API for alerting internal libc routines to the presence of "unsafe" paths post-chroot, and use it in ftpd. [11:07] Fix a buffer overflow in telnetd. [11:08] Make pam_ssh ignore unpassphrased keys unless the "nullok" option is specified. [11:09] Add sanity checking of service names in pam_start. [11:10] Approved by: so (cperciva) Approved by: re (bz) Security: FreeBSD-SA-11:06.bind Security: FreeBSD-SA-11:07.chroot Security: FreeBSD-SA-11:08.telnetd Security: FreeBSD-SA-11:09.pam_ssh Security: FreeBSD-SA-11:10.pam Added: stable/8/lib/libc/gen/libc_dlopen.c (contents, props changed) Modified: stable/8/contrib/telnet/libtelnet/encrypt.c stable/8/crypto/heimdal/appl/telnet/libtelnet/encrypt.c stable/8/include/unistd.h stable/8/lib/libc/Versions.def stable/8/lib/libc/gen/Makefile.inc stable/8/lib/libc/gen/Symbol.map stable/8/lib/libc/include/libc_private.h stable/8/lib/libc/net/nsdispatch.c stable/8/libexec/ftpd/ftpd.c stable/8/libexec/ftpd/popen.c Changes in other areas also in this revision: Added: head/lib/libc/gen/libc_dlopen.c (contents, props changed) releng/7.3/lib/libc/gen/libc_dlopen.c (contents, props changed) releng/7.4/lib/libc/gen/libc_dlopen.c (contents, props changed) releng/8.1/lib/libc/gen/libc_dlopen.c (contents, props changed) releng/8.2/lib/libc/gen/libc_dlopen.c (contents, props changed) releng/9.0/lib/libc/gen/libc_dlopen.c (contents, props changed) stable/7/lib/libc/gen/libc_dlopen.c (contents, props changed) stable/9/lib/libc/gen/libc_dlopen.c (contents, props changed) Modified: head/contrib/telnet/libtelnet/encrypt.c head/crypto/heimdal/appl/telnet/libtelnet/encrypt.c head/include/unistd.h head/lib/libc/gen/Makefile.inc head/lib/libc/gen/Symbol.map head/lib/libc/iconv/citrus_module.c head/lib/libc/include/libc_private.h head/lib/libc/net/nsdispatch.c head/libexec/ftpd/ftpd.c head/libexec/ftpd/popen.c releng/7.3/UPDATING releng/7.3/contrib/bind9/bin/named/query.c releng/7.3/contrib/bind9/lib/dns/rbtdb.c releng/7.3/contrib/openpam/lib/openpam_configure.c releng/7.3/contrib/telnet/libtelnet/encrypt.c releng/7.3/crypto/heimdal/appl/telnet/libtelnet/encrypt.c releng/7.3/include/unistd.h releng/7.3/lib/libc/Versions.def releng/7.3/lib/libc/gen/Makefile.inc releng/7.3/lib/libc/gen/Symbol.map releng/7.3/lib/libc/include/libc_private.h releng/7.3/lib/libc/net/nsdispatch.c releng/7.3/lib/libpam/modules/pam_ssh/pam_ssh.c releng/7.3/libexec/ftpd/ftpd.c releng/7.3/libexec/ftpd/popen.c releng/7.3/sys/conf/newvers.sh releng/7.4/UPDATING releng/7.4/contrib/bind9/bin/named/query.c releng/7.4/contrib/bind9/lib/dns/rbtdb.c releng/7.4/contrib/openpam/lib/openpam_configure.c releng/7.4/contrib/telnet/libtelnet/encrypt.c releng/7.4/crypto/heimdal/appl/telnet/libtelnet/encrypt.c releng/7.4/include/unistd.h releng/7.4/lib/libc/Versions.def releng/7.4/lib/libc/gen/Makefile.inc releng/7.4/lib/libc/gen/Symbol.map releng/7.4/lib/libc/include/libc_private.h releng/7.4/lib/libc/net/nsdispatch.c releng/7.4/lib/libpam/modules/pam_ssh/pam_ssh.c releng/7.4/libexec/ftpd/ftpd.c releng/7.4/libexec/ftpd/popen.c releng/7.4/sys/conf/newvers.sh releng/8.1/UPDATING releng/8.1/contrib/bind9/bin/named/query.c releng/8.1/contrib/bind9/lib/dns/rbtdb.c releng/8.1/contrib/openpam/lib/openpam_configure.c releng/8.1/contrib/telnet/libtelnet/encrypt.c releng/8.1/crypto/heimdal/appl/telnet/libtelnet/encrypt.c releng/8.1/include/unistd.h releng/8.1/lib/libc/Versions.def releng/8.1/lib/libc/gen/Makefile.inc releng/8.1/lib/libc/gen/Symbol.map releng/8.1/lib/libc/include/libc_private.h releng/8.1/lib/libc/net/nsdispatch.c releng/8.1/lib/libpam/modules/pam_ssh/pam_ssh.c releng/8.1/libexec/ftpd/ftpd.c releng/8.1/libexec/ftpd/popen.c releng/8.1/sys/conf/newvers.sh releng/8.2/UPDATING releng/8.2/contrib/bind9/bin/named/query.c releng/8.2/contrib/bind9/lib/dns/rbtdb.c releng/8.2/contrib/openpam/lib/openpam_configure.c releng/8.2/contrib/telnet/libtelnet/encrypt.c releng/8.2/crypto/heimdal/appl/telnet/libtelnet/encrypt.c releng/8.2/include/unistd.h releng/8.2/lib/libc/Versions.def releng/8.2/lib/libc/gen/Makefile.inc releng/8.2/lib/libc/gen/Symbol.map releng/8.2/lib/libc/include/libc_private.h releng/8.2/lib/libc/net/nsdispatch.c releng/8.2/lib/libpam/modules/pam_ssh/pam_ssh.c releng/8.2/libexec/ftpd/ftpd.c releng/8.2/libexec/ftpd/popen.c releng/8.2/sys/conf/newvers.sh releng/9.0/contrib/telnet/libtelnet/encrypt.c releng/9.0/crypto/heimdal/appl/telnet/libtelnet/encrypt.c releng/9.0/include/unistd.h releng/9.0/lib/libc/Versions.def releng/9.0/lib/libc/gen/Makefile.inc releng/9.0/lib/libc/gen/Symbol.map releng/9.0/lib/libc/iconv/citrus_module.c releng/9.0/lib/libc/include/libc_private.h releng/9.0/lib/libc/net/nsdispatch.c releng/9.0/libexec/ftpd/ftpd.c releng/9.0/libexec/ftpd/popen.c stable/7/contrib/telnet/libtelnet/encrypt.c stable/7/crypto/heimdal/appl/telnet/libtelnet/encrypt.c stable/7/include/unistd.h stable/7/lib/libc/Versions.def stable/7/lib/libc/gen/Makefile.inc stable/7/lib/libc/gen/Symbol.map stable/7/lib/libc/include/libc_private.h stable/7/lib/libc/net/nsdispatch.c stable/7/libexec/ftpd/ftpd.c stable/7/libexec/ftpd/popen.c stable/9/contrib/telnet/libtelnet/encrypt.c stable/9/crypto/heimdal/appl/telnet/libtelnet/encrypt.c stable/9/include/unistd.h stable/9/lib/libc/Versions.def stable/9/lib/libc/gen/Makefile.inc stable/9/lib/libc/gen/Symbol.map stable/9/lib/libc/iconv/citrus_module.c stable/9/lib/libc/include/libc_private.h stable/9/lib/libc/net/nsdispatch.c stable/9/libexec/ftpd/ftpd.c stable/9/libexec/ftpd/popen.c Modified: stable/8/contrib/telnet/libtelnet/encrypt.c ============================================================================== --- stable/8/contrib/telnet/libtelnet/encrypt.c Fri Dec 23 14:39:30 2011 (r228842) +++ stable/8/contrib/telnet/libtelnet/encrypt.c Fri Dec 23 15:00:37 2011 (r228843) @@ -721,6 +721,9 @@ encrypt_keyid(struct key_info *kp, unsig int dir = kp->dir; int ret = 0; + if (len > MAXKEYLEN) + len = MAXKEYLEN; + if (!(ep = (*kp->getcrypt)(*kp->modep))) { if (len == 0) return; Modified: stable/8/crypto/heimdal/appl/telnet/libtelnet/encrypt.c ============================================================================== --- stable/8/crypto/heimdal/appl/telnet/libtelnet/encrypt.c Fri Dec 23 14:39:30 2011 (r228842) +++ stable/8/crypto/heimdal/appl/telnet/libtelnet/encrypt.c Fri Dec 23 15:00:37 2011 (r228843) @@ -736,6 +736,9 @@ encrypt_keyid(struct key_info *kp, unsig int dir = kp->dir; int ret = 0; + if (len > MAXKEYLEN) + len = MAXKEYLEN; + if (!(ep = (*kp->getcrypt)(*kp->modep))) { if (len == 0) return; Modified: stable/8/include/unistd.h ============================================================================== --- stable/8/include/unistd.h Fri Dec 23 14:39:30 2011 (r228842) +++ stable/8/include/unistd.h Fri Dec 23 15:00:37 2011 (r228843) @@ -513,6 +513,7 @@ int initgroups(const char *, gid_t); int iruserok(unsigned long, int, const char *, const char *); int iruserok_sa(const void *, int, int, const char *, const char *); int issetugid(void); +void __FreeBSD_libc_enter_restricted_mode(void); long lpathconf(const char *, int); #ifndef _MKDTEMP_DECLARED char *mkdtemp(char *); Modified: stable/8/lib/libc/Versions.def ============================================================================== --- stable/8/lib/libc/Versions.def Fri Dec 23 14:39:30 2011 (r228842) +++ stable/8/lib/libc/Versions.def Fri Dec 23 15:00:37 2011 (r228843) @@ -19,6 +19,10 @@ FBSD_1.1 { FBSD_1.2 { } FBSD_1.1; +# This version was first added to 10.0-current. +FBSD_1.3 { +} FBSD_1.2; + # This is our private namespace. Any global interfaces that are # strictly for use only by other FreeBSD applications and libraries # are listed here. We use a separate namespace so we can write @@ -26,4 +30,4 @@ FBSD_1.2 { # # Please do NOT increment the version of this namespace. FBSDprivate_1.0 { -} FBSD_1.2; +} FBSD_1.3; Modified: stable/8/lib/libc/gen/Makefile.inc ============================================================================== --- stable/8/lib/libc/gen/Makefile.inc Fri Dec 23 14:39:30 2011 (r228842) +++ stable/8/lib/libc/gen/Makefile.inc Fri Dec 23 15:00:37 2011 (r228843) @@ -20,6 +20,7 @@ SRCS+= __getosreldate.c __xuname.c \ getpeereid.c getprogname.c getpwent.c getttyent.c \ getusershell.c getvfsbyname.c glob.c \ initgroups.c isatty.c isinf.c isnan.c jrand48.c lcong48.c \ + libc_dlopen.c \ lockf.c lrand48.c mrand48.c nftw.c nice.c \ nlist.c nrand48.c opendir.c \ pause.c pmadvise.c popen.c posix_spawn.c \ Modified: stable/8/lib/libc/gen/Symbol.map ============================================================================== --- stable/8/lib/libc/gen/Symbol.map Fri Dec 23 14:39:30 2011 (r228842) +++ stable/8/lib/libc/gen/Symbol.map Fri Dec 23 15:00:37 2011 (r228843) @@ -369,6 +369,10 @@ FBSD_1.2 { getpagesizes; }; +FBSD_1.3 { + __FreeBSD_libc_enter_restricted_mode; +}; + FBSDprivate_1.0 { /* needed by thread libraries */ __thr_jtable; Added: stable/8/lib/libc/gen/libc_dlopen.c ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ stable/8/lib/libc/gen/libc_dlopen.c Fri Dec 23 15:00:37 2011 (r228843) @@ -0,0 +1,61 @@ +/*- + * Copyright (c) 2011 Xin Li <delphij@FreeBSD.org> + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $FreeBSD$ + */ + +#include <sys/cdefs.h> +__FBSDID("$FreeBSD$"); + +#include <dlfcn.h> +#include <stddef.h> +#include <unistd.h> + +#include "libc_private.h" + +/* + * Whether we want to restrict dlopen()s. + */ +static int __libc_restricted_mode = 0; + +void * +libc_dlopen(const char *path, int mode) +{ + + if (__libc_restricted_mode) { + _rtld_error("Service unavailable -- libc in restricted mode"); + return (NULL); + } else + return (dlopen(path, mode)); +} + +void +__FreeBSD_libc_enter_restricted_mode(void) +{ + + __libc_restricted_mode = 1; + return; +} + Modified: stable/8/lib/libc/include/libc_private.h ============================================================================== --- stable/8/lib/libc/include/libc_private.h Fri Dec 23 14:39:30 2011 (r228842) +++ stable/8/lib/libc/include/libc_private.h Fri Dec 23 15:00:37 2011 (r228843) @@ -44,6 +44,17 @@ extern int __isthreaded; /* + * libc should use libc_dlopen internally, which respects a global + * flag where loading of new shared objects can be restricted. + */ +void *libc_dlopen(const char *, int); + +/* + * For dynamic linker. + */ +void _rtld_error(const char *fmt, ...); + +/* * File lock contention is difficult to diagnose without knowing * where locks were set. Allow a debug library to be built which * records the source file and line number of each lock call. Modified: stable/8/lib/libc/net/nsdispatch.c ============================================================================== --- stable/8/lib/libc/net/nsdispatch.c Fri Dec 23 14:39:30 2011 (r228842) +++ stable/8/lib/libc/net/nsdispatch.c Fri Dec 23 15:00:37 2011 (r228843) @@ -384,7 +384,7 @@ nss_configure(void) confmod = statbuf.st_mtime; #ifdef NS_CACHING - handle = dlopen(NULL, RTLD_LAZY | RTLD_GLOBAL); + handle = libc_dlopen(NULL, RTLD_LAZY | RTLD_GLOBAL); if (handle != NULL) { nss_cache_cycle_prevention_func = dlsym(handle, "_nss_cache_cycle_prevention_function"); @@ -497,7 +497,7 @@ nss_load_module(const char *source, nss_ if (snprintf(buf, sizeof(buf), "nss_%s.so.%d", mod.name, NSS_MODULE_INTERFACE_VERSION) >= (int)sizeof(buf)) goto fin; - mod.handle = dlopen(buf, RTLD_LOCAL|RTLD_LAZY); + mod.handle = libc_dlopen(buf, RTLD_LOCAL|RTLD_LAZY); if (mod.handle == NULL) { #ifdef _NSS_DEBUG /* This gets pretty annoying since the built-in Modified: stable/8/libexec/ftpd/ftpd.c ============================================================================== --- stable/8/libexec/ftpd/ftpd.c Fri Dec 23 14:39:30 2011 (r228842) +++ stable/8/libexec/ftpd/ftpd.c Fri Dec 23 15:00:37 2011 (r228843) @@ -1543,6 +1543,7 @@ skip: reply(550, "Can't change root."); goto bad; } + __FreeBSD_libc_enter_restricted_mode(); } else /* real user w/o chroot */ homedir = pw->pw_dir; /* Modified: stable/8/libexec/ftpd/popen.c ============================================================================== --- stable/8/libexec/ftpd/popen.c Fri Dec 23 14:39:30 2011 (r228842) +++ stable/8/libexec/ftpd/popen.c Fri Dec 23 15:00:37 2011 (r228843) @@ -143,6 +143,9 @@ ftpd_popen(char *program, char *type) } (void)close(pdes[1]); } + /* Drop privileges before proceeding */ + if (getuid() != geteuid() && setuid(geteuid()) < 0) + _exit(1); if (strcmp(gargv[0], _PATH_LS) == 0) { /* Reset getopt for ls_main() */ optreset = optind = optopt = 1;
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201112231500.pBNF0dkC071797>