tags 245029 woody
thanks

At Fri, 23 Apr 2004 01:11:15 +0200, BUCHMULLER Norbert wrote:
> > Isn't it CAN-2003-0689? (I have not seen that fixed in libc6's
>
> It _is_.

I didn't know this bug before... Debian security team, could you look at it?

> http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=101691 states that
> 2.2.5 is affected, and, that the bug is in libc/grp/initgroups.c, and that
> the revision that fixes the bug is 1.29.
>
> From the CVS log
> (http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/grp/initgroups.c?cvsroot=glibc)
> I see that the fix was done in 1.29 indeed, and having a look at the diff
> between 1.29 and 1.28 revealed that Debian's 2.2.5-11.5 has revision 1.28
> of that file, not 1.29.

Debian woody glibc has revision 1.26.

> Now it is clear that this bug is the same as in CAN-2003-0689. Debian is
> still vulnerable. :-(
>
> Please fix it. Thanks.

The patch below is the diff between 1.26 and 1.29, retrieved from the CVS web above.
The line "__attribute_hidden" and "__libc_fatal" part should be deleted for
fixing woody's glibc, though.

=================================================================== RCS file: /cvs/glibc/libc/grp/initgroups.c,v retrieving revision 1.26 retrieving revision 1.29 diff -u -r1.26 -r1.29 --- libc/grp/initgroups.c 2001/07/06 04:54:46 1.26 +++ libc/grp/initgroups.c 2003/04/23 21:26:34 1.29 @@ -1,4 +1,4 @@ -/* Copyright (C) 1989,91,93,1996-1999,2000,01 Free Software Foundation, Inc. +/* Copyright (C) 1989,91,93,1996-2002, 2003 Free Software Foundation, Inc. This file is part of the GNU C Library. The GNU C Library is free software; you can redistribute it and/or @@ -23,6 +23,7 @@ #include <stdlib.h> #include <string.h> #include <unistd.h> +#include <sys/param.h> #include <sys/types.h> #include <nsswitch.h> @@ -45,7 +46,7 @@ void **fctp); extern void *__nss_lookup_function (service_user *ni, const char *fct_name); -extern service_user *__nss_group_database; +extern service_user *__nss_group_database attribute_hidden; static enum nss_status compat_call (service_user *nip, const char *user, gid_t group, long int *start, 
@@ -176,7 +177,7 @@ /* This is really only for debugging. */ if (NSS_STATUS_TRYAGAIN > status || status > NSS_STATUS_RETURN) - __libc_fatal ("illegal status in " __FUNCTION__); + __libc_fatal ("illegal status in internal_getgrouplist"); if (status != NSS_STATUS_SUCCESS && nss_next_action (nip, status) == NSS_ACTION_RETURN) @@ -207,6 +208,9 @@ return -1; result = internal_getgrouplist (user, group, &size, &newgroups, -1); + + memcpy (groups, newgroups, MIN (*ngroups, result) * sizeof (gid_t)); + if (result > *ngroups) { *ngroups = result; @@ -214,8 +218,6 @@ } else *ngroups = result; - - memcpy (groups, newgroups, *ngroups * sizeof (gid_t)); free (newgroups); return result;

Regards,
-- gotom
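
Review bot: In the @@ -207,6 +208,9 @@ hunk the copy length MIN (*ngroups, result) * sizeof (gid_t) has an upper bound but no lower one: the function returns -1 just above, so result is a signed value, and if either it or the caller's *ngroups is negative at this point the product converts to a very large size for memcpy. The bound itself is the right one, because it reads the caller's capacity before the following lines overwrite *ngroups with result, which is exactly what the memcpy removed in the @@ -214,8 +218,6 @@ hunk did not do. Suggest checking for non-positive values before the copy and adding a one-line comment that the memcpy must stay ahead of the *ngroups update, so a later cleanup does not move it back.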
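
Review bot: In the @@ -45,7 +46,7 @@ hunk the added token is attribute_hidden, not __attribute_hidden as the covering mail spells it, and nothing in this diff defines it, so a tree that lacks the macro will not compile this declaration. For the woody backport, drop this hunk by matching on attribute_hidden; the __libc_fatal change at @@ -176,7 +177,7 @@ is likewise independent of the overflow fix and can be left out, which leaves the sys/param.h include (needed for MIN) and the two memcpy hunks as the actual change.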

