Date: Fri, 14 Dec 2001 00:00:10 -0800 (PST)
Message-Id: <200112140800.fBE80AR83309@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
From: Ruslan Ermilov
Subject: Re: bin/32791: FreeBSD's man(1) utility vulnerable to old catman attacks
Reply-To: Ruslan Ermilov
Sender: owner-freebsd-bugs@FreeBSD.ORG

The following reply was made to PR bin/32791; it has been noted by GNATS.

From: Ruslan Ermilov
To: "Andrey A. Chernov"
Cc: "Tim J. Robbins", security@FreeBSD.ORG, bug-followup@FreeBSD.ORG
Subject: Re: bin/32791: FreeBSD's man(1) utility vulnerable to old catman attacks
Date: Fri, 14 Dec 2001 09:56:19 +0200

On Thu, Dec 13, 2001 at 07:07:13PM +0300, Andrey A. Chernov wrote:
> On Thu, Dec 13, 2001 at 15:38:04 +0200, Ruslan Ermilov wrote:
>
> > The below patch doesn't allow man(1) to use its SUID powers
> > when the catpage's directory is accessed via symlink.
>
> It breaks private cat pages (symlink check must not be present for them)
>
Oops, right, wrongly placed closing brace:

Index: man.c =================================================================== RCS file: /home/ncvs/src/gnu/usr.bin/man/man/man.c,v retrieving revision 1.49 diff -u -p -r1.49 man.c --- man.c 2001/09/06 11:54:28 1.49 +++ man.c 2001/12/14 07:57:03 @@ -23,6 +23,7 @@ #include #include #include +#include #ifdef __FreeBSD__ #include #include
@@ -1402,10 +1403,15 @@ format_and_display (path, man_file, cat_ { #ifdef SETUID - seteuid(euid); - found = make_cat_file (path, man_file, cat_file, 1); - seteuid(ruid); - + char *cat_dir = dirname(cat_file); + struct stat sb; + if (cat_dir != NULL && lstat(cat_dir, &sb) == 0 && S_ISDIR(sb.st_mode)) + { + seteuid(euid); + found = make_cat_file (path, man_file, cat_file, 1); + seteuid(ruid); + } + if (!found) { /* Try again as real user - see note below.

Cheers,
--
Ruslan Ermilov		Oracle Developer/DBA,
ru@sunbay.com		Sunbay Software AG,
ru@FreeBSD.org		FreeBSD committer,
+380.652.512.251	Simferopol, Ukraine

http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age
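
Review bot: In the second hunk (format_and_display), the `lstat(cat_dir, &sb)` test and the privileged `make_cat_file (path, man_file, cat_file, 1)` call are two separate path lookups, so the directory can be replaced by a symlink after the check passes and before the file is written with the effective uid. `lstat()` also inspects only the last component of `cat_dir`, so a symlink higher up in the path is still followed. Consider opening the directory once without following symlinks, checking it with `fstat()` on that descriptor and creating the cat file relative to it, or at least repeating the check inside `make_cat_file()` at the point where the file is created. Two smaller points: `found` is now assigned only when the check passes, so confirm it is initialised to 0 before the `if (!found)` test is reached; and a short comment above the `lstat()` line saying why symlinked cat directories are skipped on the setuid path would help the next reader.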