Date: Thu, 7 Jun 2001 11:52:13 +0800 (KRAST) From: eugen@grosbein.pp.ru To: FreeBSD-gnats-submit@freebsd.org Subject: bin/27922: FreeBSD-SA-01:40 Message-ID: <200106070352.LAA38904@www.svzserv.kemerovo.su>
>Number: 27922 >Category: bin >Synopsis: FreeBSD-SA-01:40 >Confidential: no >Severity: serious >Priority: medium >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: change-request >Submitter-Id: current-users >Arrival-Date: Wed Jun 06 21:00:16 PDT 2001 >Closed-Date: >Last-Modified: >Originator: Eugene Grosbein >Release: FreeBSD 3.5-STABLE i386 >Organization: ISP Svyaz-Service >Environment: FreeBSD 3.5-STABLE i386 >Description: A patch in FreeBSD Security Advisory FreeBSD-SA-01:40 does not apply to 3.5-STABLE. Here is a path from advisory adopted for RELENG_3 at the time of advisory issue. >How-To-Repeat: Exploit has been posted to security@freebsd.org mailing list. >Fix: Here is a patch for 3.5-STABLE build 10 May 2001. How to apply: # cd /usr/src/lib/libc/gen # patch </path/to/ftp.3S.patch # cd .. # make depend && make all install # cd /usr/src/lib/libc_r # make depend && make all install # cd /usr/src/bin/chmod # make depend && make all install # cd /usr/src/bin/cp # make depend && make all install # cd /usr/src/bin/ls # make depend && make all install # cd /usr/src/bin/pax # make depend && make all install # cd /usr/src/bin/rm # make depend && make all install # cd /usr/src/usr.bin/chflags # make depend && make all install # cd /usr/src/usr.bin/du # make depend && make all install # cd /usr/src/usr.bin/find # make depend && make all install # cd /usr/src/libexec/ftpd # make depend && make all install # cd /usr/src/usr.sbin/chmod # make depend && make all install # cd /usr/src/usr.sbin/ckdist # make depend && make all install # cd /usr/src/usr.sbin/ctm # make depend && make all install # cd /usr/src/usr.sbin/mtree # make depend && make all install # cd /usr/src/usr.sbin/pkg_install # make depend && make all install Patch: --- fts.c.orig Sat Dec 25 15:29:45 1999 +++ fts.c Thu Jun 7 11:08:07 2001 
@@ -61,7 +61,7 @@
 static int fts_palloc __P((FTS *, size_t));
 static FTSENT *fts_sort __P((FTS *, FTSENT *, int));
 static u_short fts_stat __P((FTS *, FTSENT *, int));
-static int fts_safe_changedir __P((FTS *, FTSENT *, int));
+static int fts_safe_changedir __P((FTS *, FTSENT *, int, char *));
 #define ISDOT(a) (a[0] == '.' && (!a[1] || (a[1] == '.' && !a[2])))
@@ -69,7 +69,6 @@
 #define ISSET(opt) (sp->fts_options & (opt))
 #define SET(opt) (sp->fts_options |= (opt))
-#define CHDIR(sp, path) (!ISSET(FTS_NOCHDIR) && chdir(path))
 #define FCHDIR(sp, fd) (!ISSET(FTS_NOCHDIR) && fchdir(fd))
 /* fts_build flags */
@@ -273,6 +272,7 @@
 fts_read(sp)
 register FTS *sp;
 {
+ struct stat sb;
 register FTSENT *p, *tmp;
 register int instr;
 register char *t;
@@ -349,7 +349,7 @@
 * FTS_STOP or the fts_info field of the node.
 */
 if (sp->fts_child) {
- if (fts_safe_changedir(sp, p, -1)) {
+ if (fts_safe_changedir(sp, p, -1, p->fts_accpath)) {
 p->fts_errno = errno;
 p->fts_flags |= FTS_DONTCHDIR;
 for (p = sp->fts_child; p; p = p->fts_link)
@@ -446,11 +446,10 @@
 return (NULL);
 }
 (void)close(p->fts_symfd);
- } else if (!(p->fts_flags & FTS_DONTCHDIR)) {
- if (CHDIR(sp, "..")) {
- SET(FTS_STOP);
- return (NULL);
- }
+ } else if (!(p->fts_flags & FTS_DONTCHDIR) &&
+ fts_safe_changedir(sp, p->fts_parent, -1, "..")) {
+ SET(FTS_STOP);
+ return (NULL);
 }
 p->fts_info = p->fts_errno ? FTS_ERR : FTS_DP;
 return (sp->fts_cur = p);
@@ -637,7 +636,7 @@
 */
 cderrno = 0;
 if (nlinks || type == BREAD) {
- if (fts_safe_changedir(sp, cur, dirfd(dirp))) {
+ if (fts_safe_changedir(sp, cur, dirfd(dirp), NULL)) {
 if (nlinks && type == BREAD)
 cur->fts_errno = errno;
 cur->fts_flags |= FTS_DONTCHDIR;
@@ -803,7 +802,8 @@
 */
 if (descend && (type == BCHILD || !nitems) &&
 (cur->fts_level == FTS_ROOTLEVEL ?
- FCHDIR(sp, sp->fts_rfd) : CHDIR(sp, ".."))) {
+ FCHDIR(sp, sp->fts_rfd) :
+ fts_safe_changedir(sp, cur->fts_parent, -1, ".."))) {
 cur->fts_info = FTS_ERR;
 SET(FTS_STOP);
 return (NULL);
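Review bot: The added local `struct stat sb;` in fts_read is not used by any hunk on this page; the two fts_read call sites only pass an extra argument to fts_safe_changedir, which declares its own `struct stat sb`. Unless code outside these hunks reads it, drop the declaration so the build stays free of an unused-variable warning and the reader is not led to think fts_read performs the identity check itself. fts_read's body starts and continues outside the hunk.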
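Review bot: The ascent check `fts_safe_changedir(sp, p->fts_parent, -1, "..")` in the @@ -446 hunk is only as good as the `fts_dev`/`fts_ino` stored in `p->fts_parent`, which the helper's header comment lists as an assumption and this call site does not establish. The branches that precede this `else if` are outside the hunk, so confirm it cannot be reached with a parent node that was never stat'ed; otherwise a legitimate walk would presumably fail the comparison and stop with FTS_STOP. A short comment would record the intent, for example `/* ".." must still be the directory recorded in fts_parent; stop rather than follow a relocated tree. */`. The same reasoning applies to the `".."` call in the @@ -803 hunk.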
@@ -1075,10 +1075,11 @@
 * Assumes p->fts_dev and p->fts_ino are filled in.
 */
 static int
-fts_safe_changedir(sp, p, fd)
+fts_safe_changedir(sp, p, fd, path)
 FTS *sp;
 FTSENT *p;
 int fd;
+ char *path;
 {
 int ret, oerrno, newfd;
 struct stat sb;
@@ -1086,7 +1087,7 @@
 newfd = fd;
 if (ISSET(FTS_NOCHDIR))
 return (0);
- if (fd < 0 && (newfd = open(p->fts_accpath, O_RDONLY, 0)) < 0)
+ if (fd < 0 && (newfd = _open(path, O_RDONLY, 0)) < 0)
 return (-1);
 if (fstat(newfd, &sb)) {
 ret = -1;
>Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
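Review bot: The header comment above fts_safe_changedir still documents only the `fts_dev`/`fts_ino` assumption and says nothing about the new `path` argument. It should state that `path` is opened only when `fd < 0`, that it may be NULL when a descriptor is supplied (as in the `dirfd(dirp), NULL` call), and that for `".."` the node passed as `p` has to be the parent being returned to. One line would do: `* path is used only if fd < 0; it names the directory expected to match p.` The function body continues outside the hunk.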
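Review bot: Switching to `_open(path, O_RDONLY, 0)` in the @@ -1086 hunk while the following context line still calls plain `fstat` leaves the helper half-converted, and no hunk on this page adds a declaration for `_open`; confirm the symbol is declared and resolves in both libc and libc_r on this branch, since the instructions rebuild both. Opening with O_RDONLY also needs read permission on the directory, whereas the `chdir("..")` replaced at the two ascent call sites needed only search permission, so climbing into an execute-only parent now ends the walk with FTS_STOP. If that trade-off is intended, say so in the comment above the function. The rest of the body is outside the hunk.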