abuse-0.7.1.158-security.patch on Ticket #25 – Attachment – Abuse

src/cache.cpp

     char *prefix="c:\\";
 #else
     char const *prefix = "/tmp/";     // for UNIX store lisp cache in tmp dir
     int flags = O_CREAT | O_RDWR;
+    int flags = O_CREAT | O_EXCL | O_RDWR;
 #endif
+    // drop privileges prior to creating file.
+    uid_t euid;
+    gid_t egid;
+    euid = geteuid();
+    egid = getegid();
+    if(setgid(getgid()) != 0 || setuid(getuid()) != 0) {
+        printf("Error : can not drop privileges");
+        return;
+    }
     int cfail = 1, num = 0;
     do
+    {
 …
     } while (cfail && num<15);
+    setuid(euid);
+    setgid(egid);
     if (cfail)
+    {
         fprintf(stderr,"Error : Unable to open cache file for compiled code.\n"

     else if (!strcmp(argv[i],"-f"))
+    {
       i++;
+      strcpy(level_file,argv[i]);
+      strncpy(level_file,argv[i],sizeof(level_file)-1);
+      level_file[sizeof(level_file)-1] = '\0';
     } else if (!strcmp(argv[i],"-2"))
       start_doubled=1;
     else if (!strcmp(argv[i],"-demo"))

 void fast_load_start_recording(char *filename)
+{
+    // drop privileges prior to creating file.
+    uid_t euid;
+    gid_t egid;
+    euid = geteuid();
+    egid = getegid();
+    if(setgid(getgid()) != 0 || setuid(getuid()) != 0) {
+        dprintf("Specs : can not drop privileges");
+        return;
+    }
     fast_load_fd = ::open(filename,O_CREAT|O_RDWR,S_IRWXU | S_IRWXG | S_IRWXO);
     fast_load_mode = 1;
+    setuid(euid);
+    setgid(egid);
+}
 void fast_load_stop_recording()


85	85	else if( !strcmp( argv[i], "-net" ) && i < argc-1 )
86	86	{
87	87	i++;
88		strcpy( main_net_cfg->server_name, argv[i] );
	88	strncpy(main_net_cfg->server_name,argv[i],sizeof(main_net_cfg->server_name)-1);
	89	main_net_cfg->server_name[sizeof(main_net_cfg->server_name)-1]='\0';
89	90	main_net_cfg->state = net_configuration::CLIENT;
90	91	}
91	92	else if (!strcmp(argv[i],"-ndb"))

   if (fp->open_failure())
+  {
     delete fp;
     sprintf(fn,"art/%s",filename);
+    snprintf(fn,sizeof(fn),"art/%s",filename);
     fp=open_file(fn,"rb");
     if (fp->open_failure())
+    {
 …
     char *cachepath;
     cachepath = (char *)malloc( strlen( get_save_filename_prefix() ) + 12 + 1 );
     sprintf( cachepath, "%ssd_cache.tmp", get_save_filename_prefix() );
+    snprintf( cachepath, sizeof(cachepath), "%ssd_cache.tmp", get_save_filename_prefix() );
     bFILE *load = open_file( cachepath, "rb" );
     if( !load->open_failure() )
 …
       if (!strcmp(argv[i],"-a"))
+      {
     i++;
     sprintf(lsf,"addon/%s/%s.lsp",argv[i],argv[i]);
+    snprintf(lsf,sizeof(lsf),"addon/%s/%s.lsp",argv[i],argv[i]);
+      }
+    }
   } else if (!get_remote_lsf(net_server,lsf))
 …
   c_target=cache.reg("art/dev.spe","c_target",SPEC_IMAGE,0);
   sprintf(prog,"(load \"%s\")\n",lsf);
+  snprintf(prog,sizeof(prog),"(load \"%s\")\n",lsf);
   cs=prog;
   if (!eval(compile(cs)))
 …
   for (int z=0;z<=11;z++)
+  {
     char nm[10];
     sprintf(nm,"l%d",z);
+    snprintf(nm,sizeof(nm),"l%d",z);
     light_buttons[z]=cache.reg("art/dev.spe",nm,SPEC_IMAGE,0);
+  }
 …
   char fn[100];
   char *s;
   sprintf(fn,"%s",name);
+  snprintf(fn,sizeof(fn),"%s",name);
   bFILE *fp=open_file(fn,"rb");
   if (fp->open_failure())
+  {