[X2Go-Commits] x2goserver.git - master (branch) updated: 3.1.1.3-153-g42264c8

Sun May 19 00:50:36 CEST 2013

The branch, master has been updated
       via  42264c88d7885474ebe3763b2991681ddfcfa69a (commit)
      from  8fd306d77cd3189d3084659617cb9d31b1d8e89f (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 42264c88d7885474ebe3763b2991681ddfcfa69a
Author: Mike Gabriel <mike.gabriel at das-netzwerkteam.de>
Date:   Sun May 19 00:18:24 2013 +0200

    Security fix for setgid wrapper libx2go-server-db-sqlite3-wrapper.c. Hard- code path to libx2go-server-db-sqlite3-wrapper.pl during build via defining a macro in the Makefile.

-----------------------------------------------------------------------

Summary of changes:
 debian/changelog                                   |    3 ++
 debian/rules                                       |    4 +-
 libx2go-server-db-perl/Makefile                    |    3 +-
 .../src/libx2go-server-db-sqlite3-wrapper.c        |   48 ++------------------
 4 files changed, 11 insertions(+), 47 deletions(-)

The diff of changes is:

diff --git a/debian/changelog b/debian/changelog
index e30e866..4922ddb 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -38,6 +38,9 @@ x2goserver (4.1.0.0-0~x2go1) UNRELEASED; urgency=low
     script is called without session as first argument and $X2GO_SESSION
     not set. (Fixes: #82).
   * Make x2goruncommand aware of the Cinnamon desktop shell. (Fixes: #117).
+  * Security fix for setgid wrapper libx2go-server-db-sqlite3-wrapper.c. Hard-
+    code path to libx2go-server-db-sqlite3-wrapper.pl during build via
+    defining a macro in the Makefile.
 
   [ Otto Kjell ]
   * New upstream version (4.1.0.0):
diff --git a/debian/rules b/debian/rules
index 43139c0..b671ca3 100755
--- a/debian/rules
+++ b/debian/rules
@@ -1,10 +1,10 @@
 #!/usr/bin/make -f
 
 %:
-	dh $@
+	PREFIX=/usr dh $@
 
 override_dh_auto_build:
-	PERL_INSTALLDIRS=vendor dh_auto_build
+	PREFIX=/usr PERL_INSTALLDIRS=vendor dh_auto_build
 
 override_dh_auto_install:
 	$(MAKE) -f Makefile build-arch
diff --git a/libx2go-server-db-perl/Makefile b/libx2go-server-db-perl/Makefile
index 67767b8..459e485 100755
--- a/libx2go-server-db-perl/Makefile
+++ b/libx2go-server-db-perl/Makefile
@@ -39,7 +39,8 @@ all: clean build
 build: build-arch build-indep
 
 build-arch:
-	$(CC) $(CFLAGS) $(LDFLAGS) -o lib/libx2go-server-db-sqlite3-wrapper src/libx2go-server-db-sqlite3-wrapper.c
+	echo $(PREFIX)
+	$(CC) $(CFLAGS) $(LDFLAGS) -DTRUSTED_BINARY=\"$(DESTDIR)$(LIBDIR)/libx2go-server-db-sqlite3-wrapper.pl\" -o lib/libx2go-server-db-sqlite3-wrapper src/libx2go-server-db-sqlite3-wrapper.c
 
 build-indep:
 
diff --git a/libx2go-server-db-perl/src/libx2go-server-db-sqlite3-wrapper.c b/libx2go-server-db-perl/src/libx2go-server-db-sqlite3-wrapper.c
index fcff47e..093abfd 100644
--- a/libx2go-server-db-perl/src/libx2go-server-db-sqlite3-wrapper.c
+++ b/libx2go-server-db-perl/src/libx2go-server-db-sqlite3-wrapper.c
@@ -28,51 +28,11 @@
 #include <errno.h>
 
 int main( int argc, char *argv[] ) {
-	char * x2gosqlitewrapper = NULL;
-	size_t path_max;
-	
-/*
-	The following snippet is taken from the realpath manpage
-*/
-#ifdef PATH_MAX
-	path_max = PATH_MAX;
-#else
-	path_max = pathconf (".", _PC_PATH_MAX);
-	if (path_max <= 0){
-		path_max = 4096;
-	}
-#endif
-	{
-		// allocate dynamic buffer in stack: this needs C99 or gnu??
-		char buffer[path_max];
-		ssize_t rvrl;
-		int rvap;
-
-		// resolve link of /proc/self/exe to find out where we are
-		rvrl = readlink("/proc/self/exe", buffer, path_max);
-		if(rvrl == -1){
-			perror("readlink(\"/proc/self/exe\",buffer,path_max)");
-			exit(EXIT_FAILURE);
-		}
-		if(rvrl >= path_max){
-			fprintf(stderr, "Could not resolve the path of this file using \"/proc/self/exe\". The path is too long (> %i)", path_max);
-			exit(EXIT_FAILURE);
-		}
-
-		// derive the full path of libx2go-server-db-sqlite3-wrapper.pl from path of this binary
-		rvap = asprintf(&x2gosqlitewrapper, "%s/%s", dirname(buffer), "libx2go-server-db-sqlite3-wrapper.pl");
-		if(rvap == -1){
-			fprintf(stderr, "Failed to allocate memory calling asprintf\n");
-			exit(EXIT_FAILURE);
-		}
-
-		// execute the script, running with user-rights of this binary 
-		execv(x2gosqlitewrapper, argv);
 
-	}
+	char x2gosqlitewrapper[] = TRUSTED_BINARY;
 
-	// ...fail
-	fprintf(stderr, "Failed to execute %s: %s\n", x2gosqlitewrapper, strerror(errno));
-	return EXIT_FAILURE;
+	argv[0] = "libx2go-server-db-sqlite3-wrapper.pl";
+	// execute the script, running with user-rights of this binary
+	execv(x2gosqlitewrapper, argv);
 
 }


hooks/post-receive
-- 
x2goserver.git (X2Go Server)

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "x2goserver.git" (X2Go Server).


