From cc48b652211f9d4bc28d4c46f793772074cef65a Mon Sep 17 00:00:00 2001
From: "Steffen (Daode) Nurpmeso"
Date: Fri, 27 Jan 2017 19:58:39 +0100
Subject: [PATCH] FIX privsep.c, yes, vulnerability (wapiflapi)..
wapiflapi (wapiflapi at yahoo dot fr) reported a vulnerability when the privsep program is driven directly: it is possible to pass a random string which includes path separators. This random string is used to build the path name of a an O_EXCLusively created file, which then is fchown()ed to the owner of the mailbox the privsep child is to be used to create a lock file for. The exclusively created file is then removed, whether the race has been won or not. The privsep child will refuse to run unless the executing user owns the mailbox file, that is, has read (or read/write, dependent on mode), the target of the link will always be the name of said mailbox with a ".lock" suffix (Unix dotlock locking).
---
 privsep.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/privsep.c b/privsep.c
index 069cb10d..8084c1bc 100644
--- a/privsep.c
+++ b/privsep.c
@@ -58,6 +58,7 @@ main(int argc, char **argv)
 strcmp(argv[ 4], "name") ||
 strcmp(argv[ 6], "hostname") ||
 strcmp(argv[ 8], "randstr") ||
+ strchr(argv[ 9], '/') != NULL /* Seal path injection vector */ ||
 strcmp(argv[10], "pollmsecs") ||
 fstat(STDIN_FILENO, &stb) == -1 || !S_ISFIFO(stb.st_mode) ||
 fstat(STDOUT_FILENO, &stb) == -1 || !S_ISFIFO(stb.st_mode)) {
--
2.11.4.GIT
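Review bot: The added line rejects only a '/' in argv[9], so an empty random string, or one built from characters such as '.' or whitespace, still flows into the lock-file path; because argv[9] is attacker-controlled when the privsep helper is driven directly, an allow-list of the alphabet the caller's generator emits is the more robust shape, e.g. `argv[9][0] == '\0' || argv[9][strspn(argv[9], RANDSTR_ALPHABET)] != '\0' /* allow-list the randstr */ ||`, where RANDSTR_ALPHABET is a placeholder for that character set (it is not visible in this hunk, so confirm it against the generator before tightening). The check also dereferences argv[9] before the argv[10] comparison; presumably the argc validation that makes every argv[i] here safe to read sits earlier in main(), which starts and ends outside the hunk. Minor style point: the `/* Seal path injection vector */` comment sits mid-expression inside a long ||-chain, where it is easy to miss; a one-line comment on its own line above the term, such as `/* argv[9] names part of a path: never allow a separator in it */`, reads more clearly.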