pull patch from openbsd Errata 033:

A security hole exists in uucp(1), uux(1) and uuxqt(1) that may allow an attacker on the local machine to run arbitrary commands with root privileges. Fix: Pay more attention to commandline parsing of long options. Patch from jbj@redhat.com via millert@.
2001-09-12 07:51:03 +00:00 · 2001-09-12 07:51:03 +00:00 · 1f8d9cbdd1
commit 1f8d9cbdd1
parent 044635794c
1 changed files with 39 additions and 1 deletions
--- a/gnu/libexec/uucp/uuxqt/uuxqt.c
+++ b/gnu/libexec/uucp/uuxqt/uuxqt.c
@ -26,7 +26,7 @@
 #include "uucp.h"

 #if USE_RCS_ID
-const char uuxqt_rcsid[] = "$Id: uuxqt.c,v 1.3 1995/08/24 05:23:43 jtc Exp $";
+const char uuxqt_rcsid[] = "$Id: uuxqt.c,v 1.4 2001/09/12 07:51:03 itojun Exp $";
 #endif

 #include <errno.h>
@ -928,6 +928,44 @@ uqdo_xqt_file (puuconf, zfile, zbase, qsys, zlocalname, zcmd, pfprocessed)
 	 don't permit multiple arguments.  */
      for (i = 1; azQargs[i] != NULL; i++)
 	{
+	  if (azQargs[i][0] == '-' && azQargs[i][1] == '-')
+	    {
+		char *zopts = azQargs[i] + 2;
+
+		/* The -g, -n, and -s options take an argument.  */
+		if (!strncmp(zopts, "grade", 5) && zopts[5] != '=')
+		  {
+		    if (azQargs[i+1] != NULL)
+		      ++i;
+		  }
+		if (!(strncmp(zopts, "notify", 6)
+		&&    strncmp(zopts, "status", 6)) && zopts[6] != '=')
+		  {
+		    if (azQargs[i+1] != NULL)
+		      ++i;
+		  }
+
+		/* The -I, -u and -x options are not permitted.  */
+		if (!strncmp(zopts, "config", 6))
+		  {
+		    if (zopts[6] != '=' && azQargs[i+1] != NULL)
+		      ++i;
+		    azQargs[i] = zbufcpy ("--nouucico");
+		  }
+		if (!strncmp(zopts, "user", 4))
+		  {
+		    if (zopts[4] != '=' && azQargs[i+1] != NULL)
+		      ++i;
+		    azQargs[i] = zbufcpy ("--nouucico");
+		  }
+		if (!strncmp(zopts, "debug", 5))
+		  {
+		    if (zopts[5] != '=' && azQargs[i+1] != NULL)
+		      ++i;
+		    azQargs[i] = zbufcpy ("--nouucico");
+		  }
+	    }
+	  else
 	  if (azQargs[i][0] == '-')
 	    {
 	      char *zopts;