Ticket #25: abuse-0.7.1.158-security.patch

File abuse-0.7.1.158-security.patch, 3.6 KB (added by guest, 10 years ago)
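--- a/src/cache.cpp
+++ b/src/cache.cpp
@@ -678,9 +678,20 @@
     char *prefix="c:\\";
 #else
     char const *prefix = "/tmp/";     // for UNIX store lisp cache in tmp dir
-    int flags = O_CREAT | O_RDWR;
+    int flags = O_CREAT | O_EXCL | O_RDWR;
 #endif
 
+    // drop privileges prior to creating file.
+    uid_t euid;
+    gid_t egid;
+    euid = geteuid();
+    egid = getegid();
+
+    if(setgid(getgid()) != 0 || setuid(getuid()) != 0) {
+        printf("Error : can not drop privileges");
+        return;
+    }
+
     int cfail = 1, num = 0;
     do
     {
@@ -704,6 +715,9 @@
 
     } while (cfail && num<15);
 
+    setuid(euid);
+    setgid(egid);
+
     if (cfail)
     {
         fprintf(stderr,"Error : Unable to open cache file for compiled code.\n"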
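Review bot: The temporary privilege drop added before the cache-file loop uses `setuid(getuid())`/`setgid(getgid())`, and the restore after the loop, `setuid(euid); setgid(egid);`, ignores both return values. If the binary runs with an effective uid of 0, `setuid()` also resets the saved set-user-ID, so the drop is permanent and the restore fails without any indication. A temporary drop is normally written with `setegid(getgid())`/`seteuid(getuid())` and undone with `if (seteuid(euid) != 0 || setegid(egid) != 0)` followed by an error path. The same pattern is added to `fast_load_start_recording` in src/imlib/specs.cpp. The drop's error message also goes to stdout without a newline while the neighbouring failure path reports to stderr; the enclosing function starts and ends outside the hunks shown.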
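--- a/src/dev.cpp
+++ b/src/dev.cpp
@@ -866,7 +866,8 @@
     else if (!strcmp(argv[i],"-f"))
     {
       i++;
-      strcpy(level_file,argv[i]);
+      strncpy(level_file,argv[i],sizeof(level_file)-1);
+      level_file[sizeof(level_file)-1] = '\0';
     } else if (!strcmp(argv[i],"-2"))
       start_doubled=1;
     else if (!strcmp(argv[i],"-demo"))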
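Review bot: The `-f` branch still does `i++` and then reads `argv[i]` with no check that another argument exists, so if the loop runs up to `argc`, a trailing `-f` hands a null pointer to the new `strncpy`. The `-net` branch in src/innet.cpp guards this with `&& i < argc-1`, and the same guard fits here: `else if (!strcmp(argv[i],"-f") && i < argc-1)`. `sizeof(level_file)` is only the buffer size if `level_file` is declared as an array, which is not visible in this hunk and should be confirmed. The option-parsing loop starts and ends outside the hunk.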
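--- a/src/imlib/specs.cpp
+++ b/src/imlib/specs.cpp
@@ -290,8 +290,22 @@
 
 void fast_load_start_recording(char *filename)
 {
+    // drop privileges prior to creating file.
+    uid_t euid;
+    gid_t egid;
+    euid = geteuid();
+    egid = getegid();
+
+    if(setgid(getgid()) != 0 || setuid(getuid()) != 0) {
+        dprintf("Specs : can not drop privileges");
+        return;
+    }
+
     fast_load_fd = ::open(filename,O_CREAT|O_RDWR,S_IRWXU | S_IRWXG | S_IRWXO);
     fast_load_mode = 1;
+
+    setuid(euid);
+    setgid(egid);
 }
 
 void fast_load_stop_recording()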
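Review bot: The `::open` call that the privilege drop now wraps still creates the recording file with `O_CREAT|O_RDWR` and mode `S_IRWXU | S_IRWXG | S_IRWXO`, and its result is not checked before `fast_load_mode = 1`. Unlike the cache file in src/cache.cpp, which gains `O_EXCL` in this patch, this path will open an existing file or follow a symlink at `filename`, and a newly created file is world-writable subject to the umask. Consider `::open(filename, O_CREAT|O_RDWR|O_NOFOLLOW, S_IRUSR|S_IWUSR)` and setting `fast_load_mode` only when `fast_load_fd >= 0`. On the early `return` after a failed drop, `fast_load_mode` is left unchanged; whether callers tolerate that depends on code outside this section.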
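--- a/src/innet.cpp
+++ b/src/innet.cpp
@@ -85,7 +85,8 @@
         else if( !strcmp( argv[i], "-net" ) && i < argc-1 )
         {
             i++;
-            strcpy( main_net_cfg->server_name, argv[i] );
+            strncpy(main_net_cfg->server_name,argv[i],sizeof(main_net_cfg->server_name)-1);
+            main_net_cfg->server_name[sizeof(main_net_cfg->server_name)-1]='\0';
             main_net_cfg->state = net_configuration::CLIENT;
         }
         else if (!strcmp(argv[i],"-ndb"))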
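Review bot: An over-long `-net` argument is now silently cut to fit `server_name`, so the client would go on to use a server name different from the one the user supplied. Rejecting the argument with a message when `strlen(argv[i]) >= sizeof(main_net_cfg->server_name)` is safer than truncating. `sizeof(main_net_cfg->server_name)` is only the buffer size if the member is an array; its declaration is not visible here and should be confirmed.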
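--- a/src/loader2.cpp
+++ b/src/loader2.cpp
@@ -93,7 +93,7 @@
   if (fp->open_failure())
   {
     delete fp;
-    sprintf(fn,"art/%s",filename);
+    snprintf(fn,sizeof(fn),"art/%s",filename);
     fp=open_file(fn,"rb");
     if (fp->open_failure())
     {
@@ -296,7 +296,7 @@
 
     char *cachepath;
     cachepath = (char *)malloc( strlen( get_save_filename_prefix() ) + 12 + 1 );
-    sprintf( cachepath, "%ssd_cache.tmp", get_save_filename_prefix() );
+    snprintf( cachepath, sizeof(cachepath), "%ssd_cache.tmp", get_save_filename_prefix() );
 
     bFILE *load = open_file( cachepath, "rb" );
     if( !load->open_failure() )
@@ -322,7 +322,7 @@
       if (!strcmp(argv[i],"-a"))
       {
     i++;
-    sprintf(lsf,"addon/%s/%s.lsp",argv[i],argv[i]);
+    snprintf(lsf,sizeof(lsf),"addon/%s/%s.lsp",argv[i],argv[i]);
       }
     }
   } else if (!get_remote_lsf(net_server,lsf))
@@ -339,7 +339,7 @@
   c_target=cache.reg("art/dev.spe","c_target",SPEC_IMAGE,0);
 
 
-  sprintf(prog,"(load \"%s\")\n",lsf);
+  snprintf(prog,sizeof(prog),"(load \"%s\")\n",lsf);
 
   cs=prog;
   if (!eval(compile(cs)))
@@ -355,7 +355,7 @@
   for (int z=0;z<=11;z++)
   {
     char nm[10];
-    sprintf(nm,"l%d",z);
+    snprintf(nm,sizeof(nm),"l%d",z);
     light_buttons[z]=cache.reg("art/dev.spe",nm,SPEC_IMAGE,0);
   }
 
@@ -484,7 +484,7 @@
   char fn[100];
   char *s;
 
-  sprintf(fn,"%s",name);
+  snprintf(fn,sizeof(fn),"%s",name);
   bFILE *fp=open_file(fn,"rb");
   if (fp->open_failure())
   {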
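Review bot: At new line 299, `sizeof(cachepath)` is the size of a `char *` (declared two lines above), not of the allocation, so `snprintf` now truncates the cache path to 3 or 7 characters and `open_file` is given the wrong name. The bound should be the allocated length: `size_t cachelen = strlen( get_save_filename_prefix() ) + 12 + 1;`, `cachepath = (char *)malloc( cachelen );`, `snprintf( cachepath, cachelen, "%ssd_cache.tmp", get_save_filename_prefix() );`. The `malloc` result is also used unchecked. The other `snprintf` calls in this file take `sizeof` of `fn`, `lsf` and `prog`; only `char fn[100]` and `char nm[10]` are declared inside the hunks, so the remaining declarations should be confirmed to be arrays for the bound to hold.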