Bug#225692: dpkg: Allows users to stash away vulnerable versions of setuid binaries
Here's a patch that just copies the code from main/remove.c which is
known to work.
Scott
--
Have you ever, ever felt like this?
Had strange things happen? Are you going round the twist?
Index: main/processarc.c
===================================================================
--- main/processarc.c (revision 1839)
+++ main/processarc.c (revision 1840)
@@ -639,6 +639,20 @@
} else
debug(dbg_eachfile, "process_archive: could not stat %s, skipping", fnamevb.buf);
if (donotrm) continue;
+ {
+ /*
+ * If file to remove is a device or s[gu]id, change its mode
+ * so that a malicious user cannot use it even if it's linked
+ * to another file.
+ */
+ struct stat stat_buf;
+ if (stat(fnamevb.buf,&stat_buf)==0) {
+ if (S_ISCHR(stat_buf.st_mode) || S_ISBLK(stat_buf.st_mode))
+ chmod(fnamevb.buf, 0);
+ if (stat_buf.st_mode & (S_ISUID|S_ISGID))
+ chmod(fnamevb.buf, stat_buf.st_mode & ~(S_ISUID|S_ISGID));
+ }
+ }
if (!unlink(fnamevb.buf)) continue;
if (errno == ENOTDIR) continue;
}
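Review bot: The added block calls `stat()` and then `chmod()` on `fnamevb.buf`, and both follow symbolic links, so if the old path is a symlink the mode change lands on the link's target rather than on the entry about to be unlinked. Whether a symlink can reach this point is not visible here, since the enclosing loop in process_archive starts and ends outside the hunk, but the guard is cheap: `if (lstat(fnamevb.buf,&stat_buf)==0 && !S_ISLNK(stat_buf.st_mode)) {`. The two `if`s are also independent, so a device node that carries setuid/setgid bits is first set to mode 0 and then given its original permission bits back, minus S_ISUID/S_ISGID, by the second `chmod`; making the second test an `else if` keeps the stricter result. The `chmod` return values are ignored, so a failed mode change is silent before the `unlink`; a `debug(dbg_eachfile, ...)` line on failure would at least leave a trace.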
Index: ChangeLog
===================================================================
--- ChangeLog (revision 1839)
+++ ChangeLog (revision 1840)
@@ -1,3 +1,11 @@
+Thu Feb 26 01:48:15 GMT 2004 Scott James Remnant <scott@netsplit.com>
+
+ * main/processarc.c (process_archive): Copy code from main/remove.c
+ to ensure that hardlinks to devices, setuid files or setgid files
+ cannot be stashed away in the hope that they become compromisable
+ in the future. This was handled when removing a package, but not
+ when upgrading one.
+
Thu Feb 26 01:23:13 GMT 2004 Scott James Remnant <scott@netsplit.com>
* version-nr: Bump to 1.10.18.1