SECURITY:

libsasl contains functions which may load dynamic libraries.
These libraries may be loaded from the path specified by the
environmental variable SASL_PATH, which in some situations may be
fully controlled by a local attacker.
Thus, if a set-user-ID application utilizes libsasl, it may be possible
for a local attacker to gain superuser privileges.

ok jakob@
robert 2004-10-11 13:19:46 +00:00
parent 69ad59ca7c
commit d9e2a34829
2 changed files with 16 additions and 1 deletions


@ -1,8 +1,9 @@
# $OpenBSD: Makefile,v 1.18 2004/09/26 10:01:01 sturm Exp $
# $OpenBSD: Makefile,v 1.19 2004/10/11 13:19:46 robert Exp $
COMMENT= "RFC 2222 SASL (Simple Authentication and Security Layer)"
DISTNAME= cyrus-sasl-2.1.19
PKGNAME= ${DISTNAME}p1
CATEGORIES= security
MASTER_SITES= ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/ \


@ -0,0 +1,14 @@
$OpenBSD: patch-lib_common_c,v 1.1 2004/10/11 13:19:46 robert Exp $
--- lib/common.c.orig Mon Oct 11 14:05:00 2004
+++ lib/common.c Mon Oct 11 14:06:48 2004
@@ -1838,7 +1838,10 @@
if (! path)
return SASL_BADPARAM;
+ /* Honor external variable only in a safe environment */
+ if (getuid() == getuid() && getgid() == getgid())
*path = getenv(SASL_PATH_ENV_VAR);
+
if (! *path)
*path = PLUGINDIR;
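
Review bot: The added guard `if (getuid() == getuid() && getgid() == getgid())` compares each call with itself, so it is always true and `getenv(SASL_PATH_ENV_VAR)` is still reached in a set-user-ID or set-group-ID process, which is the case the commit message sets out to close. Compare real against effective IDs instead, `getuid() == geteuid() && getgid() == getegid()`, or use `issetugid()`, which on OpenBSD reports whether the process was started by a set-ID exec even if its IDs have since been changed. Separately, when the guard is false nothing in the visible lines assigns `*path` before `if (! *path)` tests it, so the `PLUGINDIR` fallback depends on what the caller left there; setting `*path = NULL` ahead of the guard would make the fallback unconditional.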