Commit | Line | Data |
---|---|---|
da19a804 JB |
1 | From Ubuntu's changelog: |
2 | * utils/statd/statd.c (patch from SGI): | |
3 | - drop_privs(): fix uninitialized st.st_gid value when running as root | |
4 | (not exploitable, but using random group ids might be confusing) | |
5 | * utils/rquotad/rquota_server.c (Arjan van de Ven): | |
6 | - getquotainfo(): do not use memcpy() to copy | |
7 | values from struct dqblk to struct rquota; on 64 bit architectures time_t | |
8 | is 64 bits wide, but the target fields are only 32 bit, thus causing a | |
9 | buffer overflow | |
10 | - CAN-2004-0946 | |
11 | ||
6183e994 AG |
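--- nfs-utils-1.0.6.orig/utils/statd/statd.c
+++ nfs-utils-1.0.6/utils/statd/statd.c
@@ -179,8 +179,10 @@
 struct stat st;
 
 if (stat(SM_DIR, &st) == -1 &&
- stat(DIR_BASE, &st) == -1)
+ stat(DIR_BASE, &st) == -1) {
 st.st_uid = 0;
+ st.st_gid = 0;
+ }
 
 if (st.st_uid == 0) {
 note(N_WARNING, "statd running as root. chown %s to choose different user\n",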
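Review bot: When both stat() calls fail, the new braced branch falls back to uid 0 and gid 0 without recording why, so the only trace is the later "statd running as root. chown %s ..." warning, which reads as if the directory were simply owned by root. Logging the failure inside the new braces would let an operator tell a missing or unreadable state directory from a deliberately root-owned one, for example `note(N_WARNING, "cannot stat %s or %s: %s\n", SM_DIR, DIR_BASE, strerror(errno));` (assuming the errno and string headers are already included in this file). Whether the daemon should keep running with root's ids at all in that case is a policy choice the hunk does not show. The function's body starts and ends outside the hunk.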
6183e994 AG |
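--- nfs-utils-1.0.6.orig/utils/rquotad/rquota_server.c
+++ nfs-utils-1.0.6/utils/rquotad/rquota_server.c
@@ -76,6 +76,7 @@
 char *pathname, *qfpathname;
 int fd, err, id, type;
 struct stat stm, stn;
+ struct rquota *rquota;
 
 /*
 * First check authentication.
@@ -168,8 +169,16 @@
 * Make a copy of the info into the last part of the remote quota
 * struct which is exactly the same.
 */
- memcpy((caddr_t *)&result.getquota_rslt_u.gqr_rquota.rq_bhardlimit,
- (caddr_t *)&dq_dqb, sizeof(struct dqblk));
+
+ rquota = &result.getquota_rslt_u.gqr_rquota;
+ rquota->rq_bhardlimit = dq_dqb.dqb_bhardlimit;
+ rquota->rq_bsoftlimit = dq_dqb.dqb_bsoftlimit;;
+ rquota->rq_curblocks = dq_dqb.dqb_curblocks;
+ rquota->rq_fhardlimit = dq_dqb.dqb_ihardlimit;
+ rquota->rq_fsoftlimit = dq_dqb.dqb_isoftlimit;
+ rquota->rq_curfiles = dq_dqb.dqb_curinodes;
+ rquota->rq_btimeleft = dq_dqb.dqb_btime;
+ rquota->rq_ftimeleft = dq_dqb.dqb_itime;
 
 return(&result);
 }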
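Review bot: The context comment directly above the new assignments in the second hunk still says the tail of the remote quota struct "is exactly the same" as struct dqblk, which is the layout assumption the commit description names as the cause of the overflow (CAN-2004-0946); it should be replaced with something like `/* Copy field by field: struct dqblk and struct rquota do not share a layout (time_t can be wider than the rq_*timeleft fields). */`. Going by the description's stated widths, the `dqb_btime` and `dqb_itime` assignments presumably still narrow a 64-bit time_t into 32-bit fields; the declarations are not visible here, so a short comment or explicit cast stating that the truncation is intended would help the next reader. The `rq_bsoftlimit` line also ends in a stray `;;`. getquotainfo()'s body starts outside the hunk.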