tags 365626 + patch
tags 365632 + patch
thanks

The attached patch fixes both problems. If you would prefer it
split into two, just say so.
diff -ur netcat-1.10-32/netcat.c netcat/netcat.c
--- netcat-1.10-32/netcat.c	2006-05-01 18:46:54.000000000 +0200
+++ netcat/netcat.c	2006-05-01 19:36:11.000000000 +0200
@@ -598,26 +598,6 @@
 char * pr00gie = NULL;			/* global ptr to -e arg */
 int doexec_use_sh = 0;			/* `-c' or `-e' option? */
 
-/* doexec_new :
-   fiddle all the file descriptors around, and hand off to another prog.  Sort
-   of like a one-off "poor man's inetd".  This is the only section of code
-   that would be security-critical, which is why it's ifdefed out by default.
-   Use at your own hairy risk; if you leave shells lying around behind open
-   listening ports you deserve to lose!! */
-doexec_new (fd)
-  int fd;
-{
-  dup2 (fd, 0);				/* the precise order of fiddlage */
-  close (fd);				/* is apparently crucial; this is */
-  dup2 (0, 1);				/* swiped directly out of "inetd". */
-  dup2 (0, 2);
-
-  /* A POSIX-conformant system must have `/bin/sh'. */
-Debug (("gonna exec \"%s\" using /bin/sh...", pr00gie))
-  execl ("/bin/sh", "sh", "-c", pr00gie, NULL);
-  bail ("exec %s failed", pr00gie);	/* this gets sent out.  Hmm... */
-} /* doexec_new */
-
 /* doexec :
    fiddle all the file descriptors around, and hand off to another prog.  Sort
    of like a one-off "poor man's inetd".  This is the only section of code
@@ -627,20 +607,29 @@
 doexec (fd)
   int fd;
 {
-  register char * p;
-
   dup2 (fd, 0);				/* the precise order of fiddlage */
   close (fd);				/* is apparently crucial; this is */
   dup2 (0, 1);				/* swiped directly out of "inetd". */
-  dup2 (0, 2);
-  p = strrchr (pr00gie, '/');		/* shorter argv[0] */
-  if (p)
-    p++;
+
+  if (doexec_use_sh)
+  {
+    /* A POSIX-conformant system must have `/bin/sh'. */
+Debug (("gonna exec \"%s\" using /bin/sh...", pr00gie))
+    execl ("/bin/sh", "sh", "-c", pr00gie, NULL);
+  }
   else
-    p = pr00gie;
+  {
+    register char * p;
+
+    p = strrchr (pr00gie, '/');		/* shorter argv[0] */
+    if (p)
+      p++;
+    else
+      p = pr00gie;
 Debug (("gonna exec %s as %s...", pr00gie, p))
-  execl (pr00gie, p, NULL);
-  bail ("exec %s failed", pr00gie);	/* this gets sent out.  Hmm... */
+    execl (pr00gie, p, NULL);
+  }
+  bail ("exec %s failed", pr00gie);
 } /* doexec */
 #endif /* GAPING_SECURITY_HOLE */
 
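Review bot: The new side of doexec no longer runs `dup2 (0, 2);` after `dup2 (0, 1);` — the old line is removed and only a blank line takes its place — so the exec'd program's stderr now stays on netcat's own stderr instead of the socket, for both the `-c` and `-e` paths. If that is deliberate (the reports this fixes are not visible here), the commit message should say so and the "precise order of fiddlage" comment should be updated; if not, restore `dup2 (0, 2);` before the `if (doexec_use_sh)` line. On the new `/bin/sh` execl line the variadic sentinel should be written `(char *) NULL` rather than bare `NULL`, since `NULL` may expand to a plain integer 0 and is then passed with the wrong width where int and pointer sizes differ; the same applies to the `-e` branch's execl.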
@@ -1684,10 +1673,7 @@
     if (netfd > 0) {
 #ifdef GAPING_SECURITY_HOLE
       if (pr00gie)			/* -c or -e given? */
-	if (doexec_use_sh)		/* -c */
-	  doexec_new (netfd);
-        else				/* -e */
-	  doexec (netfd);
+        doexec (netfd);
 #endif /* GAPING_SECURITY_HOLE */
       x = readwrite (netfd);		/* it even works with UDP! */
       if (o_verbose > 1)		/* normally we don't care */
