~sbeattie/gdm/CVE-2011-0727-lp746053


Viewing changes to debian/patches/42_CVE-2011-0727.patch

  • Committer: Steve Beattie
  • Date: 2011-03-31 22:41:31 UTC
  • Revision ID: sbeattie@ubuntu.com-20110331224131-ntk41ifp3sd0em9z
* SECURITY UPDATE: race condition allowing privilege escalation
  - debian/patches/42_CVE-2011-0727.patch: fix
    daemon/gdm-session-worker.c to copy files as the session user rather
    than as root followed by a subsequent chown. (LP: #746053)
  - CVE-2011-0727




 
1
From f2eb8e2b25844d6964129e0232e022995e27e11f Mon Sep 17 00:00:00 2001
 
2
From: Ray Strode <rstrode@redhat.com>
 
3
Date: Thu, 24 Mar 2011 20:47:37 +0000
 
4
Subject: worker: CVE-2011-0727: change to user before copying user files
 
5
 
 
6
This commit changes to a user before copying user files to prevent
 
7
a possible symlink local root exploit attack.
 
8
 
 
9
[Ubuntu note: natty patch refreshed against 2.32.0-0ubuntu12
 
10
 -- sbeattie]
 
11
 
 
12
---
 
13
 daemon/gdm-session-worker.c |   29 +++++++++++++++++------------
 
14
 1 file changed, 17 insertions(+), 12 deletions(-)
 
15
 
 
16
Index: b/daemon/gdm-session-worker.c
 
17
===================================================================
 
18
--- a/daemon/gdm-session-worker.c
 
19
+++ b/daemon/gdm-session-worker.c
 
20
@@ -1035,17 +1035,6 @@ gdm_cache_copy_file (GdmSessionWorker *w
 
21
                                    error->message);
 
22
                         g_error_free (error);
 
23
                  } else {
 
24
-                         int res;
 
25
-
 
26
-                         res = chown (cachefilename,
 
27
-                                      worker->priv->uid,
 
28
-                                      worker->priv->gid);
 
29
-                         if (res == -1) {
 
30
-                                 g_warning ("GdmSessionWorker: Error setting owner of cache file: %s",
 
31
-                                            g_strerror (errno));
 
32
-                         }
 
33
-
 
34
-                        g_chmod (cachefilename, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
 
35
                         g_debug ("Copy successful");
 
36
                 }
 
37
 
 
38
@@ -1183,7 +1172,23 @@ gdm_session_worker_uninitialize_pam (Gdm
 
39
                 return;
 
40
 
 
41
         if (worker->priv->state >= GDM_SESSION_WORKER_STATE_SESSION_OPENED) {
 
42
-                gdm_session_worker_cache_userfiles (worker);
 
43
+                pid_t pid;
 
44
+
 
45
+                pid = fork ();
 
46
+
 
47
+                if (pid == 0) {
 
48
+                        if (setuid (worker->priv->uid) < 0) {
 
49
+                                g_debug ("GdmSessionWorker: could not reset uid: %s", g_strerror (errno));
 
50
+                                _exit (1);
 
51
+                        }
 
52
+
 
53
+                        gdm_session_worker_cache_userfiles (worker);
 
54
+                        _exit (0);
 
55
+                }
 
56
+
 
57
+                if (pid > 0) {
 
58
+                        gdm_wait_on_pid (pid);
 
59
+                }
 
60
                 pam_close_session (worker->priv->pam_handle, 0);
 
61
                 gdm_session_auditor_report_logout (worker->priv->auditor);
 
62