author | Matthew Thode <prometheanfire@gentoo.org> | 2013-12-11 03:19:54 +0000 |
---|---|---|
committer | Matthew Thode <prometheanfire@gentoo.org> | 2013-12-11 03:19:54 +0000 |
commit | 1b2f9d17383786da5a6a176b6c0d84b6611994fd (patch) | |
tree | 563c97f6031aebd80ef72966c67466ad4f931393 /app-admin/augeas/files | |
parent | fix for traceback doc'd in bug 493122 (diff) | |
initial fix for bug 492528 CVE-2012-{0786,0787,6607}
(Portage version: 2.2.7/cvs/Linux x86_64, signed Manifest commit with key 0x2471eb3e40ac5ac3)
Diffstat (limited to 'app-admin/augeas/files')
-rw-r--r-- | app-admin/augeas/files/cve-bunch-of-them-symlink.patch | 76 |
1 files changed, 76 insertions, 0 deletions
diff --git a/app-admin/augeas/files/cve-bunch-of-them-symlink.patch b/app-admin/augeas/files/cve-bunch-of-them-symlink.patch
new file mode 100644
index 000000000000..3bd1d95ae42d
--- /dev/null
+++ b/app-admin/augeas/files/cve-bunch-of-them-symlink.patch
@@ -0,0 +1,76 @@
+From 051c73a9a7ffe9e525f6f0a1b8f5198ff8cc6752 Mon Sep 17 00:00:00 2001
+From: Dominic Cleal <dcleal@redhat.com>
+Date: Sat, 11 Aug 2012 20:39:14 +0100
+Subject: [PATCH] Fix regression in permissions of created files
+
+Commit 16387744 changed temporary file creation to use mkstemp, resulting in
+new files being created with 0600 permissions. For brand new files created
+through Augeas, their permissions stayed at 0600 rather than being set by the
+umask as before.
+
+ * src/transform.c (transform_save): chmod after creating new files to
+ permissions implied by the umask
+---
+ src/transform.c | 10 ++++++++++
+ tests/test-preserve.sh | 15 ++++++++++++++-
+ 2 files changed, 24 insertions(+), 1 deletion(-)
+
+diff --git a/src/transform.c b/src/transform.c
+index a3acd10..1ca3d5f 100644
+--- a/src/transform.c
++++ b/src/transform.c
+@@ -1096,6 +1096,16 @@ int transform_save(struct augeas *aug, struct tree *xfm,
+ err_status = "xfer_attrs";
+ goto done;
+ }
++ } else {
++ /* Since mkstemp is used, the temp file will have secure permissions
++ * instead of those implied by umask, so change them for new files */
++ mode_t curumsk = umask(022);
++ umask(curumsk);
++
++ if (fchmod(fileno(fp), 0666 - curumsk) < 0) {
++ err_status = "create_chmod";
++ return -1;
++ }
+ }
+
+ if (tree != NULL)
+diff --git a/tests/test-preserve.sh b/tests/test-preserve.sh
+index 042dab9..9719ac6 100755
+--- a/tests/test-preserve.sh
++++ b/tests/test-preserve.sh
+@@ -59,9 +59,12 @@ if [ $selinux = yes -a xetc_t != "x$act_con" ] ; then
+ exit 1
+ fi
+
+-# Check that we create new files without error
++# Check that we create new files without error and with permissions implied
++# from the umask
+ init_dirs
+
++oldumask=$(umask)
++umask 0002
+ $AUGTOOL > /dev/null <<EOF
+ set /files/etc/hosts/1/ipaddr 127.0.0.1
+ set /files/etc/hosts/1/canonical host.example.com
+@@ -71,6 +74,16 @@ if [ $? != 0 ] ; then
+ echo "augtool failed on new file"
+ exit 1
+ fi
++if [ ! -e $hosts ]; then
++ echo "augtool didn't create new /etc/hosts file"
++ exit 1
++fi
++act_mode=$(ls -l $hosts | cut -b 1-10)
++if [ x-rw-rw-r-- != "x$act_mode" ] ; then
++ echo "Expected mode 0664 due to $(umask) umask but got $act_mode"
++ exit 1
++fi
++umask $oldumask
+
+ # Check that we create new files without error when backups are requested
+ init_dirs
+--
+1.8.5.1
+ |
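Review bot: The mode passed to fchmod in the src/transform.c hunk is computed as `0666 - curumsk`, which is arithmetic subtraction and only gives the intended result when every umask bit is also set in 0666; with a restrictive umask of 077 it evaluates to 0567, leaving the new file group- and world-writable. The mask should be applied bitwise, `if (fchmod(fileno(fp), 0666 & ~curumsk) < 0) {`. The failure path also uses `return -1;` where the neighbouring xfer_attrs failure uses `goto done;`, so it appears to skip whatever cleanup and error reporting `done` performs; transform_save starts and ends outside the hunk, so that is inferred from the context lines. The added shell check runs only under `umask 0002`, where subtraction and masking agree, so a second case with a umask such as 0077 would be needed to catch this.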