diff -up mod_auth_shadow-2.2/mod_auth_shadow.c.CVE-2010-1151 mod_auth_shadow-2.2/mod_auth_shadow.c --- mod_auth_shadow-2.2/mod_auth_shadow.c.CVE-2010-1151 2007-04-02 17:38:27.000000000 +0200 +++ mod_auth_shadow-2.2/mod_auth_shadow.c 2010-04-09 14:26:05.949633122 +0200 @@ -144,6 +144,7 @@ static int auth_shadow_authorize(const c int filedes[2]; /* fd's for pipe. Read from 0, write to 1*/ char validate_prog[255]; int ret, status; + int cpid; FILE* fp; if (strlen(INSTBINDIR) > 240) { @@ -192,6 +193,9 @@ static int auth_shadow_authorize(const c /* Parent */ + /* Save child pid - we must only accept answers from it */ + cpid = ret; + /* We write to the pipe, then wait for the child to finish. */ fp = fdopen(filedes[1],"w"); if (!fp) { @@ -209,12 +213,17 @@ static int auth_shadow_authorize(const c return(-1); } - ret = wait(&status); - if (ret==0 || ret==-1) { + ret = waitpid(cpid, &status, 0); + if (ret==-1) { ap_log_error(APLOG_MARK, APLOG_EMERG, errno, r->server, "%s: Error while waiting for child: %d.",module_name, errno); return(-1); } + if (ret==0 || ret!=cpid) { + ap_log_error(APLOG_MARK, APLOG_EMERG, errno, r->server, + "%s: Failure waiting for child (none or wrong child returned): %d.",module_name, ret); + return(-1); + } if (status==0) return 1; /* Correct pw */ @@ -307,7 +316,7 @@ static int user_in_group (char *user, co } ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, NULL, - "%s: Looking in group file for %d: got user: %s", module_name, + "%s: Looking in group file for %s: got user: %s", module_name, groupname, user); // Get group information from group file using re-entrant