Hello community,
here is the log from the commit of package cryptconfig
checked in at Sun Feb 25 12:11:52 CET 2007.
--------
--- cryptconfig/cryptconfig.changes 2007-02-15 00:07:42.000000000 +0100
+++ /mounts/work_src_done/STABLE/cryptconfig/cryptconfig.changes 2007-02-21 20:31:50.263602000 +0100
@@ -1,0 +2,14 @@
+Wed Feb 21 20:31:23 CET 2007 - crivera@suse.de
+
+- Remove 'su' from the list of pam config files to edit.
+ This fixes Bug 245702.
+- Add a check against a key file size threshold to avoid interger overflow
+ attacks. This helps fix 243881.
+- Replace chown and g_stat with fchown and fstat to avoid potential
+ symlink issues. This helps fix 243881.
+- Use "--" to prevent user's from adding additional command-line options
+ to apps that we exec. This helps fix 243881.
+- Use flock() to avoid races if multiple instances cryptconfig are running.
+- Set our umask to 077. This helps fix 243881.
+
+-------------------------------------------------------------------
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ cryptconfig.spec ++++++
--- /var/tmp/diff_new_pack.eH2637/_old 2007-02-25 12:11:42.000000000 +0100
+++ /var/tmp/diff_new_pack.eH2637/_new 2007-02-25 12:11:42.000000000 +0100
@@ -12,7 +12,7 @@
Name: cryptconfig
Version: 0.1.0
-Release: 14
+Release: 15
Group: System/Base
License: GNU Library General Public License v. 2.0 and 2.1 (LGPL)
Summary: A Utility to Configure Encrypted Home Directories and LUKS Partitions
@@ -61,7 +61,18 @@
%{_sysconfdir}/cryptconfig.conf
%doc %{_mandir}/man8/cryptconfig.8.gz
-%changelog -n cryptconfig
+%changelog
+* Wed Feb 21 2007 - crivera@suse.de
+- Remove 'su' from the list of pam config files to edit.
+ This fixes Bug 245702.
+- Add a check against a key file size threshold to avoid interger overflow
+ attacks. This helps fix 243881.
+- Replace chown and g_stat with fchown and fstat to avoid potential
+ symlink issues. This helps fix 243881.
+- Use "--" to prevent user's from adding additional command-line options
+ to apps that we exec. This helps fix 243881.
+- Use flock() to avoid races if multiple instances cryptconfig are running.
+- Set our umask to 077. This helps fix 243881.
* Thu Feb 15 2007 - crivera@suse.de
- Use 64-bit version of lseek() when creating and enlarging
images. This fixes 245632.
++++++ cryptconfig-0.1.0.tar.gz ++++++
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/cryptconfig-0.1.0/ChangeLog new/cryptconfig-0.1.0/ChangeLog
--- old/cryptconfig-0.1.0/ChangeLog 2007-02-14 23:56:50.000000000 +0100
+++ new/cryptconfig-0.1.0/ChangeLog 2007-02-21 20:21:01.000000000 +0100
@@ -1,3 +1,28 @@
+2007-02-21 Chris Rivera
+
+ * src/cryptconfig-lib.c: Add a check against a key file size threshold
+ to avoid interger overflow attacks. This helps fix 243881.
+
+2007-02-20 Chris Rivera
+
+ * src/cryptconfig-lib.c: Remove 'su' from the list of pam config files
+ to edit. This fixes Bug 245702.
+
+ * src/pam_cryptpass.c:
+ * src/cryptconfig-lib.c:
+
+ Replace chown and g_stat with fchown and fstat to
+ avoid potential symlink issues.
+
+ Use "--" to prevent user's from adding additional command-line options
+ to apps that we exec.
+
+ Use flock() to avoid races if multiple instances cryptconfig are running.
+
+ * src/cryptconfig.c: s/umask(022)/umask(077)/
+
+ These changes fix the issues in Bug 243881.
+
2007-02-14 Chris Rivera
* src/cryptconfig-lib.c: Use 64-bit versions of lseek ()
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/cryptconfig-0.1.0/cryptconfig.conf new/cryptconfig-0.1.0/cryptconfig.conf
--- old/cryptconfig-0.1.0/cryptconfig.conf 2007-01-23 19:54:21.000000000 +0100
+++ new/cryptconfig-0.1.0/cryptconfig.conf 2007-02-20 16:13:59.000000000 +0100
@@ -1,2 +1,2 @@
[PAM]
-Services=gdm;login;kdm;xdm;su;sudo
+Services=gdm;login;kdm;xdm;sudo
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/cryptconfig-0.1.0/src/cryptconfig.c new/cryptconfig-0.1.0/src/cryptconfig.c
--- old/cryptconfig-0.1.0/src/cryptconfig.c 2007-02-13 22:14:38.000000000 +0100
+++ new/cryptconfig-0.1.0/src/cryptconfig.c 2007-02-21 18:45:33.000000000 +0100
@@ -342,9 +342,8 @@
/* copy the user's existing data */
if (!no_copy) {
- g_print (_("Copying existing data from %s. This may take some time... "),
- pent->pw_dir);
- if (!copy_data (pent->pw_dir, temp_dir)) {
+ g_print (_("Copying existing data from %s. This may take some time... "), pent->pw_dir);
+ if (!copy_user_data (pent->pw_dir, temp_dir)) {
g_printerr (_("\nFailed to copy user data\n"));
goto cleanup;
}
@@ -1298,7 +1297,7 @@
return 1;
}
- umask (022);
+ umask (077);
ret = cmd->execute (argv[1], argc, argv);
g_hash_table_destroy (commands);
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/cryptconfig-0.1.0/src/cryptconfig.h new/cryptconfig-0.1.0/src/cryptconfig.h
--- old/cryptconfig-0.1.0/src/cryptconfig.h 2007-02-12 22:02:36.000000000 +0100
+++ new/cryptconfig-0.1.0/src/cryptconfig.h 2007-02-21 20:09:47.000000000 +0100
@@ -12,6 +12,7 @@
*/
#define KEY_DATA_SIZE 256
#define BUFF_SIZE 256
+#define KEY_FILE_SIZE_THRESHOLD 1048576
#define PAM_SERVICES_DIR "/etc/pam.d"
#define PAM_MOUNT_CONF "/etc/security/pam_mount.conf"
#define PAM_PASSWD_CONF "/etc/pam.d/passwd"
@@ -55,7 +56,7 @@
gchar *path_to_map_name (const char *path);
gboolean unlock_image (const char *image_file, const char *key_file, char **map_device, char **loop_dev);
gboolean check_disk_space (char *image, char *current_home, guint64 *home_size);
-gboolean copy_data (const char *src, const char *dest);
+gboolean copy_user_data (const char *src, const char *dest);
gboolean get_passphrase (const char *prompt, int verify, gchar **passphrase);
gboolean enlarge_image (const char *image, int size_to_add_in_mb);
gboolean get_random_key_data (gchar **key_data, size_t key_size);
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/cryptconfig-0.1.0/src/cryptconfig-lib.c new/cryptconfig-0.1.0/src/cryptconfig-lib.c
--- old/cryptconfig-0.1.0/src/cryptconfig-lib.c 2007-02-14 23:53:07.000000000 +0100
+++ new/cryptconfig-0.1.0/src/cryptconfig-lib.c 2007-02-21 20:22:32.000000000 +0100
@@ -31,6 +31,7 @@
#include
#include
#include
+#include
#include
#include
#include
@@ -42,7 +43,7 @@
static long fs_min_sizes[] = { 10, 10, 40 };
static gchar *fs_list[] = { "ext3", "ext2", "reiserfs" };
-static gchar *default_pam_services[] = { "gdm", "login", "kdm", "xdm", "su", "sudo", NULL };
+static gchar *default_pam_services[] = { "gdm", "login", "kdm", "xdm", "sudo", NULL };
/*
* Manually copy the contents of old to new
@@ -59,7 +60,7 @@
return -1;
}
- new_fd = open (new, O_WRONLY | O_CREAT | O_TRUNC);
+ new_fd = open (new, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW);
if (new_fd == -1) {
close (old_fd);
g_printerr ("open: %s\n", strerror (errno));
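Review bot: The open() on the preceding line passes O_CREAT without the third mode argument, so when `new` does not yet exist its permission bits come from whatever is in the unfilled variadic slot; the hunk adds O_NOFOLLOW but leaves this as it was. Pass an explicit mode, e.g. `new_fd = open (new, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0600);` — a restrictive initial mode is harmless where the caller restores the saved mode afterwards, as rename_file() does with fchmod() later in this file. The enclosing copy function starts before this hunk.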
@@ -90,7 +91,7 @@
*/
static gboolean rename_file (const char *old, const char *new)
{
- int retval;
+ int retval, new_fd;
struct stat info;
if (!g_file_test (old, G_FILE_TEST_EXISTS) ||
@@ -117,16 +118,25 @@
if (retval)
return FALSE;
- if (chmod (new, info.st_mode)) {
- g_printerr ("chmod: %s\n", strerror (errno));
+ new_fd = open (new, O_RDONLY | O_NOFOLLOW);
+ if (new_fd == -1) {
+ g_printerr ("open: %s\n", strerror (errno));
+ return FALSE;
+ }
+
+ if (fchmod (new_fd, info.st_mode)) {
+ g_printerr ("fchmod: %s\n", strerror (errno));
+ close (new_fd);
return FALSE;
}
- if (chown (new, info.st_uid, info.st_gid)) {
- g_printerr ("chown: %s\n", strerror (errno));
+ if (fchown (new_fd, info.st_uid, info.st_gid)) {
+ g_printerr ("fchown: %s\n", strerror (errno));
+ close (new_fd);
return FALSE;
}
+ close (new_fd);
return TRUE;
}
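Review bot: fchmod() runs before fchown() in this hunk, and on Linux changing the owner or group of a file clears its set-user-ID and set-group-ID bits, so a mode saved in `info.st_mode` with those bits set would not survive the second call; running fchown() first and fchmod() second preserves the full mode. The visible callers rewrite PAM configuration files, so this is a hardening point for the generic helper rather than a reproducible failure today. Opening `new` with O_RDONLY is sufficient for both fchmod() and fchown(). rename_file() begins in the previous hunk and the stat() that fills `info` is outside this one.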
@@ -140,22 +150,36 @@
{
FILE *old, *new;
gchar *tmp_name;
- int fd;
+ int new_fd, old_fd;
char buff[BUFF_SIZE];
+
+ old_fd = open (file, O_RDONLY | O_NOFOLLOW);
+ if (old_fd == -1) {
+ g_printerr (_("Failed to open %s: %s\n"), file, strerror (errno));
+ return FALSE;
+ }
+
+ if (flock (old_fd, LOCK_EX)) {
+ g_printerr (_("flock: %s\n"), strerror (errno));
+ close (old_fd);
+ return FALSE;
+ }
- old = fopen (file, "r");
+ old = fdopen (old_fd, "r");
if (!old) {
g_printerr (_("Failed to open %s: %s\n"), file, strerror (errno));
+ close (old_fd);
return FALSE;
}
- fd = g_file_open_tmp (template, &tmp_name, NULL);
- if (fd == -1) {
+ new_fd = g_file_open_tmp (template, &tmp_name, NULL);
+ if (new_fd == -1) {
g_printerr (_("Failed to create temp file\n"));
+ fclose (old);
return FALSE;
}
- new = fdopen (fd, "a+");
+ new = fdopen (new_fd, "a+");
if (!new) {
g_free (tmp_name);
fclose (old);
@@ -168,12 +192,13 @@
fprintf (new, buff);
}
- fclose (old);
fclose (new);
-
+ fflush (old);
+
if (!rename_file (tmp_name, file))
fprintf (stderr, "Failed to update %s\n", file);
-
+
+ fclose (old);
g_free (tmp_name);
return TRUE;
}
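Review bot: The context line `fprintf (new, buff);` passes a line read from the file being rewritten as the printf format string, so a `%` sequence in a configuration line is interpreted rather than copied through; the flock()/fdopen() rework keeps this as it was. Replace it with `fputs (buff, new);`. Two smaller points in the same hunk: `fflush (old)` on a stream that is only read from is undefined by ISO C (POSIX gives it meaning only for seekable input streams) and can be dropped, and the added `fclose (old)` on the g_file_open_tmp() failure path is what releases the flock() taken on `old_fd`, which is worth a one-line comment there. The enclosing function starts before this hunk.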
@@ -246,7 +271,7 @@
*/
static gboolean get_directory_size (char *directory, guint64 *size)
{
- gchar *argv[] = { DU_BIN_PATH, "-shk", directory, NULL };
+ gchar *argv[] = { DU_BIN_PATH, "-shk", "--", directory, NULL };
gchar *std_out;
gboolean ret;
gint status;
@@ -272,11 +297,25 @@
static gboolean enable_pam_cryptpass (void)
{
FILE *fp;
+ int fd;
char buff[BUFF_SIZE];
- fp = fopen (PAM_PASSWD_CONF, "a+");
+ fd = open (PAM_PASSWD_CONF, O_RDWR | O_APPEND);
+ if (fd == -1) {
+ g_printerr (_("open: %s\n"), strerror (errno));
+ return FALSE;
+ }
+
+ if (flock (fd, LOCK_EX)) {
+ g_printerr (_("flock: %s\n"), strerror (errno));
+ close (fd);
+ return FALSE;
+ }
+
+ fp = fdopen (fd, "a+");
if (!fp) {
g_printerr (_("Failed to open pam"));
+ close (fd);
return FALSE;
}
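Review bot: The removed `fopen (PAM_PASSWD_CONF, "a+")` created the file when it was missing, whereas `open (PAM_PASSWD_CONF, O_RDWR | O_APPEND)` without O_CREAT fails with ENOENT, so enable_pam_cryptpass() now behaves differently on a system where that file is absent. If refusing to create PAM files is intended, record it above the open(), e.g. `/* never create PAM config files; the owning package must have installed them */`; otherwise add O_CREAT with an explicit mode. The message `Failed to open pam` on the fdopen() path also lacks a newline and strerror(), unlike the open() and flock() messages just above it. The same open-without-O_CREAT change appears in the PAM_MOUNT_CONF hunk further down.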
@@ -366,20 +405,28 @@
for (i = 0; i < size; i++) {
FILE *config;
- int n, found = 0;
+ int n, fd, found = 0;
char buff[BUFF_SIZE];
if (!list[i])
break;
- if (!g_file_test (list[i], G_FILE_TEST_EXISTS)) {
- fprintf (stderr, _("'%s' doesn't exist, skipping\n"), list[i]);
+ fd = open (list[i], O_RDWR | O_APPEND);
+ if (fd == -1) {
+ g_printerr (_("Unable to open '%s', skipping\n"), list[i]);
+ continue;
+ }
+
+ if (flock (fd, LOCK_EX)) {
+ g_printerr ("flock: %s\n", strerror (errno));
+ close (fd);
continue;
}
- config = fopen (list[i], "a+");
+ config = fdopen (fd, "a+");
if (!config) {
- fprintf (stderr, _("Unable to open '%s', skipping\n"), list[i]);
+ g_printerr ("fdopen: %s\n", strerror (errno));
+ close (fd);
continue;
}
@@ -618,18 +665,28 @@
size_t hk_sz, total_size;
int fd, final_size, kd_size;
gboolean ret = FALSE;
+ struct stat info;
EVP_CIPHER_CTX ctx;
unsigned char iv[EVP_MAX_IV_LENGTH];
unsigned char hashed_key[EVP_MAX_KEY_LENGTH];
unsigned char salt[PKCS5_SALT_LEN];
unsigned char magic[8];
- fd = open (key_file, O_RDONLY);
+ fd = open (key_file, O_RDONLY | O_NOFOLLOW);
if (fd == -1) {
g_printerr ("open: %s\n", strerror (errno));
return FALSE;
}
+ /* make sure the key_file is below our size threshold */
+ if (fstat (fd, &info)) {
+ g_printerr ("open: %s\n", strerror (errno));
+ return FALSE;
+ } else if (info.st_size > KEY_FILE_SIZE_THRESHOLD) {
+ g_printerr (_("key file is too large\n"));
+ return FALSE;
+ }
+
EVP_CIPHER_CTX_init (&ctx);
/* check the magic in the key and read the salt */
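Review bot: Both new early returns leak `fd`: on fstat() failure and when `st_size` exceeds KEY_FILE_SIZE_THRESHOLD the function returns FALSE without closing the descriptor it just opened, and the fstat() error is reported with the prefix `open:`. Change the first branch to `g_printerr ("fstat: %s\n", strerror (errno)); close (fd); return FALSE;` and add `close (fd);` before the `return FALSE;` in the else-if branch. The enclosing function starts before this hunk and its normal cleanup path is not visible here.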
@@ -900,7 +957,7 @@
gboolean create_image_zero (const char *image, int size_in_mb)
{
long long bytes = (long long) size_in_mb * 1048576;
- int fd = open (image, O_WRONLY | O_CREAT | O_TRUNC | O_LARGEFILE, 0600);
+ int fd = open (image, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW | O_LARGEFILE, 0600);
if (fd == -1) {
g_printerr ("open: %s\n", strerror (errno));
return FALSE;
@@ -931,7 +988,7 @@
gboolean ret;
char buff[BUFSIZ];
- fd = open (image, O_WRONLY | O_CREAT | O_TRUNC | O_LARGEFILE, 0600);
+ fd = open (image, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW | O_LARGEFILE, 0600);
if (fd == -1) {
g_printerr ("open: %s\n", strerror (errno));
return FALSE;
@@ -1005,7 +1062,7 @@
*/
gboolean create_filesystem (char *device, char *fs_type)
{
- char *argv[] = { MKFS_BIN_PATH, "-t", fs_type, "-q", device, NULL };
+ char *argv[] = { MKFS_BIN_PATH, "-t", fs_type, "-q", "--", device, NULL };
GError *err;
gint status;
gboolean ret;
@@ -1075,11 +1132,11 @@
struct passwd *pent;
FILE *fs;
const char *up;
- int n;
+ int n, fd;
char haystack[BUFF_SIZE];
char needle[BUFF_SIZE];
char esc_user[BUFF_SIZE];
-
+
if (!g_file_test (image_file, G_FILE_TEST_EXISTS) ||
!g_file_test (key_file, G_FILE_TEST_EXISTS)) {
g_printerr ("access: %s\n", strerror (errno));
@@ -1118,9 +1175,22 @@
if (n == -1)
return FALSE;
- fs = fopen (PAM_MOUNT_CONF, "a+");
+ fd = open (PAM_MOUNT_CONF, O_RDWR | O_APPEND);
+ if (!fd) {
+ g_printerr ("open: %s\n", strerror (errno));
+ return FALSE;
+ }
+
+ if (flock (fd, LOCK_EX)) {
+ g_printerr ("flock: %s\n", strerror (errno));
+ close (fd);
+ return FALSE;
+ }
+
+ fs = fdopen (fd, "a+");
if (!fs) {
- g_printerr ("fopen: %s\n", strerror (errno));
+ g_printerr ("fdopen: %s\n", strerror (errno));
+ close (fd);
return FALSE;
}
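Review bot: `if (!fd)` does not detect a failed open(): open() returns -1 on error and 0 is a valid descriptor, so a missing or unreadable PAM_MOUNT_CONF proceeds to `flock (-1, ...)` and `fdopen (-1, ...)`, and the error branch is taken only if descriptor 0 happened to be free. Use `if (fd == -1) {` as every other open() check in this commit does. The enclosing function starts before this hunk.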
@@ -1299,6 +1369,12 @@
return FALSE;
}
+ if (flock (fd, LOCK_EX)) {
+ g_printerr ("flock: %s\n", strerror (errno));
+ close (fd);
+ return FALSE;
+ }
+
if (lseek64 (fd, total, SEEK_END) == -1) {
close (fd);
return FALSE;
@@ -1350,9 +1426,10 @@
}
/*
- * Copy data in src to dest
+ * Copy data in src to dest. This function should not be called with
+ * user input.
*/
-gboolean copy_data (const char *src, const char *dest)
+gboolean copy_user_data (const char *home_dir, const char *dest)
{
gchar *cmd, *argv[] = { "/bin/sh", "-c", NULL, NULL };
GError *err = NULL;
@@ -1360,7 +1437,7 @@
int status;
gboolean ret;
- cmd = g_strdup_printf ("/bin/cp -axp %s/* %s", src, dest);
+ cmd = g_strdup_printf ("/bin/cp -axp %s/* %s", home_dir, dest);
argv[2] = cmd;
ret = g_spawn_async_with_pipes (NULL, argv, NULL,
G_SPAWN_DO_NOT_REAP_CHILD |
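Review bot: The command is still built with g_strdup_printf() and run through `/bin/sh -c`, so `home_dir` and `dest` are shell-interpreted; the rename to copy_user_data() and the comment in the previous hunk saying it must not be called with user input record the hazard without removing it, and the caller in cryptconfig.c passes `pent->pw_dir`, a value read from the passwd database. Quoting both arguments removes the dependency on the caller: `gchar *q_home = g_shell_quote (home_dir), *q_dest = g_shell_quote (dest);` followed by `cmd = g_strdup_printf ("/bin/cp -axp %s/* %s", q_home, q_dest);` with both quoted strings g_free()d once `cmd` is built; g_shell_quote() wraps the path itself, so the `/*` glob stays outside the quotes and still expands. This is the only hunk of the function that builds the command.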
@@ -1402,7 +1479,7 @@
gboolean mount_dev (char *fs_type, char *device, char *mount_point)
{
int status;
- char *argv[] = { "/bin/mount", "-n", "-t", fs_type, "-o", "user_xattr",
+ char *argv[] = { "/bin/mount", "-n", "-t", fs_type, "-o", "user_xattr", "--",
device, mount_point, NULL};
return g_spawn_sync (NULL, argv, NULL,
G_SPAWN_STDOUT_TO_DEV_NULL | G_SPAWN_STDERR_TO_DEV_NULL,
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/cryptconfig-0.1.0/src/pam_cryptpass.c new/cryptconfig-0.1.0/src/pam_cryptpass.c
--- old/cryptconfig-0.1.0/src/pam_cryptpass.c 2007-01-16 20:27:53.000000000 +0100
+++ new/cryptconfig-0.1.0/src/pam_cryptpass.c 2007-02-20 20:55:48.000000000 +0100
@@ -23,12 +23,17 @@
* used to encrypt the key for their encrypted home directory.
*/
+#define _GNU_SOURCE
+
#include
#include
#include
#include
+#include
+#include
#include
#include
+#include
#define PAM_SM_PASSWORD
#include
@@ -42,6 +47,7 @@
{
FILE *fp;
struct passwd *pent;
+ int key_fd;
struct stat info;
char line[BUFF_SIZE];
char needle[BUFF_SIZE];
@@ -82,9 +88,18 @@
key_file[kf_len - 1] = '\0';
/* make sure the key exists and user is the owner */
- if (!g_stat (key_file, &info) && pent->pw_uid == info.st_uid) {
+ key_fd = open (key_file, O_RDONLY | O_NOFOLLOW);
+ if (key_fd == -1) {
+ fclose (fp);
+ return -1;
+ }
+
+ if (!fstat (key_fd, &info) && pent->pw_uid == info.st_uid) {
fclose (fp);
+ close (key_fd);
return 0;
+ } else {
+ close (key_fd);
}
}
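Review bot: An open() failure now returns -1 from this block, whereas the removed g_stat() test simply fell through when the stat failed; if this sits inside the loop that reads `fp` line by line (the enclosing block starts before the hunk), a missing or unreadable key file now aborts the lookup instead of moving on, and whichever is intended deserves a comment on the `return -1;`. The uid comparison also accepts any file type: adding `S_ISREG (info.st_mode)` to the condition rejects device nodes and FIFOs, and O_NONBLOCK on the open() keeps the module from blocking if the path is a FIFO, which matters if the key file lives in a directory the user can write to — something this hunk does not show.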
@@ -128,7 +143,7 @@
} else if (flags & PAM_UPDATE_AUTHTOK) {
char *pass_old, *pass_new, *key_data;
struct passwd *pent;
- int key_size;
+ int key_size, key_fd;
/* update the password used to encrypt the key */
ret = pam_get_item (pamh, PAM_OLDAUTHTOK, (void *) &pass_old);
@@ -165,11 +180,19 @@
return PAM_AUTHTOK_ERR;
}
- if (chown (key_file, pent->pw_uid, 0)) {
- syslog (LOG_ERR, "Failed to change the owner of %s\n", key_file);
+ key_fd = open (key_file, O_RDONLY | O_NOFOLLOW);
+ if (key_fd == -1) {
+ syslog (LOG_ERR, "Failed to open %s: %s\n", key_file, strerror (errno));
+ return PAM_AUTHTOK_ERR;
+ }
+
+ if (fchown (key_fd, pent->pw_uid, 0)) {
+ syslog (LOG_ERR, "Failed to change the owner of %s: %s\n", key_file, strerror (errno));
+ close (key_fd);
return PAM_AUTHTOK_ERR;
}
+ close (key_fd);
syslog (LOG_INFO, "Password for %s was successfully changed.\n", key_file);
} else {
/* things are not good */
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++