From 09d2732b4e299eaa06c64b7a683529e337691c59 Mon Sep 17 00:00:00 2001 From: Mike Gabriel Date: Sat, 14 Feb 2015 16:23:43 +0100 Subject: Patch system: Prepend a "0" to every patch file name in debian/patches/. Adapt only this changelog stanza to this modification. --- debian/patches/602_nx-X11_initgroups.full.patch | 67 ------------------------- 1 file changed, 67 deletions(-) delete mode 100644 debian/patches/602_nx-X11_initgroups.full.patch (limited to 'debian/patches/602_nx-X11_initgroups.full.patch')
diff --git a/debian/patches/602_nx-X11_initgroups.full.patch b/debian/patches/602_nx-X11_initgroups.full.patch
deleted file mode 100644
index 182b378dc..000000000
--- a/debian/patches/602_nx-X11_initgroups.full.patch
+++ /dev/null
@@ -1,67 +0,0 @@
-Description: Be compliant with POS36-C: Observe correct revocation order while relinquishing privileges
-Author: Orion Poplawski
-Abstract:
- The Fedora review of NX (redistributed) caught the following rpmlint issue:
- .
- This executable is calling setuid and setgid without setgroups or initgroups.
- There is a high probability this mean it didn't relinquish all groups, and this
- would be a potential security issue to be fixed. Seek POS36-C on the web for
- details about the problem.
- .
- Ref POS36-C:
- https://www.securecoding.cert.org/confluence/display/seccode/POS36-C.+Observe+correct+revocation+order+while+relinquishing+privileges
- .
- This patch adds initgroups() calls to the code to initialize the supplemental group list.
-diff --git a/nx-X11/programs/Xserver/os/utils.c b/nx-X11/programs/Xserver/os/utils.c
-index 7e62654..9b2431a 100644
---- a/nx-X11/programs/Xserver/os/utils.c
-+++ b/nx-X11/programs/Xserver/os/utils.c
-@@ -112,6 +112,9 @@ OR PERFORMANCE OF THIS SOFTWARE.
- #include
- #include /* for isspace */
- #include
-+#include
-+#include
-+#include
- 
- #if defined(DGUX)
- #include
-@@ -1770,6 +1773,7 @@ System(char *command)
- void (*csig)(int);
- #endif
- int status;
-+ struct passwd *pwent;
- 
- if (!command)
- return(1);
-@@ -1791,6 +1795,9 @@ System(char *command)
- case -1: /* error */
- p = -1;
- case 0: /* child */
-+ pwent = getpwuid(getuid());
-+ if (initgroups(pwent->pw_name,getgid()) == -1)
-+ _exit(127);
- if (setgid(getgid()) == -1)
- _exit(127);
- if (setuid(getuid()) == -1)
-diff --git a/nxcomp/Pipe.cpp b/nxcomp/Pipe.cpp
-index 7238d0c..aacbbae 100644
---- a/nxcomp/Pipe.cpp
-+++ b/nxcomp/Pipe.cpp
-@@ -21,6 +21,7 @@
- #include
- #include
- #include
-+#include
- 
- #include "Pipe.h"
- #include "Misc.h"
-@@ -234,6 +235,8 @@ FILE *Popen(char * const parameters[], const char *type)
- // Child.
- //
- 
-+ struct passwd *pwent = getpwuid(getuid());
-+ if (pwent) initgroups(pwent->pw_name,getgid());
- setgid(getgid());
- setuid(getuid());
- 
-- cgit v1.2.3