diff -u -r heimdal-0.7.2/appl/dceutils/ChangeLog heimdal-0.7.2-setuid/appl/dceutils/ChangeLog
--- heimdal-0.7.2/appl/dceutils/ChangeLog 2005-04-06 13:23:17.000000000 +0200
+++ heimdal-0.7.2-setuid/appl/dceutils/ChangeLog 2006-08-31 14:49:15.000000000 +0200
@@ -1,5 +1,9 @@
-2005-04-06 Love Hörnquist Åstrand
+2006-08-08 Love Hörnquist Åstrand
+ * k5dcecon.c: Check for seteuid failure, prompted by MIT advisory.
+
+2005-04-06 Love Hörnquist Åstrand
+
 * testpag.c: use NULL as last argument to execl, not 0
 2002-08-12 Johan Danielsson
diff -u -r heimdal-0.7.2/appl/dceutils/k5dcecon.c heimdal-0.7.2-setuid/appl/dceutils/k5dcecon.c
--- heimdal-0.7.2/appl/dceutils/k5dcecon.c 2002-08-09 15:19:41.000000000 +0200
+++ heimdal-0.7.2-setuid/appl/dceutils/k5dcecon.c 2006-08-31 14:49:15.000000000 +0200
@@ -71,7 +71,7 @@
 #endif
 #ifdef __hpux
-#define seteuid(A) setresuid(-1,A,-1);
+#define seteuid(A) setresuid(-1,A,-1)
 #endif
@@ -549,7 +549,8 @@
  */
  if (uid == 0) {
- seteuid(luid);
+ if (seteuid(luid) < 0)
+ goto abort;
  }
  cp = strchr(pname,'@');
diff -u -r heimdal-0.7.2/appl/ftp/ChangeLog heimdal-0.7.2-setuid/appl/ftp/ChangeLog
--- heimdal-0.7.2/appl/ftp/ChangeLog 2005-05-29 23:42:45.000000000 +0200
+++ heimdal-0.7.2-setuid/appl/ftp/ChangeLog 2006-08-31 14:49:15.000000000 +0200
@@ -1,3 +1,9 @@
+2006-08-08 Love Hörnquist Åstrand
+
+ * rcp.c: Check return values from seteuid, prompted by MIT
+ advisory. Thanks to Tom Yu at MIT, and Michael Calmer and Marcus
+ Meissner at SUSE. Either of CVE-2006-3083 or CVE-2006-3084.
+
 2005-05-29 Love Hörnquist Åstrand
 * ftpd/ftpd.c: avoid 'unused variable' warnings
diff -u -r heimdal-0.7.2/appl/ftp/ftpd/ftpd.c heimdal-0.7.2-setuid/appl/ftp/ftpd/ftpd.c
--- heimdal-0.7.2/appl/ftp/ftpd/ftpd.c 2005-06-02 12:41:28.000000000 +0200
+++ heimdal-0.7.2-setuid/appl/ftp/ftpd/ftpd.c 2006-08-31 14:49:15.000000000 +0200
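Review bot: The HP-UX `seteuid` macro now expands cleanly inside an `if` (the stray semicolon is gone), but its argument `A` is still unparenthesized, so an expression argument such as `x ? a : b` would bind differently from a real function call; `#define seteuid(A) setresuid(-1,(A),-1)` keeps call-like semantics. This is a style point only: the one caller touched by this patch passes a plain variable.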
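Review bot: On seteuid failure the new `goto abort` leaves without recording why, so the errno from seteuid can be overwritten before anything reports it and an operator only sees whatever the abort path prints. A diagnostic at the jump site, e.g. `perror("seteuid");` (or the reporting helper this file already uses) before the `goto`, would make the dropped-privilege failure visible. The enclosing function and the `abort` label are outside the hunk, so whether abort already reports errno cannot be confirmed from here.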
@@ -138,9 +138,9 @@
 static int checkuser (char *, char *);
 static int checkaccess (char *);
 static FILE *dataconn (const char *, off_t, const char *);
-static void dolog (struct sockaddr *sa, int len);
+static void dolog (struct sockaddr *, int);
 static void end_login (void);
-static FILE *getdatasock (const char *);
+static FILE *getdatasock (const char *, int);
 static char *gunique (char *);
 static RETSIGTYPE lostconn (int);
 static int receive_data (FILE *, FILE *);
@@ -835,7 +835,8 @@
 end_login(void)
 {
- seteuid((uid_t)0);
+ if (seteuid((uid_t)0) < 0)
+ fatal("Failed to seteuid");
  if (logged_in)
  ftpd_logwtmp(ttyline, "", "");
  pw = NULL;
@@ -1208,14 +1209,15 @@
 }
 static FILE *
-getdatasock(const char *mode)
+getdatasock(const char *mode, int domain)
 {
  int s, t, tries;
  if (data >= 0)
  return (fdopen(data, mode));
- seteuid(0);
- s = socket(ctrl_addr->sa_family, SOCK_STREAM, 0);
+ if (seteuid(0) < 0)
+ fatal("Failed to seteuid");
+ s = socket(domain, SOCK_STREAM, 0);
  if (s < 0)
  goto bad;
  socket_set_reuseaddr (s, 1);
@@ -1232,7 +1234,8 @@
  goto bad;
  sleep(tries);
  }
- seteuid(pw->pw_uid);
+ if (seteuid(pw->pw_uid) < 0)
+ fatal("Failed to seteuid");
 #ifdef IPTOS_THROUGHPUT
  socket_set_tos (s, IPTOS_THROUGHPUT);
 #endif
@@ -1240,7 +1243,8 @@
 bad:
  /* Return the real value of errno (close may change it) */
  t = errno;
- seteuid((uid_t)pw->pw_uid);
+ if (seteuid((uid_t)pw->pw_uid) < 0)
+ fatal("Failed to seteuid");
  close(s);
  errno = t;
  return (NULL);
@@ -1271,7 +1275,7 @@
 {
  char sizebuf[32];
  FILE *file;
- int retry = 0;
+ int domain, retry = 0;
  file_size = size;
  byte_count = 0;
@@ -1318,7 +1322,15 @@
  if (usedefault)
  data_dest = his_addr;
  usedefault = 1;
- file = getdatasock(mode);
+ /*
+ * Default to using the same socket type as the ctrl address,
+ * unless we know the type of the data address.
+ */
+ domain = data_dest->sa_family;
+ if (domain == PF_UNSPEC)
+ domain = ctrl_addr->sa_family;
+
+ file = getdatasock(mode, domain);
  if (file == NULL) {
  char data_addr[256];
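Review bot: `fatal("Failed to seteuid")` in end_login() discards the one thing an operator needs when a setuid-root daemon starts dying here: neither errno nor the uid being switched to is reported. If `fatal` is printf-like (its definition is outside the hunk), `fatal("seteuid(0): %s", strerror(errno))` carries that information at no cost; the same wording appears in every other ftpd.c check in this patch and would benefit from the same treatment. end_login's body continues outside the hunk.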
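Review bot: The new `domain` parameter of getdatasock() is undocumented, and the prototype change means every caller must now choose an address family without the definition saying what is expected. A one-line comment above the signature, `/* domain: address family (AF_*) for the data socket, normally taken from data_dest's sa_family */`, would record the contract the caller in dataconn() follows. The rest of getdatasock's body is split across the following hunks.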
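Review bot: The new comment talks about the "socket type", but what is being selected is the address family (domain): the type is `SOCK_STREAM` and is fixed inside getdatasock(). `sa_family` carries an `AF_*` value, so comparing it against `PF_UNSPEC` mixes namespaces even though the two constants are equal everywhere in practice; `if (domain == AF_UNSPEC)` plus a reworded comment, `/* Use the data address's family; fall back to the control connection's family when it is unspecified. */`, would say exactly what the code does. `data_dest` is also dereferenced without a NULL check here; if it can only be NULL when `usedefault` is set the preceding assignment covers it, but that invariant is established outside the hunk.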
@@ -1889,11 +1901,11 @@
  transflag = 0;
  urgflag = 0;
  if (logged_in) {
- seteuid((uid_t)0);
- ftpd_logwtmp(ttyline, "", "");
 #ifdef KRB4
  cond_kdestroy();
 #endif
+ seteuid((uid_t)0); /* No need to check, we call exit() below */
+ ftpd_logwtmp(ttyline, "", "");
  }
  /* beware of flushing buffers after a SIGPIPE */
 #ifdef XXX
@@ -2006,12 +2018,15 @@
  0);
  socket_set_portrange(pdata, restricted_data_ports,
  pasv_addr->sa_family);
- seteuid(0);
+ if (seteuid(0) < 0)
+ fatal("Failed to seteuid");
  if (bind(pdata, pasv_addr, socket_sockaddr_size (pasv_addr)) < 0) {
- seteuid(pw->pw_uid);
+ if (seteuid(pw->pw_uid) < 0)
+ fatal("Failed to seteuid");
  goto pasv_error;
  }
- seteuid(pw->pw_uid);
+ if (seteuid(pw->pw_uid) < 0)
+ fatal("Failed to seteuid");
  len = sizeof(pasv_addr_ss);
  if (getsockname(pdata, pasv_addr, &len) < 0)
  goto pasv_error;
@@ -2050,12 +2065,15 @@
  0);
  socket_set_portrange(pdata, restricted_data_ports,
  pasv_addr->sa_family);
- seteuid(0);
+ if (seteuid(0) < 0)
+ fatal("Failed to seteuid");
  if (bind(pdata, pasv_addr, socket_sockaddr_size (pasv_addr)) < 0) {
- seteuid(pw->pw_uid);
+ if (seteuid(pw->pw_uid))
+ fatal("Failed to seteuid");
  goto pasv_error;
  }
- seteuid(pw->pw_uid);
+ if (seteuid(pw->pw_uid) < 0)
+ fatal("Failed to seteuid");
  len = sizeof(pasv_addr_ss);
  if (getsockname(pdata, pasv_addr, &len) < 0)
  goto pasv_error;
diff -u -r heimdal-0.7.2/appl/rcp/rcp.c heimdal-0.7.2-setuid/appl/rcp/rcp.c
--- heimdal-0.7.2/appl/rcp/rcp.c 2005-05-11 13:04:30.000000000 +0200
+++ heimdal-0.7.2-setuid/appl/rcp/rcp.c 2006-08-31 14:49:15.000000000 +0200
@@ -119,13 +119,15 @@
  if (fflag) {
  /* Follow "protocol", send data. */
  response();
- setuid(userid);
+ if (setuid(userid) < 0)
+ errx(1, "setuid failed");
  source(argc, argv);
  exit(errs);
  }
  if (tflag) {
  /* Receive data. */
- setuid(userid);
+ if (setuid(userid) < 0)
+ errx(1, "setuid failed");
  sink(argc, argv);
  exit(errs);
  }
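Review bot: Moving `cond_kdestroy()` ahead of `seteuid((uid_t)0)` also changes the effective uid it runs under — before it ran after regaining root, now presumably as the logged-in user — which is probably intended (the ticket file belongs to the user) but is not mentioned by the new comment; a line such as `/* destroy the user's tickets as the user, then regain root for wtmp */` would record the reasoning. The "no need to check" comment is right as far as exiting goes, but when the unchecked seteuid does fail, `ftpd_logwtmp` silently runs unprivileged and the logout may never reach wtmp; a diagnostic in that case would keep the audit trail honest. The enclosing function starts and ends outside the hunk.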
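Review bot: In the bind-failure branch the restoring `seteuid(pw->pw_uid)` now runs before `goto pasv_error`, so if pasv_error reports errno (its body is outside the hunk) the value it sees may no longer be bind's — POSIX allows a successful seteuid to modify errno. The `bad:` path of getdatasock() already guards against exactly this with `t = errno;` before and `errno = t;` after the seteuid; the same two lines around the seteuid here would keep the 425 reply accurate.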
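Review bot: The check in the bind-failure branch, `if (seteuid(pw->pw_uid))`, is written differently from every other new check in this patch, all of which use `< 0`. It is equivalent because seteuid returns only 0 or -1, but a reader scanning for the pattern will wonder whether the omission was deliberate; `if (seteuid(pw->pw_uid) < 0)` matches the sibling hunk at 2018 and the rest of the file.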
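Review bot: `errx(1, "setuid failed")` deliberately omits errno, so the user cannot tell whether setuid failed with EPERM, EAGAIN or EINVAL, which is the difference between a misconfigured setuid bit and a hit process limit; `err(1, "setuid")` reports the same condition with strerror appended and is the conventional form for a failed system call. The same substitution applies to the identical site in the next rcp.c hunk.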
@@ -221,7 +223,8 @@
  if (response() < 0)
  exit(1);
  free(bp);
- setuid(userid);
+ if (setuid(userid) < 0)
+ errx(1, "setuid failed");
  }
  source(1, argv+i);
  }
@@ -270,7 +273,8 @@
  }
  free(bp);
  sink(1, argv + argc - 1);
- seteuid(0);
+ if (seteuid(0) < 0)
+ exit(1);
  close(remin);
  remin = remout = -1;
  }
diff -u -r heimdal-0.7.2/appl/rcp/util.c heimdal-0.7.2-setuid/appl/rcp/util.c
--- heimdal-0.7.2/appl/rcp/util.c 2005-04-18 09:52:58.000000000 +0200
+++ heimdal-0.7.2-setuid/appl/rcp/util.c 2006-08-31 14:49:15.000000000 +0200
@@ -112,7 +112,8 @@
  return (127);
  case 0:
- (void)setuid(userid);
+ if (setuid(userid) < 0)
+ _exit(127);
  execl(_PATH_BSHELL, "sh", "-c", s, NULL);
  _exit(127);
  }
diff -u -r heimdal-0.7.2/lib/roken/iruserok.c heimdal-0.7.2-setuid/lib/roken/iruserok.c
--- heimdal-0.7.2/lib/roken/iruserok.c 2005-04-12 13:28:54.000000000 +0200
+++ heimdal-0.7.2-setuid/lib/roken/iruserok.c 2006-08-31 14:49:15.000000000 +0200
@@ -250,7 +250,8 @@
  * are protected read/write owner only.
  */
  uid = geteuid();
- seteuid(pwd->pw_uid);
+ if (seteuid(pwd->pw_uid) < 0)
+ return (-1);
  hostf = fopen(pbuf, "r");
  seteuid(uid);
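Review bot: The failure path after sink() is a bare `exit(1)` with no message, unlike the `errx(1, "setuid failed")` used for the setuid checks earlier in this file, so a user whose rcp exits silently after a transfer has nothing to go on; `err(1, "seteuid")` (or at least `errx(1, "seteuid failed")` for consistency) would name the failing call. Note also that by this point sink() has already written the data, so the non-zero exit reports failure for a copy that completed — acceptable, since the process could not regain privilege for the next argument, but worth a one-line comment saying so.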
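Review bot: The restoring `seteuid(uid)` on the hunk's last line is still unchecked, so if the process cannot regain its original effective uid the function carries on as the target user and everything it does next runs at the wrong privilege. There is no sensible way to continue, so treat it like the new check but without leaking the stream: `if (seteuid(uid) < 0) { if (hostf != NULL) fclose(hostf); return (-1); }`. The function continues outside the hunk, so whether a later caller would notice the wrong euid cannot be confirmed here.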