r733 - in trunk: linux vim

jeremy at linuxfromscratch.org jeremy at linuxfromscratch.org
Thu Dec 30 22:21:39 PST 2004


Author: jeremy
Date: 2004-12-30 23:21:39 -0700 (Thu, 30 Dec 2004)
New Revision: 733

Added:
   trunk/linux/linux-2.6.10-security_fix-1.patch
   trunk/vim/vim-6.3-security_fix-1.patch
Log:
Added Kernel 2.6.10 security vuln and vim security vuln patches to archive.

Added: trunk/linux/linux-2.6.10-security_fix-1.patch
===================================================================
--- trunk/linux/linux-2.6.10-security_fix-1.patch	2004-12-29 00:58:16 UTC (rev 732)
+++ trunk/linux/linux-2.6.10-security_fix-1.patch	2004-12-31 06:21:39 UTC (rev 733)
@@ -0,0 +1,50 @@
+Submitted By: Matthew Burgess <matthew at linuxfromscratch.org>
+Date: 2004-12-30
+Initial Package Version: 2.6.10
+Upstream Status: Not Sent - Already aware
+Origin: http://www.uwsg.iu.edu/hypermail/linux/kernel/0412.3/0792.html
+Description: Taken from the URL above:  It is unsafe to have capabilities
+             compiled as a module, or at least loaded after any untrusted
+             processes start.  Fix this problem by having the dummy module track
+             capabilities.
+
+diff -Naur linux-2.6.10.orig/security/dummy.c linux-2.6.10/security/dummy.c
+--- linux-2.6.10.orig/security/dummy.c	2004-12-24 21:34:26.000000000 +0000
++++ linux-2.6.10/security/dummy.c	2004-12-30 10:41:11.000000000 +0000
+@@ -74,12 +74,10 @@
+ 
+ static int dummy_capable (struct task_struct *tsk, int cap)
+ {
+-	if (cap_is_fs_cap (cap) ? tsk->fsuid == 0 : tsk->euid == 0)
+-		/* capability granted */
++	if (cap_raised (tsk->cap_effective, cap))
+ 		return 0;
+-
+-	/* capability denied */
+-	return -EPERM;
++	else
++		return -EPERM;
+ }
+ 
+ static int dummy_sysctl (ctl_table * table, int op)
+@@ -191,6 +189,10 @@
+ 
+ 	current->suid = current->euid = current->fsuid = bprm->e_uid;
+ 	current->sgid = current->egid = current->fsgid = bprm->e_gid;
++
++	dummy_capget(current, &current->cap_effective,
++	&current->cap_inheritable,
++	&current->cap_permitted);
+ }
+ 
+ static int dummy_bprm_set_security (struct linux_binprm *bprm)
+@@ -550,6 +552,9 @@
+ 
+ static int dummy_task_post_setuid (uid_t id0, uid_t id1, uid_t id2, int flags)
+ {
++	dummy_capget(current, &current->cap_effective,
++	&current->cap_inheritable,
++	&current->cap_permitted);
+ 	return 0;
+ }
+ 
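Review bot: After this change dummy_capable() trusts `tsk->cap_effective` alone, so its answer is only as fresh as the last dummy_capget() call, and nothing in the patch documents that invariant; the removed `/* capability granted */` and `/* capability denied */` comments are not replaced. The two refresh points visible here are the tail of the function that copies `bprm->e_uid`/`bprm->e_gid` into `current` (its start is outside the hunk) and dummy_task_post_setuid(), which recomputes unconditionally and ignores its `flags` argument. I would add above dummy_capable() a comment such as `/* cap_* sets are recomputed from the task's ids after exec and after setuid; any other path that changes euid/fsuid must call dummy_capget() too */`, and confirm against the full file that no id-changing path skips the refresh, which cannot be checked from these hunks. The return value of dummy_capget() is dropped at both call sites; its body is not shown, so if it can fail, a stale capability set would go unnoticed. As a style point, the continuation lines of both calls carry a single tab instead of aligning under the first argument, and the `else` after `return 0;` is redundant.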

Added: trunk/vim/vim-6.3-security_fix-1.patch
===================================================================
--- trunk/vim/vim-6.3-security_fix-1.patch	2004-12-29 00:58:16 UTC (rev 732)
+++ trunk/vim/vim-6.3-security_fix-1.patch	2004-12-31 06:21:39 UTC (rev 733)
@@ -0,0 +1,219 @@
+Submitted By: Matthew Burgess <matthew at linuxfromscratch.org>
+Date: 2004-12-30
+Initial Package Version: 6.3
+Upstream Status: From Upstream
+Origin: ftp://ftp.vim.org/pub/vim/patches/6.3/6.3.045
+Description: Fixes a security issue with vim's modeline handling
+
+diff -Naur vim63.orig/runtime/doc/options.txt vim63/runtime/doc/options.txt
+--- vim63.orig/runtime/doc/options.txt	2004-06-07 09:05:19.000000000 +0000
++++ vim63/runtime/doc/options.txt	2004-12-30 11:00:23.971481608 +0000
+@@ -1,4 +1,4 @@
+-*options.txt*	For Vim version 6.3.  Last change: 2004 Jun 01
++*options.txt*	For Vim version 6.3.  Last change: 2004 Dec 09
+ 
+ 
+ 		  VIM REFERENCE MANUAL	  by Bram Moolenaar
+@@ -139,6 +139,9 @@
+ (the ^[ is a real <Esc> here, use CTRL-V <Esc> to enter it)
+ The advantage over a mapping is that it works in all situations.
+ 
++The t_xx options cannot be set from a |modeline| or in the |sandbox|, for
++security reasons.
++
+ The listing from ":set" looks different from Vi.  Long string options are put
+ at the end of the list.  The number of options is quite large.	The output of
+ "set all" probably does not fit on the screen, causing Vim to give the
+@@ -945,6 +948,7 @@
+ 	accidentally overwriting existing files with a backup file.  You might
+ 	prefer using ".bak", but make sure that you don't have files with
+ 	".bak" that you want to keep.
++	Only normal file name characters can be used, "/\*?[|<>" are illegal.
+ 
+ 						*'backupskip'* *'bsk'*
+ 'backupskip' 'bsk'	string	(default: "/tmp/*,$TMPDIR/*,$TMP/*,$TEMP/*")
+@@ -2407,6 +2411,7 @@
+ 	type that is actually stored with the file.
+ 	This option is not copied to another buffer, independent of the 's' or
+ 	'S' flag in 'cpoptions'.
++	Only normal file name characters can be used, "/\*?[|<>" are illegal.
+ 
+ 						*'fillchars'* *'fcs'*
+ 'fillchars' 'fcs'	string	(default "vert:|,fold:-")
+@@ -3599,6 +3604,7 @@
+ 	Setting this option to a valid keymap name has the side effect of
+ 	setting 'iminsert' to one, so that the keymap becomes effective.
+ 	'imsearch' is also set to one, unless it was -1
++	Only normal file name characters can be used, "/\*?[|<>" are illegal.
+ 
+ 					*'keymodel'* *'km'*
+ 'keymodel' 'km'		string	(default "")
+@@ -3690,6 +3696,7 @@
+ 	matter what $LANG is set to: >
+ 		:set langmenu=nl_NL.ISO_8859-1
+ <	When 'langmenu' is empty, |v:lang| is used.
++	Only normal file name characters can be used, "/\*?[|<>" are illegal.
+ 	If your $LANG is set to a non-English language but you do want to use
+ 	the English menus: >
+ 		:set langmenu=none
+@@ -4310,6 +4317,7 @@
+ 	Using 'patchmode' for compressed files appends the extension at the
+ 	end (e.g., "file.gz.orig"), thus the resulting name isn't always
+ 	recognized as a compressed file.
++	Only normal file name characters can be used, "/\*?[|<>" are illegal.
+ 
+ 					*'path'* *'pa'* *E343* *E345* *E347*
+ 'path' 'pa'		string	(default on Unix: ".,/usr/include,,"
+@@ -4424,6 +4432,8 @@
+ 	in the standard printer dialog.
+ 	If the option is empty, then vim will use the system default printer
+ 	for ":hardcopy!"
++	This option cannot be set from a |modeline| or in the |sandbox|, for
++	security reasons.
+ 
+ 					*'printencoding'* *'penc'* *E620*
+ 'printencoding' 'penc'	String	(default empty, except for:
+@@ -5711,6 +5721,7 @@
+ 	Syntax autocommand event is triggered with the value as argument.
+ 	This option is not copied to another buffer, independent of the 's' or
+ 	'S' flag in 'cpoptions'.
++	Only normal file name characters can be used, "/\*?[|<>" are illegal.
+ 
+ 					*'tabstop'* *'ts'*
+ 'tabstop' 'ts'		number	(default 8)
+@@ -6089,6 +6100,8 @@
+ 	This option will be used for the window title when exiting Vim if the
+ 	original title cannot be restored.  Only happens if 'title' is on or
+ 	'titlestring' is not empty.
++	This option cannot be set from a |modeline| or in the |sandbox|, for
++	security reasons.
+ 						*'titlestring'*
+ 'titlestring'		string	(default "")
+ 			global
+diff -Naur vim63.orig/src/option.c vim63/src/option.c
+--- vim63.orig/src/option.c	2004-05-15 10:20:06.000000000 +0000
++++ vim63/src/option.c	2004-12-30 11:00:23.966482368 +0000
+@@ -293,6 +293,7 @@
+ #define P_SECURE	0x40000L/* cannot change in modeline or secure mode */
+ #define P_GETTEXT	0x80000L/* expand default value with _() */
+ #define P_NOGLOB       0x100000L/* do not use local value for global vimrc */
++#define P_NFNAME       0x200000L/* only normal file name chars allowed */
+ 
+ /*
+  * options[] is initialized here.
+@@ -413,7 +414,7 @@
+     {"backupdir",   "bdir", P_STRING|P_EXPAND|P_VI_DEF|P_COMMA|P_NODUP|P_SECURE,
+ 			    (char_u *)&p_bdir, PV_NONE,
+ 			    {(char_u *)DFLT_BDIR, (char_u *)0L}},
+-    {"backupext",   "bex",  P_STRING|P_VI_DEF,
++    {"backupext",   "bex",  P_STRING|P_VI_DEF|P_NFNAME,
+ 			    (char_u *)&p_bex, PV_NONE,
+ 			    {
+ #ifdef VMS
+@@ -846,7 +847,7 @@
+     {"fileformats", "ffs",  P_STRING|P_VIM|P_COMMA|P_NODUP,
+ 			    (char_u *)&p_ffs, PV_NONE,
+ 			    {(char_u *)DFLT_FFS_VI, (char_u *)DFLT_FFS_VIM}},
+-    {"filetype",    "ft",   P_STRING|P_ALLOCED|P_VI_DEF|P_NOGLOB,
++    {"filetype",    "ft",   P_STRING|P_ALLOCED|P_VI_DEF|P_NOGLOB|P_NFNAME,
+ #ifdef FEAT_AUTOCMD
+ 			    (char_u *)&p_ft, PV_FT,
+ 			    {(char_u *)"", (char_u *)0L}
+@@ -1284,7 +1285,7 @@
+ 			    {(char_u *)0L, (char_u *)0L}
+ #endif
+ 			    },
+-    {"keymap",	    "kmp",  P_STRING|P_ALLOCED|P_VI_DEF|P_RBUF|P_RSTAT,
++    {"keymap",	    "kmp",  P_STRING|P_ALLOCED|P_VI_DEF|P_RBUF|P_RSTAT|P_NFNAME,
+ #ifdef FEAT_KEYMAP
+ 			    (char_u *)&p_keymap, PV_KMAP,
+ 			    {(char_u *)"", (char_u *)0L}
+@@ -1330,7 +1331,7 @@
+ 			    {(char_u *)NULL,
+ #endif
+ 				(char_u *)0L}},
+-    {"langmenu",    "lm",   P_STRING|P_VI_DEF,
++    {"langmenu",    "lm",   P_STRING|P_VI_DEF|P_NFNAME,
+ #if defined(FEAT_MENU) && defined(FEAT_MULTI_LANG)
+ 			    (char_u *)&p_lm, PV_NONE,
+ #else
+@@ -1562,7 +1563,7 @@
+ 			    {(char_u *)0L, (char_u *)0L}
+ #endif
+ 			    },
+-    {"patchmode",   "pm",   P_STRING|P_VI_DEF,
++    {"patchmode",   "pm",   P_STRING|P_VI_DEF|P_NFNAME,
+ 			    (char_u *)&p_pm, PV_NONE,
+ 			    {(char_u *)"", (char_u *)0L}},
+     {"path",	    "pa",   P_STRING|P_EXPAND|P_VI_DEF|P_COMMA|P_NODUP,
+@@ -1595,7 +1596,7 @@
+ 			    (char_u *)NULL, PV_NONE,
+ #endif
+ 			    {(char_u *)FALSE, (char_u *)0L}},
+-    {"printdevice", "pdev", P_STRING|P_VI_DEF,
++    {"printdevice", "pdev", P_STRING|P_VI_DEF|P_SECURE,
+ #ifdef FEAT_PRINTER
+ 			    (char_u *)&p_pdev, PV_NONE,
+ 			    {(char_u *)"", (char_u *)0L}
+@@ -1981,7 +1982,7 @@
+     {"switchbuf",   "swb",  P_STRING|P_VI_DEF|P_COMMA|P_NODUP,
+ 			    (char_u *)&p_swb, PV_NONE,
+ 			    {(char_u *)"", (char_u *)0L}},
+-    {"syntax",	    "syn",  P_STRING|P_ALLOCED|P_VI_DEF|P_NOGLOB,
++    {"syntax",	    "syn",  P_STRING|P_ALLOCED|P_VI_DEF|P_NOGLOB|P_NFNAME,
+ #ifdef FEAT_SYN_HL
+ 			    (char_u *)&p_syn, PV_SYN,
+ 			    {(char_u *)"", (char_u *)0L}
+@@ -2086,7 +2087,7 @@
+ 			    (char_u *)NULL, PV_NONE,
+ #endif
+ 			    {(char_u *)85L, (char_u *)0L}},
+-    {"titleold",    NULL,   P_STRING|P_VI_DEF|P_GETTEXT,
++    {"titleold",    NULL,   P_STRING|P_VI_DEF|P_GETTEXT|P_SECURE,
+ #ifdef FEAT_TITLE
+ 			    (char_u *)&p_titleold, PV_NONE,
+ 			    {(char_u *)N_("Thanks for flying Vim"),
+@@ -2321,7 +2322,7 @@
+ 			    {(char_u *)0L, (char_u *)0L}},
+ 
+ /* terminal output codes */
+-#define p_term(sss, vvv)   {sss, NULL, P_STRING|P_VI_DEF|P_RALL, \
++#define p_term(sss, vvv)   {sss, NULL, P_STRING|P_VI_DEF|P_RALL|P_SECURE, \
+ 			    (char_u *)&vvv, PV_NONE, \
+ 			    {(char_u *)"", (char_u *)0L}},
+ 
+@@ -3302,7 +3303,8 @@
+ 	errmsg = NULL;
+ 	startarg = arg;		/* remember for error message */
+ 
+-	if (STRNCMP(arg, "all", 3) == 0 && !isalpha(arg[3]))
++	if (STRNCMP(arg, "all", 3) == 0 && !isalpha(arg[3])
++						&& !(opt_flags & OPT_MODELINE))
+ 	{
+ 	    /*
+ 	     * ":set all"  show all options.
+@@ -3318,7 +3320,7 @@
+ 	    else
+ 		showoptions(1, opt_flags);
+ 	}
+-	else if (STRNCMP(arg, "termcap", 7) == 0)
++	else if (STRNCMP(arg, "termcap", 7) == 0 && !(opt_flags & OPT_MODELINE))
+ 	{
+ 	    showoptions(2, opt_flags);
+ 	    show_termcodes();
+@@ -4604,6 +4606,15 @@
+ 	errmsg = e_secure;
+     }
+ 
++    /* Check for a "normal" file name in some options.  Disallow a path
++     * separator (slash and/or backslash), wildcards and characters that are
++     * often illegal in a file name. */
++    else if ((options[opt_idx].flags & P_NFNAME)
++				   && vim_strpbrk(*varp, "/\\*?[|<>") != NULL)
++    {
++	errmsg = e_invarg;
++    }
++
+     /* 'term' */
+     else if (varp == &T_NAME)
+     {
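Review bot: The P_NFNAME check in the last option.c hunk is a denylist, `vim_strpbrk(*varp, "/\\*?[|<>") != NULL`, so every character not in that string is still accepted for 'backupext', 'filetype', 'keymap', 'langmenu', 'patchmode' and 'syntax', including when the value arrives from a modeline. Path separators and wildcards are covered, but whitespace, quotes and other punctuation are not, and whether any of these values later reaches a shell command or an executed string cannot be judged from this hunk. An allowlist would be the more robust form: reject the value unless every byte is alphanumeric or one of a short set such as `.`, `-` and `_`, at least for 'filetype', 'syntax' and 'keymap', whose values the documentation hunks describe as names. The new branch also sits in an `else if` chain after the `errmsg = e_secure;` branch, so it only runs when the earlier conditions did not match; a one-line comment saying that ordering is intentional would help. The enclosing function starts and ends outside the hunk.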



