#! /bin/sh /usr/share/dpatch/dpatch-run ## 16-tmp-symlink-attack.dpatch by Michael Meskes <meskes@debian.org> ## ## All lines beginning with `## DP:' are a description of the patch. ## DP: Fixing a potential symlink attack ## DP: rediff the following upstream commits against virtualbox-ose 1.6.6-dfsg-1: ## DP: - r13788 ## DP: - r13807 ## DP: - r13809 ## DP: - r13810 @DPATCH@ diff -urNad virtualbox-ose-1.6.6-dfsg.orig/src/libs/xpcom18a4/ipc/ipcd/daemon/src/ipcdUnix.cpp virtualbox-ose-1.6.6-dfsg/src/libs/xpcom18a4/ipc/ipcd/daemon/src/ipcdUnix.cpp --- virtualbox-ose-1.6.6-dfsg.orig/src/libs/xpcom18a4/ipc/ipcd/daemon/src/ipcdUnix.cpp 2008-11-05 14:43:38.000000000 +0100 +++ virtualbox-ose-1.6.6-dfsg/src/libs/xpcom18a4/ipc/ipcd/daemon/src/ipcdUnix.cpp 2008-11-05 14:44:08.000000000 +0100 @@ -93,7 +93,7 @@ EOk = 0, ELockFileOpen = -1, ELockFileLock = -2, - + ELockFileOwner = -3, }; static int ipcLockFD = 0; @@ -112,16 +112,70 @@ lockFile[dirLen] = '/'; memcpy(lockFile + dirLen + 1, lockName, sizeof(lockName)); +#ifdef VBOX + // + // Security checks for the directory + // + struct stat st; + if (stat(baseDir, &st) == -1) + { + printf("Cannot stat '%s'.\n", baseDir); + return ELockFileOwner; + } + + if (st.st_uid != getuid() && st.st_uid != geteuid()) + { + printf("Wrong owner (%d) of '%s'.\n", st.st_uid, baseDir); + return ELockFileOwner; + } + + if (st.st_mode != (S_IRUSR | S_IWUSR | S_IXUSR | S_IFDIR)) + { + printf("Wrong mode (%o) of '%s'.\n", st.st_mode, baseDir); + return ELockFileOwner; + } +#endif + // // open lock file. it remains open until we shutdown. // ipcLockFD = open(lockFile, O_WRONLY|O_CREAT, S_IWUSR|S_IRUSR); +#ifndef VBOX free(lockFile); +#endif if (ipcLockFD == -1) return ELockFileOpen; +#ifdef VBOX + // + // Security checks for the lock file + // + if (fstat(ipcLockFD, &st) == -1) + { + printf("Cannot stat '%s'.\n", lockFile); + free(lockFile); + return ELockFileOwner; + } + + if (st.st_uid != getuid() && st.st_uid != geteuid()) + { + printf("Wrong owner (%d) of '%s'.\n", st.st_uid, lockFile); + free(lockFile); + return ELockFileOwner; + } + + if (st.st_mode != (S_IRUSR | S_IWUSR | S_IFREG)) + { + printf("Wrong mode (%o) of '%s'.\n", st.st_mode, lockFile); + free(lockFile); + return ELockFileOwner; + } + + free(lockFile); +#endif + // // we use fcntl for locking. assumption: filesystem should be local. // this API is nice because the lock will be automatically released @@ -433,8 +487,9 @@ // don't notify the parent to cause it to fail in PR_Read() after // we terminate #ifdef VBOX - printf("Cannot create a lock file for '%s'.\n" - "Check permissions.\n", addr.local.path); + if (status != ELockFileOwner) + printf("Cannot create a lock file for '%s'.\n" + "Check permissions.\n", addr.local.path); #endif return 0; }