fix local privilege escalation due to a race condition
NetBSD-SA2016-006 included an incomplete fix for CVE-2016-6253, a local privilege escalation vulnerability in mail.local(8). mail.local(8) attempts to open(2) a user's existing mailbox file to append to it. If that call fails, mail.local(8) will then issue a second open(2) call to create the file (O_CREAT). An attacker had the opportunity to create the file in question (as a symlink, or link to some other file) in between these two open(2) calls. Fix this by using O_EXCL in the 2nd open call, if the file exists when that one happens, something is going wrong, so just abort. Also, only attempt that 2nd open if the reason the first failed was that the file did not exist (this doesn't fix the issue, but it potentially saves some cycles). Thanks to Jan Schaumann for bringing this to our attention.
This commit is contained in:
parent
46bb8fc46d
commit
b17b839ae3
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: mail.local.c,v 1.28 2016/07/21 12:29:37 shm Exp $ */
|
||||
/* $NetBSD: mail.local.c,v 1.29 2022/05/17 11:18:58 kre Exp $ */
|
||||
|
||||
/*-
|
||||
* Copyright (c) 1990, 1993, 1994
|
||||
|
@ -36,7 +36,7 @@ __COPYRIGHT("@(#) Copyright (c) 1990, 1993, 1994\
|
|||
#if 0
|
||||
static char sccsid[] = "@(#)mail.local.c 8.22 (Berkeley) 6/21/95";
|
||||
#else
|
||||
__RCSID("$NetBSD: mail.local.c,v 1.28 2016/07/21 12:29:37 shm Exp $");
|
||||
__RCSID("$NetBSD: mail.local.c,v 1.29 2022/05/17 11:18:58 kre Exp $");
|
||||
#endif
|
||||
#endif /* not lint */
|
||||
|
||||
|
@ -217,11 +217,12 @@ deliver(int fd, char *name, int lockfile)
|
|||
return(EX_OSERR);
|
||||
}
|
||||
|
||||
if ((mbfd = open(path, O_APPEND|O_WRONLY|O_EXLOCK,
|
||||
if ((mbfd = open(path, O_APPEND|O_WRONLY|O_EXLOCK|O_NOFOLLOW,
|
||||
S_IRUSR|S_IWUSR)) == -1) {
|
||||
/* create file */
|
||||
if ((mbfd = open(path, O_APPEND|O_CREAT|O_WRONLY|O_EXLOCK,
|
||||
S_IRUSR|S_IWUSR)) == -1) {
|
||||
if (errno != ENOENT ||
|
||||
(mbfd = open(path, O_APPEND|O_CREAT|O_WRONLY|O_EXLOCK|O_EXCL,
|
||||
S_IRUSR|S_IWUSR)) == -1) {
|
||||
logwarn("%s: %s", path, strerror(errno));
|
||||
rval = EX_OSERR;
|
||||
goto bad;
|
||||
|
|
Loading…
Reference in New Issue