Re: Bug#832908: mongodb: CVE-2016-6494: world-readable .dbshell history file: LTS update and upgrade handling
Hi all
I have prepared a preliminary patch for wheezy. I have not yet been able to test it fully (it is building right now). It looks like the attached. You may need to modify it for later versions.
Please comment. The principles should be ok even if I may have made some stupid copy+paste mistake. It worked fine in a little test program I made.
Hope this helps
// Ola
Description: World readable dbshell log file
This correction makes sure the ~/.dbshell log file is not world readable.
.
mongodb (1:2.0.6-1deb7u1) wheezy-security; urgency=high
.
* Non-maintainer upload by the Long Term Security Team.
* Make sure dbshell log file is not readable by others.
Author: Ola Lundqvist <opal@debian.org>
Origin: other
Bug: https://jira.mongodb.org/browse/SERVER-25335
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832908
Forwarded: no
Reviewed-By: Ola Lundqvist <opal@debian.org>
Last-Update: 2016-08-01
Index: mongodb-2.0.6/third_party/linenoise/linenoise.cpp
===================================================================
--- mongodb-2.0.6.orig/third_party/linenoise/linenoise.cpp 2012-06-04 13:42:54.000000000 +0000
+++ mongodb-2.0.6/third_party/linenoise/linenoise.cpp 2016-08-01 22:05:34.234826380 +0000
@@ -104,11 +104,13 @@
#include <termios.h>
#include <unistd.h>
+#include <fcntl.h>
#include <stdlib.h>
#include <stdio.h>
#include <errno.h>
#include <string.h>
#include <stdlib.h>
+#include <sys/stat.h>
#include <sys/types.h>
#include <sys/ioctl.h>
#include <unistd.h>
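Review bot: `<fcntl.h>` is added here but nothing in the later hunks uses it; `umask`, `stat`, `chmod` and the `S_I*OTH` macros all come from `<sys/stat.h>`. Either drop it, or use it for an `open(filename, O_WRONLY|O_CREAT|O_TRUNC, S_IRUSR|S_IWUSR)` in `linenoiseHistorySave`, which would make the umask handling below unnecessary. Unrelated to this change, the block already includes `<stdlib.h>` and `<unistd.h>` twice; worth tidying while touching it.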
@@ -799,6 +801,9 @@
/* Save the history in the specified file. On success 0 is returned
* otherwise -1 is returned. */
int linenoiseHistorySave(const char *filename) {
+ mode_t prev_mask = umask(0022);
+ // Make sure this file is not readable by others
+ umask(prev_mask | S_IROTH | S_IWOTH | S_IXOTH);
FILE *fp = fopen(filename,"w");
int j;
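Review bot: the umask is tightened and never restored, so every call to `linenoiseHistorySave` leaves the process umask permanently changed for all files the shell creates afterwards, and the `umask(0022)` call only serves to read the old mask. Keep `prev_mask`, call `umask(prev_mask | S_IRWXO)` once, and restore it with `umask(prev_mask)` immediately after the `fopen` on both the success and failure paths. Also note that umask only affects file creation: if `~/.dbshell` already exists world-readable, `fopen(filename,"w")` keeps its existing permissions, so an existing file is only fixed if the Load hunk ran first. The more direct fix is `int fd = open(filename, O_WRONLY|O_CREAT|O_TRUNC, S_IRUSR|S_IWUSR);` followed by `fchmod(fd, S_IRUSR|S_IWUSR)` for the pre-existing case and `FILE *fp = fdopen(fd, "w");`, which is what the `<fcntl.h>` include added above would be for.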
@@ -817,6 +822,16 @@
* If the file exists and the operation succeeded 0 is returned, otherwise
* on error -1 is returned. */
int linenoiseHistoryLoad(const char *filename) {
+ struct stat fileStat;
+ if (stat(filename,&fileStat) < 0) return -1;
+ if (fileStat.st_mode & S_IROTH ||
+ fileStat.st_mode & S_IWOTH ||
+ fileStat.st_mode & S_IXOTH) {
+ // If the file is world readable, writeable or executable
+ // make sure it is not but keep all other permissions.
+ chmod(filename, fileStat.st_mode & 0777770);
+ }
+
FILE *fp = fopen(filename,"r");
char buf[LINENOISE_MAX_LINE];
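Review bot: the `stat` / `chmod` / `fopen` sequence has a window between the check and the open, follows symlinks, and ignores the `chmod` return value; opening first and then calling `fstat(fileno(fp), &fileStat)` and `fchmod(fileno(fp), ...)` on the open descriptor avoids all three. The mask `0777770` is correct (it keeps the type, setuid/setgid/sticky, user and group bits and clears only the other rwx bits), but `if (fileStat.st_mode & S_IRWXO)` and `fileStat.st_mode & ~S_IRWXO` say the same thing without the magic number. As written, group read access to the history file is still allowed; if the intent is that only the owner can read it, mask with `~(S_IRWXG|S_IRWXO)` instead.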