aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorGregory Neil Shapiro <gshapiro@FreeBSD.org>2002-10-26 21:11:30 +0000
committerGregory Neil Shapiro <gshapiro@FreeBSD.org>2002-10-26 21:11:30 +0000
commit77bccc254db6cfdc0a6ef89d22a3502dfd23cdf6 (patch)
tree6ab998283c0b839f707d71c6a3043666d5d35c75
parent57f9b3e30a651a88454928698fff35cb39836d9c (diff)
downloadsrc-77bccc254db6cfdc0a6ef89d22a3502dfd23cdf6.tar.gz
src-77bccc254db6cfdc0a6ef89d22a3502dfd23cdf6.zip
MFC: Fix smrsh bypass bug.
Approved by: security-officer
Notes
Notes: svn path=/releng/4.6/; revision=106004
-rw-r--r--UPDATING3
-rw-r--r--contrib/sendmail/smrsh/smrsh.c35
-rw-r--r--sys/conf/newvers.sh2
3 files changed, 39 insertions, 1 deletions
diff --git a/UPDATING b/UPDATING
index 1d69f8de851b..c8be596402c2 100644
--- a/UPDATING
+++ b/UPDATING
@@ -17,6 +17,9 @@ minimal number of processes, if possible, for that patch. For those
updates that don't have an advisory, or to be safe, you can do a full
build and install as described in the COMMON ITEMS section.
+20021026: p4
+ smrsh bypass bug.
+
20021023: p3
Correct kadmind buffer overflow.
diff --git a/contrib/sendmail/smrsh/smrsh.c b/contrib/sendmail/smrsh/smrsh.c
index d0613a1cb759..0a6c0486eba8 100644
--- a/contrib/sendmail/smrsh/smrsh.c
+++ b/contrib/sendmail/smrsh/smrsh.c
@@ -58,6 +58,8 @@ SM_IDSTR(id, "@(#)$Id: smrsh.c,v 8.55 2001/09/11 04:05:22 gshapiro Exp $")
#include <sm/io.h>
#include <sm/string.h>
#include <sys/file.h>
+#include <sys/types.h>
+#include <sys/stat.h>
#include <string.h>
#include <ctype.h>
#include <errno.h>
@@ -150,6 +152,7 @@ main(argc, argv)
char cmdbuf[1000];
char pathbuf[1000];
char specialbuf[32];
+ struct stat st;
#ifndef DEBUG
# ifndef LOG_MAIL
@@ -290,6 +293,38 @@ main(argc, argv)
(void) sm_io_fprintf(smioout, SM_TIME_DEFAULT,
"Trying %s\n", cmdbuf);
#endif /* DEBUG */
+ if (stat(cmdbuf, &st) < 0)
+ {
+ /* can't stat it */
+ (void) sm_io_fprintf(smioerr, SM_TIME_DEFAULT,
+ "%s: %s not available for sendmail programs (stat failed)\n",
+ prg, cmd);
+ if (p != NULL)
+ *p = ' ';
+#ifndef DEBUG
+ syslog(LOG_CRIT, "uid %d: attempt to use %s (stat failed)",
+ (int) getuid(), cmd);
+#endif /* ! DEBUG */
+ exit(EX_UNAVAILABLE);
+ }
+ if (!S_ISREG(st.st_mode)
+#ifdef S_ISLNK
+ && !S_ISLNK(st.st_mode)
+#endif /* S_ISLNK */
+ )
+ {
+ /* can't stat it */
+ (void) sm_io_fprintf(smioerr, SM_TIME_DEFAULT,
+ "%s: %s not available for sendmail programs (not a file)\n",
+ prg, cmd);
+ if (p != NULL)
+ *p = ' ';
+#ifndef DEBUG
+ syslog(LOG_CRIT, "uid %d: attempt to use %s (not a file)",
+ (int) getuid(), cmd);
+#endif /* ! DEBUG */
+ exit(EX_UNAVAILABLE);
+ }
if (access(cmdbuf, X_OK) < 0)
{
/* oops.... crack attack possiblity */
diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh
index c84ccef6a171..0dd27a776122 100644
--- a/sys/conf/newvers.sh
+++ b/sys/conf/newvers.sh
@@ -36,7 +36,7 @@
TYPE="FreeBSD"
REVISION="4.6.2"
-BRANCH="RELEASE-p3"
+BRANCH="RELEASE-p4"
RELEASE="${REVISION}-${BRANCH}"
VERSION="${TYPE} ${RELEASE}"