systemd/0001-util-never-follow-symlinks-in-rm_rf_children.patch
Frederic Crozat 6e44a61417 - Update fixppc.patch with upstream patches
- Add comments from upstream in
  0001-util-never-follow-symlinks-in-rm_rf_children.patch.
- Add logind-logout.patch: it should fix sudo / su with pam_systemd
  (bnc#746704).

OBS-URL: https://build.opensuse.org/package/show/Base:System/systemd?expand=0&rev=263
2012-03-22 08:55:35 +00:00

60 lines
2.1 KiB
Diff

From 5ebff5337594d690b322078c512eb222d34aaa82 Mon Sep 17 00:00:00 2001
From: Michal Schmidt <mschmidt@redhat.com>
Date: Fri, 2 Mar 2012 10:39:10 +0100
Subject: [PATCH] util: never follow symlinks in rm_rf_children()
The function checks if the entry is a directory before recursing, but
there is a window between the check and the open, during which the
directory could be replaced with a symlink.
CVE-2012-1174
https://bugzilla.redhat.com/show_bug.cgi?id=803358
---
src/util.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/src/util.c b/src/util.c
index 20cbc2b..dfc1dc6 100644
--- a/src/util.c
+++ b/src/util.c
@@ -3593,7 +3593,8 @@ static int rm_rf_children(int fd, bool only_dirs, bool honour_sticky) {
if (is_dir) {
int subdir_fd;
- if ((subdir_fd = openat(fd, de->d_name, O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC)) < 0) {
+ subdir_fd = openat(fd, de->d_name, O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC|O_NOFOLLOW);
+ if (subdir_fd < 0) {
if (ret == 0 && errno != ENOENT)
ret = -errno;
continue;
--
1.7.7
From c9d8629baa09f853fbcc44972c9748e70562270c Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Thu, 22 Mar 2012 01:43:36 +0100
Subject: [PATCH] logind: extend comment about X11 socket symlink
---
src/login/logind-session.c | 4 ++++
1 files changed, 4 insertions(+), 0 deletions(-)
diff --git a/src/login/logind-session.c b/src/login/logind-session.c
index af9c12d..4e0af86 100644
--- a/src/login/logind-session.c
+++ b/src/login/logind-session.c
@@ -391,6 +391,10 @@ static int session_link_x11_socket(Session *s) {
return -ENOENT;
}
+ /* Note that this cannot be in a subdir to avoid
+ * vulnerabilities since we are privileged but the runtime
+ * path is owned by the user */
+
t = strappend(s->user->runtime_path, "/X11-display");
if (!t) {
log_error("Out of memory");
--
1.7.7