[exim-cvs] CVE-2020-28012: Missing close-on-exec flag for p…

Author: Exim Git Commits Mailing List
Date:
To: exim-cvs
Subject: [exim-cvs] CVE-2020-28012: Missing close-on-exec flag for privileged pipe
Gitweb: https://git.exim.org/exim.git/commitdiff/e4e3d18dad8b9b8560889f552e1060d0f83c7159
Commit:     e4e3d18dad8b9b8560889f552e1060d0f83c7159
Parent:     cf8734c3fd0823053ae3605beb8681d0957cf4a6
Author:     Qualys Security Advisory <qsa@???>
AuthorDate: Sun Feb 21 21:53:55 2021 -0800
Committer:  Heiko Schlittermann (HS12-RIPE) <hs@???>
CommitDate: Thu May 27 21:30:54 2021 +0200


    CVE-2020-28012: Missing close-on-exec flag for privileged pipe


    (cherry picked from commit 72dad1e64bb3d1ff387938f59678098cab1f60a3)
    (cherry picked from commit 645a31d16195bb6b73f0a0d0c04b2251e5b28421)
---
 doc/doc-txt/ChangeLog | 3 +++
 src/src/rda.c         | 5 +++++
 2 files changed, 8 insertions(+)


diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index adf43bc..bcace27 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -302,6 +302,9 @@ QS/01 Creation of (database) files in $spool_dir: only uid=0 or the uid of
 QS/02 PID file creation/deletion: only possible if uid=0 or uid is the Exim
       runtime user.


+QS/03 When reading the output from interpreted forward files we do not
+      pass the pipe between the parent and the interpreting process to
+      executed child processes (if any).


Exim version 4.94
-----------------
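Review bot: the new QS/03 entry does not carry the CVE identifier that the commit title does, so the ChangeLog cannot be searched by CVE number when the advisory is published; suggest leading the entry with it, e.g. `QS/03 CVE-2020-28012: When reading the output from interpreted forward files`, matching the way the fix is named in the commit message. The wording "executed child processes (if any)" is accurate but could say explicitly that the pipe's write end is now marked close-on-exec, which is the actual change a reader of the ChangeLog would want to know.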
diff --git a/src/src/rda.c b/src/src/rda.c
index 5615b64..fb3714e 100644
--- a/src/src/rda.c
+++ b/src/src/rda.c
@@ -618,9 +618,14 @@ search_tidyup();
if ((pid = exim_fork(US"router-interpret")) == 0)
{
header_line *waslast = header_last; /* Save last header */
+ int fd_flags = -1;

fd = pfd[pipe_write];
(void)close(pfd[pipe_read]);
+
+ if ((fd_flags = fcntl(fd, F_GETFD)) == -1) goto bad;
+ if (fcntl(fd, F_SETFD, fd_flags | FD_CLOEXEC) == -1) goto bad;
+
exim_setugid(ugid->uid, ugid->gid, FALSE, rname);

/* Addresses can get rewritten in filters; if we are not root or the exim
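Review bot: the two new `goto bad` lines jump to a label that is not visible in this hunk; confirm that `bad:` in rda.c reports the fcntl failure to the parent and terminates the child rather than falling through into normal interpretation, since the parent is blocked reading `pfd[pipe_read]` and an unreported failure there would leave the write end inherited by anything the interpreter later executes. The placement is right: the flag is set after the fork, on the child's own copy of `fd`, and before `exim_setugid` drops privilege, so every later exec in this child closes the write end automatically, and `F_SETFD` needs no special privilege. `close(pfd[pipe_read])` already disposes of the read end in the child, so only the write end needs `FD_CLOEXEC`. Minor: `int fd_flags = -1;` is assigned before first use, so the initialiser is harmless but unnecessary.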