1 |
diff -Nur smeserver-vacation-1.1.old/root/usr/share/perl5/vendor_perl/esmith/FormMagick/Panel/uservacations.pm smeserver-vacation-1.1/root/usr/share/perl5/vendor_perl/esmith/FormMagick/Panel/uservacations.pm |
2 |
--- smeserver-vacation-1.1.old/root/usr/share/perl5/vendor_perl/esmith/FormMagick/Panel/uservacations.pm 2017-01-16 16:12:48.728000000 -0500 |
3 |
+++ smeserver-vacation-1.1/root/usr/share/perl5/vendor_perl/esmith/FormMagick/Panel/uservacations.pm 2017-01-16 16:32:49.593000000 -0500 |
4 |
@@ -414,14 +414,33 @@ |
5 |
$vacation_text =~ s/\r//g; |
6 |
|
7 |
unlink $vfile; |
8 |
+ # for the next lines to avoid race condition vulnerability, we switch the effective user to |
9 |
+ # the one needed see SME #9073 . Those 4 lines are for explanation of the used variables. |
10 |
+ #$< - real user id (uid); unique value |
11 |
+ #$> - effective user id (euid); unique value |
12 |
+ #$( - real group id (gid); list (separated by spaces) of groups |
13 |
+ #$) - effective group id (egid); list (separated by spaces) of groups |
14 |
+ |
15 |
+ # remember the UID of the user currently running this script |
16 |
+ my $original_uid = $>; |
17 |
+ my $original_gid = $); |
18 |
+ |
19 |
+ # switch effective UID running this script to $user |
20 |
+ # in order to prevent race condition vulnerability |
21 |
+ my $uid = getpwnam($user) or die "Could not get UID for $user\n"; |
22 |
+ my $gid = getgrnam($user) or die "Could not get GID for $user\n"; |
23 |
+ $) = $gid;# should be switched first while still root! |
24 |
+ $> = $uid; |
25 |
+ |
26 |
open (VACATION, ">$vfile") |
27 |
or die ("Error opening vacation message.\n"); |
28 |
|
29 |
print VACATION "$vacation_text"; |
30 |
close VACATION; |
31 |
|
32 |
- esmith::util::chownFile($user, $user, |
33 |
- "/home/e-smith/files/users/$user/.vacation.msg"); |
34 |
+ # switch effective UID and GID back to original user |
35 |
+ $> = $original_uid; |
36 |
+ $) = $original_gid; |
37 |
|
38 |
$adb->set_prop($user, 'EmailVacation', $EmailVacation); |
39 |
$adb->set_prop($user, 'EmailVacationFrom', $EmailVacationFrom); |