Bug 1417828

Summary: The return value from the call to 'setreuid' is not checked.
Product: [Fedora] Fedora
Reporter: Josef Ridky <jridky>
Component: amanda
Assignee: Josef Ridky <jridky>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: rawhide
CC: fedora, jridky, j, phracek, rvokal
Hardware: Unspecified
OS: Unspecified
Fixed In Version: amanda-3.4.2-1.fc24 amanda-3.4.2-1.fc25
Clone Of:
: 1417830
Last Closed: 2017-02-15 20:50:53 UTC
Type: Bug
Bug Blocks: 1417830
Attachments: upstream patch (flags: none)

Description Josef Ridky 2017-01-31 08:14:55 UTC
Created attachment 1246112
upstream patch

Description of problem:
The return value from the call to 'setreuid' is not checked. If an error occurs in 'setreuid', the following code may execute with unexpected privileges.

Version-Release number of selected component (if applicable):
3.3.3 - 3.4.1

Additional info:
Located in common-src/krb5-security.c:393:5
This issue has been reported to upstream. Upstream fix is attached.
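
An added example (not from this bug report, the attached patch, or the Amanda source) showing the unchecked pattern described above beside a checked form. The function names and the injectable `set_ids` parameter are hypothetical, used so a failing `setreuid` can be simulated without root.

```c
/* Added example: unchecked vs. checked setreuid(). Hypothetical names,
 * not Amanda's code. */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

typedef int (*setreuid_fn)(uid_t, uid_t);  /* injectable so failure can be simulated */
typedef int (*task_fn)(void);

/* Unchecked: the task runs even if the identity switch failed. */
int run_as_unchecked(uid_t euid, setreuid_fn set_ids, task_fn task)
{
    set_ids((uid_t)-1, euid);              /* return value ignored */
    return task();
}

/* Checked: refuse to continue unless the switch succeeded and took effect. */
int run_as_checked(uid_t euid, setreuid_fn set_ids, task_fn task)
{
    if (set_ids((uid_t)-1, euid) != 0) {
        fprintf(stderr, "setreuid failed: errno %d\n", errno);
        return -1;
    }
    if (geteuid() != euid) {               /* confirm the result as well */
        fprintf(stderr, "euid is %ld, wanted %ld\n", (long)geteuid(), (long)euid);
        return -1;
    }
    return task();
}

/* Constructed test doubles. */
static int tasks_run;
int count_task(void) { return ++tasks_run; }
int failing_setreuid(uid_t r, uid_t e) { (void)r; (void)e; errno = EAGAIN; return -1; }
int noop_setreuid(uid_t r, uid_t e) { (void)r; (void)e; return 0; }

int main(void)
{
    uid_t other = geteuid() + 1;           /* constructed: a uid we are not running as */
    printf("unchecked: %d\n", run_as_unchecked(other, failing_setreuid, count_task));
    printf("checked:   %d\n", run_as_checked(other, failing_setreuid, count_task));
    printf("real call: %d\n", run_as_checked(geteuid(), setreuid, count_task));
    return 0;
}
```

The unchecked variant still runs the task after the simulated failure, while the checked variant returns -1 without running it.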

Comment 1 Jason Tibbitts 2017-01-31 17:36:07 UTC
Note that the patch has been upstreamed in 3.4.2, which I have already built in rawhide.

Comment 2 Fedora Update System 2017-02-01 14:56:18 UTC
amanda-3.4.2-1.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-ec1e93b61f

Comment 3 Fedora Update System 2017-02-01 14:56:42 UTC
amanda-3.4.2-1.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2017-5fcf946acc

Comment 4 Fedora Update System 2017-02-01 22:48:29 UTC
amanda-3.4.2-1.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-5fcf946acc

Comment 5 Fedora Update System 2017-02-01 23:52:17 UTC
amanda-3.4.2-1.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-ec1e93b61f

Comment 6 Fedora Update System 2017-02-15 20:50:53 UTC
amanda-3.4.2-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2017-02-15 20:53:11 UTC
amanda-3.4.2-1.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.