xserver: Branch 'server-1.11-branch' - 2 commits
Jeremy Huddleston
jeremyhu at kemper.freedesktop.org
Tue Oct 18 09:25:42 PDT 2011
os/utils.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
New commits:
commit 12f65819ffb04103f170ecd7e281348de618fc4c
Author: Matthieu Herrb <matthieu.herrb at laas.fr>
Date: Mon Oct 17 22:27:35 2011 +0200
Fix CVE-2011-4029: File permission change vulnerability.
Use fchmod() to change permissions of the lock file instead
of chmod(), thus avoid the race that can be exploited to set
a symbolic link to any file or directory in the system.
Signed-off-by: Matthieu Herrb <matthieu.herrb at laas.fr>
Reviewed-by: Alan Coopersmith <alan.coopersmith at oracle.com>
(cherry picked from commit b67581cf825940fdf52bf2e0af4330e695d724a4)
diff --git a/os/utils.c b/os/utils.c
index 9e0acb6..d9aa65e 100644
--- a/os/utils.c
+++ b/os/utils.c
@@ -295,7 +295,7 @@ LockServer(void)
FatalError("Could not create lock file in %s\n", tmp);
(void) sprintf(pid_str, "%10ld\n", (long)getpid());
(void) write(lfd, pid_str, 11);
- (void) chmod(tmp, 0444);
+ (void) fchmod(lfd, 0444);
(void) close(lfd);
/*
commit f80d23357874db19bc124dee70239fb182977883
Author: Matthieu Herrb <matthieu.herrb at laas.fr>
Date: Mon Oct 17 22:26:12 2011 +0200
Fix CVE-2011-4028: File disclosure vulnerability.
use O_NOFOLLOW to open the existing lock file, so symbolic links
aren't followed, thus avoid revealing if it point to an existing
file.
Signed-off-by: Matthieu Herrb <matthieu.herrb at laas.fr>
Reviewed-by: Alan Coopersmith <alan.coopersmith at oracle.com>
(cherry picked from commit 6ba44b91e37622ef8c146d8f2ac92d708a18ed34)
diff --git a/os/utils.c b/os/utils.c
index 36cb46f..9e0acb6 100644
--- a/os/utils.c
+++ b/os/utils.c
@@ -316,7 +316,7 @@ LockServer(void)
/*
* Read the pid from the existing file
*/
- lfd = open(LockFile, O_RDONLY);
+ lfd = open(LockFile, O_RDONLY|O_NOFOLLOW);
if (lfd < 0) {
unlink(tmp);
FatalError("Can't read lock file %s\n", LockFile);
More information about the xorg-commit
mailing list