From c943eb6b3321eb90628bfe14aaa6d599f770c201 Mon Sep 17 00:00:00 2001
From: jay
Date: Mon, 21 May 2007 21:45:07 +0000
Subject: [PATCH] Fixed by #19923 and prepared for release of findutils-4.3.6

---
 ChangeLog | 18 ++++++++++++++++++
 NEWS | 9 ++++++++-
 configure.in | 2 +-
 locate/locate.c | 8 ++++----
 4 files changed, 31 insertions(+), 6 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 2d482b2..a8b1a46 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,21 @@
+2007-05-21 James Youngman
+
+ * build-aux/Makefile.am (EXTRA_DIST): Added man-lint.sh.
+
+ * locate/locate.c (drop_privs): pass the correct list of groups to
+ setgroups(). Previously, if root invoked locate, their group ID
+ would have been set to a random value. The same bug also caused
+ an array overrun past the end of the local array groups[]. The
+ variable which gets overwritten by the buffer overrun on x86 is
+ 'what'. The value of that variable is always changed before it is
+ used, and so I believe that this buffer overrun will not cause a
+ crash. The only effect of the bug therefore would be for locate
+ to change group to a random group ID since groups[0] is
+ uninitialised. On my test system this random group ID is 0
+ anyway. The effect does not depend on any externally-controllable
+ information, so it is unlikely this is exploitable. This bug is
+ detailed as bug# 19923.
+
 2007-05-19 James Youngman
 
 * find/find.1: Spurious .R directives (.R is not a directive)
diff --git a/NEWS b/NEWS
index d778fc8..9b750d3 100644
--- a/NEWS
+++ b/NEWS
@@ -1,8 +1,15 @@ GNU findutils NEWS - User visible changes. -*- outline -*- (allout) -* Major changes in release 4.3.6-CVS +* Major changes in release 4.3.6 ** Bug Fixes +#19923: Fixed an array overrun in groups[] array of 'locate' when run by +or as root. This bug appears not to be exploitable. If locate is not +installed setuid, the bug is not exploitable. For setuid +installations, it is concievable that there could be an information +leak if the user uses the -d option or the -e option, though the +maintainer has been unable to provoke this on an x86 system. + #19871: Spurious .R directives in manpage produced error messages from GNU troff. This is now fixed (they are corrected to .B). diff --git a/configure.in b/configure.in index 396d54d..0450785 100644 --- a/configure.in +++ b/configure.in @@ -1,5 +1,5 @@ dnl Process this file with autoconf to produce a configure script. -AC_INIT([GNU findutils], 4.3.6-CVS, [bug-findutils@gnu.org]) +AC_INIT([GNU findutils], 4.3.6, [bug-findutils@gnu.org]) AC_CONFIG_AUX_DIR(build-aux) AM_INIT_AUTOMAKE diff --git a/locate/locate.c b/locate/locate.c index 37ab13e..cbca59f 100644 --- a/locate/locate.c +++ b/locate/locate.c @@ -1333,13 +1333,13 @@ drop_privs(void) const uid_t uid = getuid(); const gid_t gid = getgid(); - /* Use of setgroups() is restrcted to root only. */ + /* Use of setgroups() is restricted to root only. */ if (0 == orig_euid) { - /* UID != 0, but EUID == 0. We're running setuid-root. */ + /* We're either root or running setuid-root. */ gid_t groups[1]; - groups[1] = getgid(); - if (0 != setgroups(1, groups)) + groups[1] = gid; + if (0 != setgroups(1u, groups)) { what = _("failed to drop group privileges"); goto fail; -- 2.11.4.GIT
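Review bot: `groups[1] = gid;` in the locate.c hunk still writes one element past the end of `gid_t groups[1]`, so the out-of-bounds write past the local array that the commit message says it removes is still present, and `setgroups(1u, groups)` still receives an uninitialised `groups[0]` as the only supplementary group. Only the stored value changed (from `getgid()` to the cached `gid`); the index did not, and the `1` to `1u` change alters nothing. The intended line is `groups[0] = gid;`, after which the group list passed to setgroups() is actually the real GID; `-Warray-bounds` or an address sanitizer build would catch the current form. The body of drop_privs, including the `fail` label that the `goto` targets, continues outside the hunk.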