Attachment 668606 Details for Bug 887010 – proposed patch

[patch] proposed patch

CVE-2012-5638.patch (text/plain), 1.39 KB, created by Martin Quinson on 2012-12-24 21:28:22 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Martin Quinson

Created: 2012-12-24 21:28:22 UTC

Size: 1.39 KB

patch

obsolete

>Initial report (https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-5638)
>
>| The sanlock server creates the /var/log/sanlock.log world writable
>| allowing any one on the system to wipe the contents of the log file or
>| to store data within the log file (bypassing any quotas applied to
>| their account). The affected code (in src/log.c) is:
>|
>| int setup_logging(void) {
>|	int fd, rv;
>|	snprintf(logfile_path, PATH_MAX, "%s/%s", SANLK_LOG_DIR,
>|	         SANLK_LOGFILE_NAME);
>|	logfile_fp = fopen(logfile_path, "a+");
>
>This patch was proposed by Martin Quinson, but not really tested as I
>don't use sanlock myself. Also, I used 660 as permissions to the file,
>I'm not sure of whether it's sensible or not.
>
>Index: sanlock-2.2/src/log.c
>===================================================================
>--- sanlock-2.2.orig/src/log.c	2012-05-07 17:43:52.000000000 +0200
>+++ sanlock-2.2/src/log.c	2012-12-24 22:19:10.437901274 +0100
>@@ -252,10 +252,12 @@
> 	snprintf(logfile_path, PATH_MAX, "%s/%s", SANLK_LOG_DIR,
> 		 SANLK_LOGFILE_NAME);
> 
>-	logfile_fp = fopen(logfile_path, "a+");
>-	if (logfile_fp) {
>-		fd = fileno(logfile_fp);
>+	fd = open(logfile_path,O_CREAT | O_WRONLY, S_IRUSR|S_IWUSR | S_IRGRP|S_IWGRP);
>+	if (fd != -1) {
> 		fcntl(fd, F_SETFD, fcntl(fd, F_GETFD, 0) | FD_CLOEXEC);
>+		logfile_fp = fdopen(fd, "a+");
>+	} else {
>+		logfile_fp = NULL;
> 	}
> 
> 	log_ents = malloc(log_num_ents * sizeof(struct entry));

Actions: View | Diff

Attachments on bug 887010: 668606