Fix a problem whereby a corrupt DNS record can cause named to crash. [11:06]

Add an API for alerting internal libc routines to the presence of "unsafe" paths post-chroot, and use it in ftpd. [11:07] Fix a buffer overflow in telnetd. [11:08] Make pam_ssh ignore unpassphrased keys unless the "nullok" option is specified. [11:09] Add sanity checking of service names in pam_start. [11:10] Approved by: so (cperciva) Approved by: re (bz) Security: FreeBSD-SA-11:06.bind Security: FreeBSD-SA-11:07.chroot Security: FreeBSD-SA-11:08.telnetd Security: FreeBSD-SA-11:09.pam_ssh Security: FreeBSD-SA-11:10.pam
2011-12-23 15:00:37 +00:00 · 2011-12-23 15:00:37 +00:00 · 3e65b9c6e6
commit 3e65b9c6e6
parent 2cd8464e4e
11 changed files with 92 additions and 3 deletions
--- a/contrib/telnet/libtelnet/encrypt.c
+++ b/contrib/telnet/libtelnet/encrypt.c
@ -721,6 +721,9 @@ encrypt_keyid(struct key_info *kp, unsigned char *keyid, int len)
 	int dir = kp->dir;
 	int ret = 0;

+	if (len > MAXKEYLEN)
+		len = MAXKEYLEN;
+
 	if (!(ep = (*kp->getcrypt)(*kp->modep))) {
 		if (len == 0)
 			return;
--- a/crypto/heimdal/appl/telnet/libtelnet/encrypt.c
+++ b/crypto/heimdal/appl/telnet/libtelnet/encrypt.c
@ -736,6 +736,9 @@ encrypt_keyid(struct key_info *kp, unsigned char *keyid, int len)
    int dir = kp->dir;
    int ret = 0;

+    if (len > MAXKEYLEN)
+        len = MAXKEYLEN;
+
    if (!(ep = (*kp->getcrypt)(*kp->modep))) {
 	if (len == 0)
 	    return;
--- a/include/unistd.h
+++ b/include/unistd.h
@ -511,6 +511,7 @@ int	 initgroups(const char *, gid_t);
 int	 iruserok(unsigned long, int, const char *, const char *);
 int	 iruserok_sa(const void *, int, int, const char *, const char *);
 int	 issetugid(void);
+void	__FreeBSD_libc_enter_restricted_mode(void);
 long	 lpathconf(const char *, int);
 #ifndef _MKDTEMP_DECLARED
 char	*mkdtemp(char *);
--- a/lib/libc/gen/Makefile.inc
+++ b/lib/libc/gen/Makefile.inc
@ -20,6 +20,7 @@ SRCS+=  __getosreldate.c __xuname.c \
 	getpeereid.c getprogname.c getpwent.c getttyent.c \
 	getusershell.c getutxent.c getvfsbyname.c glob.c \
 	initgroups.c isatty.c isinf.c isnan.c jrand48.c lcong48.c \
+	libc_dlopen.c \
 	lockf.c lrand48.c mrand48.c nftw.c nice.c \
 	nlist.c nrand48.c opendir.c \
 	pause.c pmadvise.c popen.c posix_spawn.c \
--- a/lib/libc/gen/Symbol.map
+++ b/lib/libc/gen/Symbol.map
@ -381,6 +381,10 @@ FBSD_1.2 {
 	setutxent;
 };

+FBSD_1.3 {
+	__FreeBSD_libc_enter_restricted_mode;
+};
+
 FBSDprivate_1.0 {
 	/* needed by thread libraries */
 	__thr_jtable;
--- a/lib/libc/gen/libc_dlopen.c
+++ b/lib/libc/gen/libc_dlopen.c
@ -0,0 +1,61 @@
+/*-
+ * Copyright (c) 2011 Xin Li <delphij@FreeBSD.org>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include <sys/cdefs.h>
+__FBSDID("$FreeBSD$");
+
+#include <dlfcn.h>
+#include <stddef.h>
+#include <unistd.h>
+
+#include "libc_private.h"
+
+/*
+ * Whether we want to restrict dlopen()s.
+ */
+static int __libc_restricted_mode = 0;
+
+void *
+libc_dlopen(const char *path, int mode)
+{
+
+	if (__libc_restricted_mode) {
+		_rtld_error("Service unavailable -- libc in restricted mode");
+		return (NULL);
+	} else
+		return (dlopen(path, mode));
+}
+
+void
+__FreeBSD_libc_enter_restricted_mode(void)
+{
+
+	__libc_restricted_mode = 1;
+	return;
+}
+
--- a/lib/libc/iconv/citrus_module.c
+++ b/lib/libc/iconv/citrus_module.c
@ -109,6 +109,7 @@
 #include "citrus_namespace.h"
 #include "citrus_bcs.h"
 #include "citrus_module.h"
+#include "libc_private.h"

 static int		 _getdewey(int[], char *);
 static int		 _cmpndewey(int[], int, int[], int);
@ -294,7 +295,7 @@ _citrus_load_module(_citrus_module_t *rhandle, const char *encname)
 	p = _findshlib(path, &maj, &min);
 	if (!p)
 		return (EINVAL);
-	handle = dlopen(p, RTLD_LAZY);
+	handle = libc_dlopen(p, RTLD_LAZY);
 	if (!handle) {
 		printf("%s", dlerror());
 		return (EINVAL);
--- a/lib/libc/include/libc_private.h
+++ b/lib/libc/include/libc_private.h
@ -43,6 +43,17 @@
 */
 extern int	__isthreaded;

+/*
+ * libc should use libc_dlopen internally, which respects a global
+ * flag where loading of new shared objects can be restricted.
+ */
+void *libc_dlopen(const char *, int);
+
+/*
+ * For dynamic linker.
+ */
+void _rtld_error(const char *fmt, ...);
+
 /*
 * File lock contention is difficult to diagnose without knowing
 * where locks were set. Allow a debug library to be built which
--- a/lib/libc/net/nsdispatch.c
+++ b/lib/libc/net/nsdispatch.c
@ -384,7 +384,7 @@ nss_configure(void)
 	confmod = statbuf.st_mtime;

 #ifdef NS_CACHING
-	handle = dlopen(NULL, RTLD_LAZY | RTLD_GLOBAL);
+	handle = libc_dlopen(NULL, RTLD_LAZY | RTLD_GLOBAL);
 	if (handle != NULL) {
 		nss_cache_cycle_prevention_func = dlsym(handle,
 			"_nss_cache_cycle_prevention_function");
@ -497,7 +497,7 @@ nss_load_module(const char *source, nss_module_register_fn reg_fn)
 		if (snprintf(buf, sizeof(buf), "nss_%s.so.%d", mod.name,
 		    NSS_MODULE_INTERFACE_VERSION) >= (int)sizeof(buf))
 			goto fin;
-		mod.handle = dlopen(buf, RTLD_LOCAL|RTLD_LAZY);
+		mod.handle = libc_dlopen(buf, RTLD_LOCAL|RTLD_LAZY);
 		if (mod.handle == NULL) {
 #ifdef _NSS_DEBUG
 			/* This gets pretty annoying since the built-in
--- a/libexec/ftpd/ftpd.c
+++ b/libexec/ftpd/ftpd.c
@ -1562,6 +1562,7 @@ pass(char *passwd)
 			reply(550, "Can't change root.");
 			goto bad;
 		}
+		__FreeBSD_libc_enter_restricted_mode();
 	} else	/* real user w/o chroot */
 		homedir = pw->pw_dir;
 	/*
--- a/libexec/ftpd/popen.c
+++ b/libexec/ftpd/popen.c
@ -143,6 +143,9 @@ ftpd_popen(char *program, char *type)
 			}
 			(void)close(pdes[1]);
 		}
+		/* Drop privileges before proceeding */
+		if (getuid() != geteuid() && setuid(geteuid()) < 0)
+			_exit(1);
 		if (strcmp(gargv[0], _PATH_LS) == 0) {
 			/* Reset getopt for ls_main() */
 			optreset = optind = optopt = 1;