Diffstat (limited to 'main/openrc/0014-checkpath-replace-mkdir-with-mkdirat.patch')
-rw-r--r-- | main/openrc/0014-checkpath-replace-mkdir-with-mkdirat.patch | 33 |
1 files changed, 33 insertions, 0 deletions
diff --git a/main/openrc/0014-checkpath-replace-mkdir-with-mkdirat.patch b/main/openrc/0014-checkpath-replace-mkdir-with-mkdirat.patch
new file mode 100644
index 00000000000..8f3d55db5de
--- /dev/null
+++ b/main/openrc/0014-checkpath-replace-mkdir-with-mkdirat.patch
@@ -0,0 +1,33 @@
+From 00ea2166081856774f24f7243126f701c7fe6db9 Mon Sep 17 00:00:00 2001
+From: Michael Orlitzky <michael@orlitzky.com>
+Date: Wed, 25 Nov 2020 07:15:50 -0500
+Subject: [PATCH] src/rc/checkpath.c: replace mkdir() with mkdirat().
+
+The do_check() function recently gained some defenses against symlink
+replacement attacks that involve the use of *at functions in place of
+their vanilla counterparts; openat() instead of open(), for example.
+One opportunity to replace mkdir() with mkdirat() was missed, however,
+and this commit replaces it.
+
+This fixes #386.
+---
+ src/rc/checkpath.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/rc/checkpath.c b/src/rc/checkpath.c
+index 6422446a1..1e570de92 100644
+--- a/src/rc/checkpath.c
++++ b/src/rc/checkpath.c
+@@ -197,10 +197,10 @@ static int do_check(char *path, uid_t uid, gid_t gid, mode_t mode,
+ mode = S_IRWXU | S_IRWXG | S_IROTH | S_IXOTH;
+ u = umask(0);
+ /* We do not recursively create parents */
+- r = mkdir(path, mode);
++ r = mkdirat(dirfd, name, mode);
+ umask(u);
+ if (r == -1 && errno != EEXIST) {
+- eerror("%s: mkdirat: %s", applet,
+ strerror (errno));
+ return -1;
+ } |
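Review bot: The `errno != EEXIST` test after `mkdirat(dirfd, name, mode)` lets any pre-existing entry called `name` through, and the hunk does not show whether the code that follows checks that the entry is a real directory rather than a symlink or other file type. `do_check()` starts and continues outside the hunk, and `dirfd` and `name` are set up there too, so this cannot be confirmed from the visible lines; presumably the later ownership and mode changes go through `openat(dirfd, name, ...)` with `O_NOFOLLOW`, which is worth verifying against the full file before relying on the patch. I would record the requirement next to the check, for example `/* EEXIST: name may be a symlink or non-directory; only touch it via dirfd with O_NOFOLLOW */`. Separately, the `eerror("%s: mkdirat: %s", ...)` message names neither `path` nor `name`, so a failure in a boot log cannot be tied to a specific checkpath target; adding the path to the format string would fix that.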