diff options
-rw-r--r-- | ChangeLog | 8 | ||||
-rw-r--r-- | NEWS | 12 | ||||
-rw-r--r-- | nss/Makefile | 2 | ||||
-rw-r--r-- | nss/nss_files/files-XXX.c | 2 | ||||
-rw-r--r-- | nss/tst-nss-getpwent.c | 118 |
5 files changed, 136 insertions, 6 deletions
diff --git a/ChangeLog b/ChangeLog index 35106b5235..c32cf7ae79 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,11 @@ +2015-04-29 Florian Weimer <fweimer@redhat.com> + + [BZ #18007] + * nss/nss_files/files-XXX.c (CONCAT): Always enable stayopen. + (CVE-2014-8121) + * nss/tst-nss-getpwent.c: New file. + * nss/Makefile (tests): Add new test. + 2015-04-28 Joseph Myers <joseph@codesourcery.com> [BZ #18346] diff --git a/NEWS b/NEWS index fc3911dc29..58cf55930b 100644 --- a/NEWS +++ b/NEWS @@ -13,10 +13,10 @@ Version 2.22 16512, 16560, 16783, 16850, 17090, 17195, 17269, 17523, 17542, 17569, 17588, 17596, 17620, 17621, 17628, 17631, 17711, 17715, 17776, 17779, 17792, 17836, 17912, 17916, 17930, 17932, 17944, 17949, 17964, 17965, - 17967, 17969, 17978, 17987, 17991, 17996, 17998, 17999, 18019, 18020, - 18029, 18030, 18032, 18036, 18038, 18039, 18042, 18043, 18046, 18047, - 18068, 18080, 18093, 18100, 18104, 18110, 18111, 18128, 18138, 18185, - 18197, 18206, 18210, 18211, 18247, 18287, 18333, 18346. + 17967, 17969, 17978, 17987, 17991, 17996, 17998, 17999, 18007, 18019, + 18020, 18029, 18030, 18032, 18036, 18038, 18039, 18042, 18043, 18046, + 18047, 18068, 18080, 18093, 18100, 18104, 18110, 18111, 18128, 18138, + 18185, 18197, 18206, 18210, 18211, 18247, 18287, 18333, 18346. * Cache information can be queried via sysconf() function on s390 e.g. with _SC_LEVEL1_ICACHE_SIZE as argument. @@ -43,6 +43,10 @@ Version 2.22 Hat). These updates cause user visible changes, such as the fix for bug 17998. +* CVE-2014-8121 The NSS files backend would reset the file pointer used by + the get*ent functions if any of the query functions for the same database + are used during the iteration, causing a denial-of-service condition in + some applications. Version 2.21 diff --git a/nss/Makefile b/nss/Makefile index d75dad2ee6..65ab7b5419 100644 --- a/nss/Makefile +++ b/nss/Makefile @@ -47,7 +47,7 @@ install-bin := getent makedb makedb-modules = xmalloc hash-string extra-objs += $(makedb-modules:=.o) -tests = test-netdb tst-nss-test1 test-digits-dots +tests = test-netdb tst-nss-test1 test-digits-dots tst-nss-getpwent xtests = bug-erange # Specify rules for the nss_* modules. We have some services. diff --git a/nss/nss_files/files-XXX.c b/nss/nss_files/files-XXX.c index a7a45e5b0e..a7ce5ea97e 100644 --- a/nss/nss_files/files-XXX.c +++ b/nss/nss_files/files-XXX.c @@ -134,7 +134,7 @@ CONCAT(_nss_files_set,ENTNAME) (int stayopen) __libc_lock_lock (lock); - status = internal_setent (stayopen); + status = internal_setent (1); if (status == NSS_STATUS_SUCCESS && fgetpos (stream, &position) < 0) { diff --git a/nss/tst-nss-getpwent.c b/nss/tst-nss-getpwent.c new file mode 100644 index 0000000000..f2e8abce60 --- /dev/null +++ b/nss/tst-nss-getpwent.c @@ -0,0 +1,118 @@ +/* Copyright (C) 2015 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + <http://www.gnu.org/licenses/>. */ + +#include <pwd.h> +#include <stdbool.h> +#include <stdio.h> +#include <stdlib.h> +#include <string.h> + +int +do_test (void) +{ + /* Count the number of entries in the password database, and fetch + data from the first and last entries. */ + size_t count = 0; + struct passwd * pw; + char *first_name = NULL; + uid_t first_uid = 0; + char *last_name = NULL; + uid_t last_uid = 0; + setpwent (); + while ((pw = getpwent ()) != NULL) + { + if (first_name == NULL) + { + first_name = strdup (pw->pw_name); + if (first_name == NULL) + { + printf ("strdup: %m\n"); + return 1; + } + first_uid = pw->pw_uid; + } + + free (last_name); + last_name = strdup (pw->pw_name); + if (last_name == NULL) + { + printf ("strdup: %m\n"); + return 1; + } + last_uid = pw->pw_uid; + ++count; + } + endpwent (); + + if (count == 0) + { + printf ("No entries in the password database.\n"); + return 0; + } + + /* Try again, this time interleaving with name-based and UID-based + lookup operations. The counts do not match if the interleaved + lookups affected the enumeration. */ + size_t new_count = 0; + setpwent (); + while ((pw = getpwent ()) != NULL) + { + if (new_count == count) + { + printf ("Additional entry in the password database.\n"); + return 1; + } + ++new_count; + struct passwd *pw2 = getpwnam (first_name); + if (pw2 == NULL) + { + printf ("getpwnam (%s) failed: %m\n", first_name); + return 1; + } + pw2 = getpwnam (last_name); + if (pw2 == NULL) + { + printf ("getpwnam (%s) failed: %m\n", last_name); + return 1; + } + pw2 = getpwuid (first_uid); + if (pw2 == NULL) + { + printf ("getpwuid (%llu) failed: %m\n", + (unsigned long long) first_uid); + return 1; + } + pw2 = getpwuid (last_uid); + if (pw2 == NULL) + { + printf ("getpwuid (%llu) failed: %m\n", + (unsigned long long) last_uid); + return 1; + } + } + endpwent (); + if (new_count < count) + { + printf ("Missing entry in the password database.\n"); + return 1; + } + + return 0; +} + +#define TEST_FUNCTION do_test () +#include "../test-skeleton.c" |