From proff@profane.iq.org  Sat Jan 25 06:11:07 1997
Received: from profane.iq.org (profane.iq.org [203.4.184.217])
          by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id GAA03530
          for <FreeBSD-gnats-submit@freebsd.org>; Sat, 25 Jan 1997 06:11:01 -0800 (PST)
Received: (from proff@localhost)
          by profane.iq.org (8.8.4/8.8.2) id BAA12216;
          Sun, 26 Jan 1997 01:11:25 +1100 (EST)
Message-Id: <199701251411.BAA12216@profane.iq.org>
Date: Sun, 26 Jan 1997 01:11:25 +1100 (EST)
From: Julian Assange <proff@iq.org>
Reply-To: proff@iq.org
To: FreeBSD-gnats-submit@freebsd.org
Subject: <Synopsis of the problem (one line)> security hole in resolver routines permits limited reads of files as root
X-Send-Pr-Version: 3.2

>Number:         2578
>Category:       bin
>Synopsis:       security hole in resolver routines permits limited reads of files as root
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    imp
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Jan 25 06:20:01 PST 1997
>Closed-Date:    Sun Mar 23 23:12:57 MST 1997
>Last-Modified:  Sun Mar 23 23:13:24 MST 1997
>Originator:     Julian Assange
>Release:        FreeBSD 3.0-CURRENT i386
>Organization:
>Environment:

	

>Description:

	res_query.c will open getenv(HOSTALIAS) and read it in. While it does not
	print invalid lines, the file remains in memory. As some network programs
	setuid(getuid()) after name resolution, the data from this read can be
	got at via examination of the process data space as user.

	

>How-To-Repeat:

	

>Fix:
--- src/lib/libc/net/res_query.c.orig	Sun Jan 26 01:05:40 1997
+++ src/lib/libc/net/res_query.c	Sun Jan 26 01:05:08 1997
@@ -358,6 +358,9 @@
 
 	if (_res.options & RES_NOALIASES)
 		return (NULL);
+	if (getuid() != geteuid() ||
+	    getgid() != getegid())
+		return (NULL);
 	file = getenv("HOSTALIASES");
 	if (file == NULL || (fp = fopen(file, "r")) == NULL)
 		return (NULL);
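Review bot: the new real-vs-effective id test needs a comment and a documentation note; as written, a reader of res_query.c sees HOSTALIASES silently disabled without learning why. Add a one-line comment above the `if` saying that HOSTALIASES is ignored in set-user-ID/set-group-ID processes because the file would otherwise be opened with the elevated credentials and its contents left in the process image, and record the behaviour change in the manual page that documents HOSTALIASES so that users are not surprised when aliases stop working under privileged clients. Placing the check before the `getenv("HOSTALIASES")` call is right (the environment is never consulted in that case); the two-line condition would also fit on one line, matching the `RES_NOALIASES` test just above it.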
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: gnats-admin->freebsd-bugs 
Responsible-Changed-By: fenner 
Responsible-Changed-When: Mon Jan 27 10:31:52 PST 1997 
Responsible-Changed-Why:  
Clean up misfiled PR 
Responsible-Changed-From-To: freebsd-bugs->imp 
Responsible-Changed-By: imp 
Responsible-Changed-When: Sat Feb 8 23:41:53 MST 1997 
Responsible-Changed-Why:  
It's on my list to fix 
State-Changed-From-To: open->closed 
State-Changed-By: imp 
State-Changed-When: Sun Mar 23 23:12:57 MST 1997 
State-Changed-Why:  

fixed in res_query 1.13 
>Unformatted:
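As an added illustration, not part of this PR and not FreeBSD's res_query.c: a small C program that combines the check the patch introduces (real vs. effective user and group ids, taken here as explicit parameters so it can be exercised without a set-user-ID binary) with a parser for alias-file text of the form "alias canonical-name" and a scrub of the line buffer after use, which addresses the memory-residue concern in the description. The function names, the rule that a line must carry exactly two tokens, and the sample alias text are all constructed for this example.

```c
/*
 * Added example (not FreeBSD's res_query.c): a HOSTALIASES-style lookup
 * that refuses the environment-supplied file in set-user-ID/set-group-ID
 * processes and scrubs its line buffer afterwards. Function names and the
 * sample alias text below are constructed for this example.
 */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <sys/types.h>
#include <unistd.h>

#define ALIAS_MAX 256

/* Same test as the PR's fix, but on explicit ids so it can be exercised
 * without actually running set-id: the alias file is honoured only when
 * the real and effective user and group ids all match. */
int hostaliases_permitted(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return ruid == euid && rgid == egid;
}

/* Parse alias text held in memory, one "alias canonical-name" pair per
 * line. Lines that do not carry exactly two tokens are skipped (this is
 * stricter than libc; it is a choice made for this example). Returns 1 and
 * copies the canonical name into out when name matches an alias
 * (case-insensitively), 0 when nothing matches. */
int hostalias_lookup(const char *text, const char *name, char *out, size_t outlen)
{
    char line[ALIAS_MAX];
    int found = 0;
    const char *p = text;

    while (*p != '\0' && !found) {
        size_t n = strcspn(p, "\n");
        if (n >= sizeof(line)) {        /* overlong line: skip it whole */
            p += n;
            if (*p != '\0') p++;
            continue;
        }
        memcpy(line, p, n);
        line[n] = '\0';
        p += n;
        if (*p == '\n') p++;

        char *save = NULL;
        char *alias  = strtok_r(line, " \t", &save);
        char *target = alias  ? strtok_r(NULL, " \t", &save) : NULL;
        char *extra  = target ? strtok_r(NULL, " \t", &save) : NULL;
        if (alias == NULL || target == NULL || extra != NULL || alias[0] == '#')
            continue;
        if (strcasecmp(alias, name) == 0 && strlen(target) < outlen) {
            strcpy(out, target);
            found = 1;
        }
    }
    /* Scrub the buffer through a volatile pointer so the clearing is not
     * optimised away: the PR's point is file data left in process memory. */
    volatile char *v = line;
    for (size_t i = 0; i < sizeof(line); i++)
        v[i] = 0;
    return found;
}

/* Guarded entry point: consult the process's own ids first. Returns -1 when
 * the alias file must be ignored, otherwise the lookup result. */
int guarded_hostalias_lookup(const char *text, const char *name, char *out, size_t outlen)
{
    if (!hostaliases_permitted(getuid(), geteuid(), getgid(), getegid()))
        return -1;
    return hostalias_lookup(text, name, out, outlen);
}

/* Constructed sample alias text: two valid lines, a comment, a line with
 * one token and a line with three tokens. */
const char SAMPLE_ALIASES[] =
    "www  www.example.org\n"
    "# not a real entry\n"
    "malformed\n"
    "mail mail.example.org extra\n"
    "ftp\tftp.example.org\n";

int main(void)
{
    char canonical[ALIAS_MAX];
    int rc = guarded_hostalias_lookup(SAMPLE_ALIASES, "WWW", canonical, sizeof(canonical));
    if (rc == 1)
        printf("www -> %s\n", canonical);
    else if (rc == 0)
        printf("no alias for www\n");
    else
        printf("alias file ignored: real and effective ids differ\n");
    return 0;
}
```

When run as an ordinary, non-set-id process the program prints `www -> www.example.org`; in a set-user-ID or set-group-ID process `guarded_hostalias_lookup` returns -1 before any file or environment access, which is the ordering the patch establishes.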
