Andrew Geissler | d25ed32 | 2020-06-27 00:28:28 -0500 | [diff] [blame] | 1 | From 156a5fd297b61bce31630d7a52c15614bf784843 Mon Sep 17 00:00:00 2001 |
| 2 | From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl> |
| 3 | Date: Sun, 31 May 2020 18:21:09 +0200 |
| 4 | Subject: [PATCH 1/1] basic/user-util: always use base 10 for user/group |
| 5 | numbers |
| 6 | |
| 7 | We would parse numbers with base prefixes as user identifiers. For example, |
| 8 | "0x2b3bfa0" would be interpreted as UID==45334432 and "01750" would be |
| 9 | interpreted as UID==1000. This parsing was used also in cases where either a |
| 10 | user/group name or number may be specified. This means that names like |
| 11 | 0x2b3bfa0 would be ambiguous: they are a valid user name according to our |
| 12 | documented relaxed rules, but they would also be parsed as numeric uids. |
| 13 | |
| 14 | This behaviour is definitely not expected by users, since tools generally only |
| 15 | accept decimal numbers (e.g. id, getent passwd), while other tools only accept |
| 16 | user names and thus will interpret such strings as user names without even |
| 17 | attempting to convert them to numbers (su, ssh). So let's follow suit and only |
| 18 | accept numbers in decimal notation. Effectively this means that we will reject |
| 19 | such strings as a username/uid/groupname/gid where strict mode is used, and try |
| 20 | to look up a user/group with such a name in relaxed mode. |
| 21 | |
| 22 | Since the function changed is fairly low-level and fairly widely used, this |
| 23 | affects multiple tools: loginctl show-user/enable-linger/disable-linger foo', |
| 24 | the third argument in sysusers.d, fourth and fifth arguments in tmpfiles.d, |
| 25 | etc. |
| 26 | |
| 27 | Fixes #15985. |
| 28 | --- |
| 29 | src/basic/user-util.c | 2 +- |
| 30 | src/test/test-user-util.c | 10 ++++++++++ |
| 31 | 2 files changed, 11 insertions(+), 1 deletion(-) |
| 32 | |
| 33 | --- end of commit 156a5fd297b61bce31630d7a52c15614bf784843 --- |
| 34 | |
| 35 | |
| 36 | Add definition of safe_atou32_full() from commit b934ac3d6e7dcad114776ef30ee9098693e7ab7e |
| 37 | |
| 38 | CVE: CVE-2020-13776 |
| 39 | |
| 40 | Upstream-Status: Backport [https://github.com/systemd/systemd.git] |
| 41 | |
| 42 | Signed-off-by: Joe Slater <joe.slater@windriver.com> |
| 43 | |
| 44 | |
| 45 | |
| 46 | --- git.orig/src/basic/user-util.c |
| 47 | +++ git/src/basic/user-util.c |
| 48 | @@ -49,7 +49,7 @@ int parse_uid(const char *s, uid_t *ret) |
| 49 | assert(s); |
| 50 | |
| 51 | assert_cc(sizeof(uid_t) == sizeof(uint32_t)); |
| 52 | - r = safe_atou32(s, &uid); |
| 53 | + r = safe_atou32_full(s, 10, &uid); |
| 54 | if (r < 0) |
| 55 | return r; |
| 56 | |
| 57 | --- git.orig/src/test/test-user-util.c |
| 58 | +++ git/src/test/test-user-util.c |
| 59 | @@ -48,9 +48,19 @@ static void test_parse_uid(void) { |
| 60 | |
| 61 | r = parse_uid("65535", &uid); |
| 62 | assert_se(r == -ENXIO); |
| 63 | + assert_se(uid == 100); |
| 64 | + |
| 65 | + r = parse_uid("0x1234", &uid); |
| 66 | + assert_se(r == -EINVAL); |
| 67 | + assert_se(uid == 100); |
| 68 | + |
| 69 | + r = parse_uid("01234", &uid); |
| 70 | + assert_se(r == 0); |
| 71 | + assert_se(uid == 1234); |
| 72 | |
| 73 | r = parse_uid("asdsdas", &uid); |
| 74 | assert_se(r == -EINVAL); |
| 75 | + assert_se(uid == 1234); |
| 76 | } |
| 77 | |
| 78 | static void test_uid_ptr(void) { |
| 79 | --- git.orig/src/basic/parse-util.h |
| 80 | +++ git/src/basic/parse-util.h |
| 81 | @@ -45,9 +45,13 @@ static inline int safe_atoux16(const cha |
| 82 | |
| 83 | int safe_atoi16(const char *s, int16_t *ret); |
| 84 | |
| 85 | -static inline int safe_atou32(const char *s, uint32_t *ret_u) { |
| 86 | +static inline int safe_atou32_full(const char *s, unsigned base, uint32_t *ret_u) { |
| 87 | assert_cc(sizeof(uint32_t) == sizeof(unsigned)); |
| 88 | - return safe_atou(s, (unsigned*) ret_u); |
| 89 | + return safe_atou_full(s, base, (unsigned*) ret_u); |
| 90 | +} |
| 91 | + |
| 92 | +static inline int safe_atou32(const char *s, uint32_t *ret_u) { |
| 93 | + return safe_atou32_full(s, 0, (unsigned*) ret_u); |
| 94 | } |
| 95 | |
| 96 | static inline int safe_atoi32(const char *s, int32_t *ret_i) { |