Patch attached. Not sure what should be a headline or not in NEWS (release numbers etc.). Find below a proposal for such entry:
** ftpd, rcp, rlogin, rsh, rshd, uucpd *** Avoid potential privilege escalations due to absence of checking set*id() return values. Reported by Jeffrey Bencteux in < https://lists.gnu.org/archive/html/bug-inetutils/2023-07/msg00000.html>. -- Jeffrey BENCTEUX Le sam. 22 juil. 2023 à 10:36, Simon Josefsson <si...@josefsson.org> a écrit : > Jeffrey <jeffbenct...@gmail.com> writes: > > > I found more occurences of unchecked values for set*id() functions in > other > > inetutils programs: ftpd, rcp. > > > > It has different security impact if it can be triggered: > > > > * rcp: local privilege escalation to the user running the binary > > * ftpd: undefined behaviour without privilege escalation as all calls are > > to seteuid(0) (gaining root privileges, not dropping it) > > > > I am attaching a consolidated patch to fix these and the previous ones. > > Thanks again -- copyright papers have now arrived, and I looked at the > patch, and it seems good. However the patch does not apply cleanly due > to whitespace and line-wrapping problems, can you re-send the patch as > an attachment instead of inline in your email? Please also add NEWS > entries (look at earlier entries as templates). > > /Simon >
0001-ftpd-rcp-rlogin-rsh-rshd-uucpd-fix-check-set-id-retu.patch
Description: Binary data