kumquat-buildroot/package/lighttpd/lighttpd-04-fix_setuid.patch
Axel Lin 509b00d344 lighttpd: apply security patches for lighttpd-1.4.33
Apply security patches for lighttpd-1.4.33.
Also rename these patches to follow buildroot's naming scheme.

lighttpd-03-fix_fam_use_after_free.patch:
http://download.lighttpd.net/lighttpd/security/lighttpd-1.4.33_fix_fam_use_after_free.patch

lighttpd-04-fix_setuid.patch:
http://download.lighttpd.net/lighttpd/security/lighttpd-1.4.33_fix_setuid.patch

lighttpd-05-fix_ssl_sni.patch:
http://download.lighttpd.net/lighttpd/security/lighttpd-1.4.33_fix_ssl_sni.patch

Signed-off-by: Axel Lin <axel.lin@ingics.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2013-12-02 11:24:34 +01:00

44 lines
1.4 KiB
Diff

commit 99cddff73ab4023186bcfca54cbb73051140e15d
Author: Stefan Bühler <stbuehler@web.de>
Date: Wed Nov 13 11:43:33 2013 +0000
[core] check success of setuid,setgid,setgroups (CVE-2013-4559)
From: Stefan Bühler <stbuehler@web.de>
git-svn-id: svn://svn.lighttpd.net/lighttpd/branches/lighttpd-1.4.x@2923 152afb58-edef-0310-8abb-c4023f1b3aa9
diff --git a/src/server.c b/src/server.c
index 2d825bb..e2b42eb 100644
--- a/src/server.c
+++ b/src/server.c
@@ -820,8 +820,14 @@ int main (int argc, char **argv) {
* to /etc/group
* */
if (NULL != grp) {
- setgid(grp->gr_gid);
- setgroups(0, NULL);
+ if (-1 == setgid(grp->gr_gid)) {
+ log_error_write(srv, __FILE__, __LINE__, "ss", "setgid failed: ", strerror(errno));
+ return -1;
+ }
+ if (-1 == setgroups(0, NULL)) {
+ log_error_write(srv, __FILE__, __LINE__, "ss", "setgroups failed: ", strerror(errno));
+ return -1;
+ }
if (srv->srvconf.username->used) {
initgroups(srv->srvconf.username->ptr, grp->gr_gid);
}
@@ -844,7 +850,10 @@ int main (int argc, char **argv) {
#ifdef HAVE_PWD_H
/* drop root privs */
if (NULL != pwd) {
- setuid(pwd->pw_uid);
+ if (-1 == setuid(pwd->pw_uid)) {
+ log_error_write(srv, __FILE__, __LINE__, "ss", "setuid failed: ", strerror(errno));
+ return -1;
+ }
}
#endif
#if defined(HAVE_SYS_PRCTL_H) && defined(PR_SET_DUMPABLE)