wok-current view screen/stuff/CVE-2025-46802.patch @ rev 25786

Bump gvfs to fix issue with open files on android device, patch udev to fix mtp issue on pcmanfm
author Stanislas Leduc <shann@slitaz.org>
date Tue Jul 29 18:05:13 2025 +0000 (2 months ago)
1 From 049b26b22e197ba3be9c46e5c193032e01a4724a Mon Sep 17 00:00:00 2001
2 From: Matthias Gerstner <matthias.gerstner@suse.de>
3 Date: Mon, 12 May 2025 15:15:38 +0200
4 Subject: fix CVE-2025-46802: attacher.c - prevent temporary 0666 mode on PTYs
6 This temporary chmod of the PTY to mode 0666 is most likely a remnant of
7 past times, before the PTY file descriptor was passed to the target
8 session via the UNIX domain socket.
10 This chmod() causes a race condition during which any other user in the
11 system can open the PTY for reading and writing, and thus allows PTY
12 hijacking.
14 Simply remove this logic completely.
15 ---
16 src/attacher.c | 27 ---------------------------
17 src/screen.c | 19 -------------------
18 2 files changed, 46 deletions(-)
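--- a/attacher.c
+++ b/attacher.c
@@ -73,7 +73,6 @@ extern int MasterPid, attach_fd;
 #ifdef MULTIUSER
 extern char *multi;
 extern int multiattach, multi_uid, own_uid;
-extern int tty_mode, tty_oldmode;
 # ifndef USE_SETEUID
 static int multipipe[2];
 # endif
@@ -160,9 +159,6 @@ int how;
 
 if (pipe(multipipe))
 Panic(errno, "pipe");
- if (chmod(attach_tty, 0666))
- Panic(errno, "chmod %s", attach_tty);
- tty_oldmode = tty_mode;
 eff_uid = -1; /* make UserContext fork */
 real_uid = multi_uid;
 if ((ret = UserContext()) <= 0)
@@ -174,11 +170,6 @@ int how;
 Panic(errno, "UserContext");
 close(multipipe[1]);
 read(multipipe[0], &dummy, 1);
- if (tty_oldmode >= 0)
- {
- chmod(attach_tty, tty_oldmode);
- tty_oldmode = -1;
- }
 ret = UserStatus();
 #ifdef LOCK
 if (ret == SIG_LOCK)
@@ -224,9 +215,6 @@ int how;
 xseteuid(multi_uid);
 xseteuid(own_uid);
 #endif
- if (chmod(attach_tty, 0666))
- Panic(errno, "chmod %s", attach_tty);
- tty_oldmode = tty_mode;
 }
 # endif /* USE_SETEUID */
 #endif /* MULTIUSER */
@@ -423,13 +411,6 @@ int how;
 ContinuePlease = 0;
 # ifndef USE_SETEUID
 close(multipipe[1]);
-# else
- xseteuid(own_uid);
- if (tty_oldmode >= 0)
- if (chmod(attach_tty, tty_oldmode))
- Panic(errno, "chmod %s", attach_tty);
- tty_oldmode = -1;
- xseteuid(real_uid);
 # endif
 }
 #endif
@@ -505,14 +486,6 @@ AttacherFinit SIGDEFARG
 close(s);
 }
 }
-#ifdef MULTIUSER
- if (tty_oldmode >= 0)
- {
- if (setuid(own_uid))
- Panic(errno, "setuid");
- chmod(attach_tty, tty_oldmode);
- }
-#endif
 exit(0);
 SIGRETURN;
 }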
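--- a/screen.c
+++ b/screen.c
@@ -230,8 +230,6 @@ char *multi_home;
 int multi_uid;
 int own_uid;
 int multiattach;
-int tty_mode;
-int tty_oldmode = -1;
 #endif
 
 char HostName[MAXSTR];
@@ -1009,9 +1007,6 @@ int main(int ac, char** av)
 
 /* ttyname implies isatty */
 SetTtyname(true, &st);
-#ifdef MULTIUSER
- tty_mode = (int)st.st_mode & 0777;
-#endif
 
 fl = fcntl(0, F_GETFL, 0);
 if (fl != -1 && (fl & (O_RDWR|O_RDONLY|O_WRONLY)) == O_RDWR)
@@ -2170,20 +2165,6 @@ DEFINE_VARARGS_FN(Panic)
 if (D_userpid)
 Kill(D_userpid, SIG_BYE);
 }
-#ifdef MULTIUSER
- if (tty_oldmode >= 0) {
-
-# ifdef USE_SETEUID
- if (setuid(own_uid))
- xseteuid(own_uid); /* may be a loop. sigh. */
-# else
- setuid(own_uid);
-# endif
-
- debug1("Panic: changing back modes from %s\n", attach_tty);
- chmod(attach_tty, tty_oldmode);
- }
-#endif
 eexit(1);
 }
 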
137 --
138 cgit v1.1