Frederic Crozat
6e44a61417
- Add comments from upstream in 0001-util-never-follow-symlinks-in-rm_rf_children.patch. - Add logind-logout.patch: it should fix sudo / su with pam_systemd (bnc#746704). OBS-URL: https://build.opensuse.org/package/show/Base:System/systemd?expand=0&rev=263
60 lines
2.1 KiB
Diff
60 lines
2.1 KiB
Diff
From 5ebff5337594d690b322078c512eb222d34aaa82 Mon Sep 17 00:00:00 2001
|
|
From: Michal Schmidt <mschmidt@redhat.com>
|
|
Date: Fri, 2 Mar 2012 10:39:10 +0100
|
|
Subject: [PATCH] util: never follow symlinks in rm_rf_children()
|
|
|
|
The function checks if the entry is a directory before recursing, but
|
|
there is a window between the check and the open, during which the
|
|
directory could be replaced with a symlink.
|
|
|
|
CVE-2012-1174
|
|
https://bugzilla.redhat.com/show_bug.cgi?id=803358
|
|
---
|
|
src/util.c | 3 ++-
|
|
1 files changed, 2 insertions(+), 1 deletions(-)
|
|
|
|
diff --git a/src/util.c b/src/util.c
|
|
index 20cbc2b..dfc1dc6 100644
|
|
--- a/src/util.c
|
|
+++ b/src/util.c
|
|
@@ -3593,7 +3593,8 @@ static int rm_rf_children(int fd, bool only_dirs, bool honour_sticky) {
|
|
if (is_dir) {
|
|
int subdir_fd;
|
|
|
|
- if ((subdir_fd = openat(fd, de->d_name, O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC)) < 0) {
|
|
+ subdir_fd = openat(fd, de->d_name, O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC|O_NOFOLLOW);
|
|
+ if (subdir_fd < 0) {
|
|
if (ret == 0 && errno != ENOENT)
|
|
ret = -errno;
|
|
continue;
|
|
--
|
|
1.7.7
|
|
|
|
From c9d8629baa09f853fbcc44972c9748e70562270c Mon Sep 17 00:00:00 2001
|
|
From: Lennart Poettering <lennart@poettering.net>
|
|
Date: Thu, 22 Mar 2012 01:43:36 +0100
|
|
Subject: [PATCH] logind: extend comment about X11 socket symlink
|
|
|
|
---
|
|
src/login/logind-session.c | 4 ++++
|
|
1 files changed, 4 insertions(+), 0 deletions(-)
|
|
|
|
diff --git a/src/login/logind-session.c b/src/login/logind-session.c
|
|
index af9c12d..4e0af86 100644
|
|
--- a/src/login/logind-session.c
|
|
+++ b/src/login/logind-session.c
|
|
@@ -391,6 +391,10 @@ static int session_link_x11_socket(Session *s) {
|
|
return -ENOENT;
|
|
}
|
|
|
|
+ /* Note that this cannot be in a subdir to avoid
|
|
+ * vulnerabilities since we are privileged but the runtime
|
|
+ * path is owned by the user */
|
|
+
|
|
t = strappend(s->user->runtime_path, "/X11-display");
|
|
if (!t) {
|
|
log_error("Out of memory");
|
|
--
|
|
1.7.7
|
|
|