Version in base suite: 1.0.4-5 Version in overlay suite: (not present) Base version: acpid_1.0.4-5 Target version: acpid_1.0.4-5etch1 Base file: /org/ftp.debian.org/ftp/pool/main/a/acpid/acpid_1.0.4-5.dsc Target file: /org/ftp.debian.org/queue/o-p-u-new/acpid_1.0.4-5etch1.dsc acpid-1.0.4/acpid.8 | 4 +++ acpid-1.0.4/acpid.c | 46 +++++++++++++++++++++++++++++++---- acpid-1.0.4/debian/changelog | 6 ++++ acpid-1.0.4/debian/control | 1 acpid-1.0.4/event.c | 55 +++++++++++++++++++++++++++++++++++++++++++ acpid-1.0.4/ud_socket.c | 7 +++++ acpid.h | 3 ++ ud_socket.h | 3 +- 8 files changed, 118 insertions(+), 7 deletions(-) diff -u acpid-1.0.4/acpid.8 acpid-1.0.4/acpid.8 --- acpid-1.0.4/acpid.8 +++ acpid-1.0.4/acpid.8 @@ -59,6 +59,10 @@ This option changes the directory in which \fBacpid\fP looks for rule configuration files. Default is \fI/etc/acpi/events\fP. .TP 12 +.BI \-C "\fR, \fP" \--clientmax " number" +This option changes the maximum number of non-root socket connections which +can be made to the \fBacpid\fP socket. Default is \fI256\fP. +.TP 12 .BI \-d "\fR, \fP" \--debug This option increases the \fBacpid\fP debug level by one. If the debug level is non-zero, \fBacpid\fP will run in the foreground, and will log to diff -u acpid-1.0.4/acpid.c acpid-1.0.4/acpid.c --- acpid-1.0.4/acpid.c +++ acpid-1.0.4/acpid.c @@ -41,6 +41,7 @@ static int daemonize(void); static int open_logs(void); static void clean_exit(int sig); +static void clean_exit_with_status(int status); static void reopen_logs(int sig); static void reload_conf(int sig); static char *read_line(int fd); @@ -48,6 +49,9 @@ /* global debug level */ int acpid_debug; +/* the number of non-root clients that are connected */ +int non_root_clients; + static const char *progname; static const char *confdir = ACPI_CONFDIR; static const char *logfile = ACPI_LOGFILE; @@ -57,6 +61,7 @@ static const char *socketgroup; static mode_t socketmode = ACPI_SOCKETMODE; static int foreground; +static int clientmax = ACPID_CLIENTMAX; int main(int argc, char **argv) @@ -177,7 +182,7 @@ struct pollfd ar[2]; int r; int fds = 0; - + /* poll for the socket and the event file */ ar[0].fd = event_fd; ar[0].events = POLLIN; fds++; if (!nosocket) { @@ -192,6 +197,9 @@ continue; } + /* house keeping */ + acpid_close_dead_clients(); + /* was it an event? */ if (ar[0].revents) { char *event; @@ -220,13 +228,14 @@ break; } } - } + } /* was it a new connection? */ if (!nosocket && ar[1].revents) { int cli_fd; struct ucred creds; char buf[32]; + static int accept_errors; /* this shouldn't happen */ if (!ar[1].revents & POLLIN) { @@ -240,15 +249,29 @@ if (cli_fd < 0) { acpid_log("ERR: can't accept client: %s\n", strerror(errno)); + accept_errors++; + if (accept_errors >= 5) { + acpid_log("giving up\n"); + clean_exit_with_status(EXIT_FAILURE); + } + continue; + } + accept_errors = 0; + if (creds.uid != 0 && non_root_clients >= clientmax) { + close(cli_fd); + acpid_log("too many non-root clients\n"); continue; } + if (creds.uid != 0) { + non_root_clients++; + } snprintf(buf, sizeof(buf)-1, "%d[%d:%d]", creds.pid, creds.uid, creds.gid); acpid_add_client(cli_fd, buf); } } - clean_exit(EXIT_SUCCESS); + clean_exit_with_status(EXIT_SUCCESS); return 0; } @@ -261,6 +284,7 @@ { struct option opts[] = { {"confdir", 1, 0, 'c'}, + {"clientmax", 1, 0, 'C'}, {"debug", 0, 0, 'd'}, {"eventfile", 1, 0, 'e'}, {"foreground", 0, 0, 'f'}, @@ -275,6 +299,7 @@ }; const char *opts_help[] = { "Set the configuration directory.", /* confdir */ + "Set the limit on non-root socket connections.",/* clientmax */ "Increase debugging level (implies -f).",/* debug */ "Use the specified file for events.", /* eventfile */ "Run in the foreground.", /* foreground */ @@ -292,7 +317,7 @@ for (;;) { int i; - i = getopt_long(*argc, *argv, "c:de:fg:l:m:s:Svh", opts, NULL); + i = getopt_long(*argc, *argv, "c:C:de:fg:l:m:s:Svh", opts, NULL); if (i == -1) { break; } @@ -300,6 +325,9 @@ case 'c': confdir = optarg; break; + case 'C': + clientmax = strtol(optarg, NULL, 0); + break; case 'd': foreground = 1; acpid_debug++; @@ -433,11 +461,17 @@ } static void -clean_exit(int sig) +clean_exit_with_status(int status) { acpid_cleanup_rules(); acpid_log("exiting\n"); - exit(EXIT_SUCCESS); + exit(status); +} + +static void +clean_exit(int sig __attribute__((unused))) +{ + clean_exit_with_status(EXIT_SUCCESS); } static void diff -u acpid-1.0.4/event.c acpid-1.0.4/event.c --- acpid-1.0.4/event.c +++ acpid-1.0.4/event.c @@ -22,6 +22,7 @@ #include #include #include +#include #include #include #include @@ -35,6 +36,7 @@ #include #include "acpid.h" +#include "ud_socket.h" /* * What is a rule? It's polymorphic, pretty much. @@ -443,6 +445,54 @@ free(r); } +static int +client_is_dead(int fd) +{ + struct pollfd pfd; + int r; + + /* check the fd to see if it is dead */ + pfd.fd = fd; + pfd.events = POLLERR | POLLHUP; + r = poll(&pfd, 1, 0); + + if (r < 0) { + acpid_log("poll(): %s\n", strerror(errno)); + return 0; + } + + return pfd.revents; +} + +void +acpid_close_dead_clients(void) +{ + struct rule *p; + + lock_rules(); + + /* scan our client list */ + p = client_list.head; + while (p) { + struct rule *next = p->next; + if (client_is_dead(p->action.fd)) { + struct ucred cred; + /* closed */ + acpid_log("client %s has disconnected\n", p->origin); + delist_rule(&client_list, p); + ud_get_peercred(p->action.fd, &cred); + if (cred.uid != 0) { + non_root_clients--; + } + close(p->action.fd); + free_rule(p); + } + p = next; + } + + unlock_rules(); +} + /* * the main hook for propogating events */ @@ -593,9 +643,14 @@ r = safe_write(client, event, strlen(event)); if (r < 0 && errno == EPIPE) { + struct ucred cred; /* closed */ acpid_log("client has disconnected\n"); delist_rule(&client_list, rule); + ud_get_peercred(rule->action.fd, &cred); + if (cred.uid != 0) { + non_root_clients--; + } return -1; } safe_write(client, "\n", 1); diff -u acpid-1.0.4/ud_socket.c acpid-1.0.4/ud_socket.c --- acpid-1.0.4/ud_socket.c +++ acpid-1.0.4/ud_socket.c @@ -105,0 +106,7 @@ +int +ud_get_peercred(int fd, struct ucred *cred) +{ + socklen_t len = sizeof(struct ucred); + getsockopt(fd, SOL_SOCKET, SO_PEERCRED, cred, &len); + return 0; +} diff -u acpid-1.0.4/debian/control acpid-1.0.4/debian/control --- acpid-1.0.4/debian/control +++ acpid-1.0.4/debian/control @@ -2,6 +2,7 @@ Section: admin Priority: optional Maintainer: Cajus Pollmeier +Uploaders: Michael Meskes Standards-Version: 3.6.2 Build-Depends: debhelper (>= 4.1.16) diff -u acpid-1.0.4/debian/changelog acpid-1.0.4/debian/changelog --- acpid-1.0.4/debian/changelog +++ acpid-1.0.4/debian/changelog @@ -1,3 +1,9 @@ +acpid (1.0.4-5etch1) oldstable-security; urgency=high + + * Added upstream's patch to fix CVE-2009-0798 + + -- Michael Meskes Wed, 29 Apr 2009 12:26:56 +0200 + acpid (1.0.4-5) unstable; urgency=low * Fixed problem with logrotate and Xorg where the /proc/acpi/events gets only in patch2: unchanged: --- acpid-1.0.4.orig/acpid.h +++ acpid-1.0.4/acpid.h @@ -34,6 +34,7 @@ #define ACPI_LOGFILE "/var/log/acpid" #define ACPI_SOCKETFILE "/var/run/acpid.socket" #define ACPI_SOCKETMODE 0666 +#define ACPID_CLIENTMAX 256 #define ACPI_MAX_ERRS 5 #define PACKAGE "acpid" @@ -42,6 +43,7 @@ * acpid.c */ extern int acpid_debug; +extern int non_root_clients; extern int acpid_log(const char *fmt, ...); /* @@ -51,5 +53,6 @@ extern int acpid_add_client(int client, const char *origin); extern int acpid_cleanup_rules(void); extern int acpid_handle_event(const char *event); +extern void acpid_close_dead_clients(void); #endif /* ACPID_H__ */ only in patch2: unchanged: --- acpid-1.0.4.orig/ud_socket.h +++ acpid-1.0.4/ud_socket.h @@ -1,5 +1,5 @@ /* - *$Id: ud_socket.h,v 1.2 2003/11/17 21:24:58 sunthockin Exp $ + *$Id: ud_socket.h,v 1.3 2009/04/22 18:22:28 thockin Exp $ */ #ifndef UD_SOCKET_H__ @@ -11,5 +11,6 @@ int ud_create_socket(const char *name); int ud_accept(int sock, struct ucred *cred); int ud_connect(const char *name); +int ud_get_peercred(int fd, struct ucred *cred); #endif