#
# EMBARGOED!!! -- EMBARGOED!!! -- EMBARGOED!!!
# EMBARGOED!!! -- EMBARGOED!!! -- EMBARGOED!!!
# EMBARGOED!!! -- EMBARGOED!!! -- EMBARGOED!!!
# Release date is RHEL 7.1 RC.
# CVE-2014-8121:
# Unexpected closing of nss_files databases after lookups causes denial of service
# EMBARGOED!!! -- EMBARGOED!!! -- EMBARGOED!!!
# EMBARGOED!!! -- EMBARGOED!!! -- EMBARGOED!!!
# EMBARGOED!!! -- EMBARGOED!!! -- EMBARGOED!!!
#
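diff -up glibc-2.17-c758a686/nss/Makefile.rh1165192 glibc-2.17-c758a686/nss/Makefile
--- glibc-2.17-c758a686/nss/Makefile.rh1165192 2015-01-14 21:22:57.558006945 +0100
+++ glibc-2.17-c758a686/nss/Makefile 2015-01-14 21:44:59.657777124 +0100
@@ -38,7 +38,7 @@ install-bin := getent makedb
 makedb-modules = xmalloc hash-string
 extra-objs += $(makedb-modules:=.o)
 
-tests = test-netdb tst-nss-test1 bug17079
+tests = test-netdb tst-nss-test1 bug17079 tst-nss-getpwent
 xtests = bug-erange
 
 include ../Makeconfig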
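diff -up glibc-2.17-c758a686/nss/nss_files/files-XXX.c.rh1165192 glibc-2.17-c758a686/nss/nss_files/files-XXX.c
--- glibc-2.17-c758a686/nss/nss_files/files-XXX.c.rh1165192 2015-01-14 21:22:14.630721754 +0100
+++ glibc-2.17-c758a686/nss/nss_files/files-XXX.c 2015-01-14 21:22:15.072725814 +0100
@@ -135,7 +135,7 @@ CONCAT(_nss_files_set,ENTNAME) (int stay
 
 __libc_lock_lock (lock);
 
- status = internal_setent (stayopen);
+ status = internal_setent (1);
 
 if (status == NSS_STATUS_SUCCESS && fgetpos (stream, &position) < 0)
 {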
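Review bot: The hard-coded `1` in `status = internal_setent (1);` carries no comment, so nothing at the call site says why the caller's `stayopen` argument is now ignored, and a later cleanup could restore the parameter and bring back the problem named in the patch header (CVE-2014-8121). I would add a comment directly above the call, for example `/* Always keep the stream open: closing it after an interleaved lookup breaks a running enumeration (CVE-2014-8121).  */`. If `stayopen` has no other use in this function it is now an unused parameter and deserves a note of its own; the function body starts and ends outside the hunk, so that cannot be confirmed from here.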
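diff -up glibc-2.17-c758a686/nss/tst-nss-getpwent.c.rh1165192 glibc-2.17-c758a686/nss/tst-nss-getpwent.c
--- glibc-2.17-c758a686/nss/tst-nss-getpwent.c.rh1165192 2015-01-14 21:23:50.003236107 +0100
+++ glibc-2.17-c758a686/nss/tst-nss-getpwent.c 2015-01-14 21:46:39.912194368 +0100
@@ -0,0 +1,116 @@
+/* Copyright (C) 2015 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <http://www.gnu.org/licenses/>. */
+
+#include <pwd.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+int
+do_test (void)
+{
+ /* Count the number of entries in the password database, and fetch
+ data from the first and last entries. */
+ size_t count = 0;
+ struct passwd * pw;
+ char *first_name = NULL;
+ uid_t first_uid = 0;
+ char *last_name = NULL;
+ uid_t last_uid = 0;
+ setpwent ();
+ while ((pw = getpwent ()) != NULL)
+ {
+ if (first_name == NULL)
+ {
+ first_name = strdup (pw->pw_name);
+ if (first_name == NULL)
+ {
+ printf ("strdup: %m\n");
+ return 1;
+ }
+ first_uid = pw->pw_uid;
+ }
+
+ free (last_name);
+ last_name = strdup (pw->pw_name);
+ if (last_name == NULL)
+ {
+ printf ("strdup: %m\n");
+ return 1;
+ }
+ last_uid = pw->pw_uid;
+ ++count;
+ }
+ endpwent ();
+
+ if (count == 0)
+ {
+ printf ("No entries in the password database.\n");
+ return 0;
+ }
+
+ /* Try again, this time interleaving with name-based and UID-based
+ lookup operations. The counts do not match if the interleaved
+ lookups affected the enumeration. */
+ size_t new_count = 0;
+ setpwent ();
+ while ((pw = getpwent ()) != NULL)
+ {
+ if (new_count == count)
+ {
+ printf ("Additional entry in the password database.\n");
+ return 1;
+ }
+ ++new_count;
+ struct passwd *pw2 = getpwnam (first_name);
+ if (pw2 == NULL)
+ {
+ printf ("getpwnam (%s) failed: %m\n", first_name);
+ return 1;
+ }
+ pw2 = getpwnam (last_name);
+ if (pw2 == NULL)
+ {
+ printf ("getpwnam (%s) failed: %m\n", last_name);
+ return 1;
+ }
+ pw2 = getpwuid (first_uid);
+ if (pw2 == NULL)
+ {
+ printf ("getpwuid (%llu) failed: %m\n", (unsigned long long) first_uid);
+ return 1;
+ }
+ pw2 = getpwuid (last_uid);
+ if (pw2 == NULL)
+ {
+ printf ("getpwuid (%llu) failed: %m\n", (unsigned long long) last_uid);
+ return 1;
+ }
+ }
+ endpwent ();
+ if (new_count < count)
+ {
+ printf ("Missing entry in the password database.\n");
+ return 1;
+ }
+
+ return 0;
+}
+
+#define TEST_FUNCTION do_test ()
+#include "../test-skeleton.c"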
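Review bot: The `if (count == 0)` branch in do_test returns 0, so on a host where the first enumeration yields nothing the test reports success without ever running the interleaved lookups that the fix is meant to cover. getpwent () returns NULL both at the end of the database and on error, and the first loop does not tell the two apart; clearing `errno` before the loop and checking it afterwards (the file does not include `<errno.h>` itself) would let the test fail on a read error instead of passing. At minimum the message could say that nothing was checked, e.g. `printf ("No entries in the password database; nothing tested.\n");`. The early `return 1` paths also skip `endpwent ()` and leave `first_name`/`last_name` allocated, which is harmless in a short-lived test but worth a one-line comment.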