Репозитории ALT
S: | 4.96-alt1 |
5.1: | 4.76-alt0.M50P.1 |
4.1: | 4.69-alt1.M41.3 |
4.0: | 4.67-alt1 |
3.0: | 4.51-alt1 |
Группа :: Система/Серверы
Пакет: exim
Главная Изменения Спек Патчи Sources Загрузить Gear Bugs and FR Repocop
Патч: exim-4.69-CVE.patch
Скачать
Скачать
--- exim-4.71/src/transports/appendfile.c.orig 2010-05-09 15:54:02.000000000 -0400
+++ exim-4.71/src/transports/appendfile.c 2010-05-09 16:38:54.000000000 -0400
@@ -1806,6 +1806,18 @@
goto RETURN;
}
+ /* Just in case this is a sticky-bit mail directory, we don't want
+ users to be able to create hard links to other users' files. */
+
+ if (statbuf.st_nlink != 1)
+ {
+ addr->basic_errno = ERRNO_NOTREGULAR;
+ addr->message = string_sprintf("mailbox %s%s has too many links (%d)",
+ filename, islink? " (symlink)" : "", statbuf.st_nlink);
+ goto RETURN;
+
+ }
+
/* If symlinks are permitted (not recommended), the lstat() above will
have found the symlink. Its ownership has just been checked; go round
the loop again, using stat() instead of lstat(). That will never yield a
@@ -2005,8 +2017,25 @@
sprintf(CS mbx_lockname, "/tmp/.%lx.%lx", (long)statbuf.st_dev,
(long)statbuf.st_ino);
- if (Ulstat(mbx_lockname, &statbuf) >= 0)
+ /* First, attempt to open the file without O_CREAT, and call
+ fstat() to check if it's a hard link or symlink. If this
+ open() fails because the lockfile does not already exist,
+ then we can safely try again using O_CREAT | O_EXCL. If
+ this fails, something fishy is going on. This way, the
+ chmod() call is safe, because we're guaranteed that the
+ lockfile is not a symlink or hard link. We assume /tmp
+ has a sticky-bit, so there's no potential for a race condition
+ once the file has been properly created. */
+ mbx_lockfd = Uopen(mbx_lockname, O_RDWR, ob->lockfile_mode);
+ if (mbx_lockfd >= 0)
{
+ if (fstat(mbx_lockfd, &statbuf))
+ {
+ addr->basic_errno = ERRNO_LOCKFAILED;
+ addr->message = string_sprintf("fstat failed on MBX lock file %s",
+ mbx_lockname);
+ goto RETURN;
+ }
if ((statbuf.st_mode & S_IFMT) == S_IFLNK)
{
addr->basic_errno = ERRNO_LOCKFAILED;
@@ -2023,15 +2052,18 @@
}
}
- mbx_lockfd = Uopen(mbx_lockname, O_RDWR | O_CREAT, ob->lockfile_mode);
- if (mbx_lockfd < 0)
+ /* File did not already exist */
+ else
{
- addr->basic_errno = ERRNO_LOCKFAILED;
- addr->message = string_sprintf("failed to open MBX lock file %s :%s",
- mbx_lockname, strerror(errno));
- goto RETURN;
+ mbx_lockfd = Uopen(mbx_lockname, O_RDWR | O_CREAT | O_EXCL, ob->lockfile_mode);
+ if (mbx_lockfd < 0)
+ {
+ addr->basic_errno = ERRNO_LOCKFAILED;
+ addr->message = string_sprintf("failed to open MBX lock file %s :%s",
+ mbx_lockname, strerror(errno));
+ goto RETURN;
+ }
}
-
(void)Uchmod(mbx_lockname, ob->lockfile_mode);
if (apply_lock(mbx_lockfd, F_WRLCK, ob->use_fcntl,