Fix CVE-2011-1496

Fixes rhbz #693824

sources

@@ -1,2 +1 @@
-96e60cb206de2db0610b9fb6a64c2251  tmux-1.3.tar.gz
 0bfc7dd9a5bab192406167589c716a21  tmux-1.4.tar.gz

tmux-1.0-02_fix_wrong_location.diff

@@ -1,5 +1,6 @@
---- GNUmakefile.orig	2010-07-19 06:52:17.485212178 +0200
+# correct directory /usr/local 
-+++ GNUmakefile	2010-07-19 06:53:20.685214123 +0200
+--- a/GNUmakefile
++++ b/GNUmakefile
 @@ -23,7 +23,7 @@
  
  CC?= cc
@@ -14,7 +15,7 @@
  endif
  
 -PREFIX?= /usr/local
-+PREFIX?= /usr
++PREFIX?= /usr/
  INSTALL?= install
  INSTALLDIR= $(INSTALL) -d
  INSTALLBIN= $(INSTALL) -m 555
@@ -24,12 +25,12 @@
  		$(INSTALLBIN) tmux $(DESTDIR)$(PREFIX)/bin/tmux
 -		$(INSTALLDIR) $(DESTDIR)$(PREFIX)/man/man1
 -		$(INSTALLMAN) tmux.1 $(DESTDIR)$(PREFIX)/man/man1/tmux.1
-+		$(INSTALLDIR) $(DESTDIR)$(PREFIX)/share/man/man1
++		$(INSTALLDIR) $(DESTDIR)$(PREFIX)share/man/man1
-+		$(INSTALLMAN) tmux.1 $(DESTDIR)$(PREFIX)/share/man/man1/tmux.1
++		$(INSTALLMAN) tmux.1 $(DESTDIR)$(PREFIX)share/man/man1/tmux.1
  
  -include .depend
---- Makefile.orig	2010-07-19 06:53:30.745213504 +0200
+--- a/Makefile
-+++ Makefile	2010-07-19 06:54:13.637338721 +0200
++++ b/Makefile
 @@ -24,7 +24,7 @@
  
  CC?= cc
@@ -44,7 +45,7 @@
  .endif
  
 -PREFIX?= /usr/local
-+PREFIX?= /usr
++PREFIX?= /usr/
  INSTALL?= install
  INSTALLDIR= ${INSTALL} -d
  INSTALLBIN= ${INSTALL} -m 555

tmux-1.0-03_proper_socket_handling.diff

@@ -1,7 +1,16 @@
---- GNUmakefile.orig	2010-07-19 07:05:09.757213641 +0200
+# setting /usr/bin/tmux with sgid and proper location of socket
-+++ GNUmakefile	2010-07-19 07:05:46.795213926 +0200
+---
+# GNUmakefile |    2 +-
+# Makefile    |    2 +-
+# compat.h    |    2 +-
+# tmux.1      |    6 +++---
+# tmux.c      |    2 +-
+# 5 files changed, 7 insertions(+), 7 deletions(-)
+#
+--- a/GNUmakefile
++++ b/GNUmakefile
 @@ -54,7 +54,7 @@
- PREFIX?= /usr
+ PREFIX?= /usr/
  INSTALL?= install
  INSTALLDIR= $(INSTALL) -d
 -INSTALLBIN= $(INSTALL) -m 555
@@ -9,14 +18,58 @@
  INSTALLMAN= $(INSTALL) -m 444
  
  SRCS= $(shell echo *.c|LC_ALL=C sed 's|osdep-[a-z0-9]*.c||g')
---- Makefile.orig	2010-07-19 07:05:13.812244029 +0200
+--- a/Makefile
-+++ Makefile	2010-07-19 07:06:01.826338894 +0200
++++ b/Makefile
 @@ -50,7 +50,7 @@
- PREFIX?= /usr
+ PREFIX?= /usr/
  INSTALL?= install
  INSTALLDIR= ${INSTALL} -d
 -INSTALLBIN= ${INSTALL} -m 555
-+INSTALLBIN= ${INSTALL} -g tmux -o root -m 2755
++INSTALLBIN= $(INSTALL) -g tmux -o root -m 2755
  INSTALLMAN= ${INSTALL} -m 444
  
  SRCS!= echo *.c|LC_ALL=C sed 's|osdep-[a-z0-9]*.c||g'
+--- a/compat.h
++++ b/compat.h
+@@ -25,7 +25,7 @@
+ 
+ #ifndef HAVE_PATHS_H
+ #define	_PATH_BSHELL	"/bin/sh"
+-#define	_PATH_TMP	"/tmp/"
++#define _PATH_VARRUN    "/var/run/"
+ #define _PATH_DEVNULL	"/dev/null"
+ #define _PATH_TTY	"/dev/tty"
+ #define _PATH_DEV	"/dev/"
+--- a/tmux.c
++++ b/tmux.c
+@@ -188,7 +188,7 @@
+ 	u_int		uid;
+ 
+ 	uid = getuid();
+-	xsnprintf(base, MAXPATHLEN, "%s/tmux-%d", _PATH_TMP, uid);
++	xsnprintf(base, MAXPATHLEN, "%s/%s/%s-%d", _PATH_VARRUN, __progname, __progname, uid);
+ 
+ 	if (mkdir(base, S_IRWXU) != 0 && errno != EEXIST)
+ 		return (NULL);
+--- a/tmux.1
++++ b/tmux.1
+@@ -89,8 +89,8 @@
+ and all sessions are managed by a single
+ .Em server .
+ The server and each client are separate processes which communicate through a
+-socket in
+-.Pa /tmp .
++socket in a directory under
++.Pa /var/run/tmux .
+ .Pp
+ The options are as follows:
+ .Bl -tag -width "XXXXXXXXXXXX"
+@@ -134,7 +134,7 @@
+ .It Fl L Ar socket-name
+ .Nm
+ stores the server socket in a directory under
+-.Pa /tmp ;
++.Pa /var/run/tmux ;
+ the default socket is named
+ .Em default .
+ This option allows a different socket name to be specified, allowing several

tmux-1.0-04_dropping_unnecessary_privileges.diff

@@ -1,24 +1,26 @@
---- tmux.c.orig	2010-07-19 07:07:06.311243142 +0200
+# using setresgid() for safely dropping utmp group membership which were needed
-+++ tmux.c	2010-07-19 07:08:54.969213735 +0200
+# for makesocketpath() to create the user directory under /var/run/tmux which is
-@@ -185,9 +185,10 @@
+# only writeable for processes that have setgid utmp.
- {
+--- a/tmux.c
- 	char		base[MAXPATHLEN], *path;
++++ b/tmux.c
- 	struct stat	sb;
+@@ -235,6 +235,7 @@
--	u_int		uid;
+ 	struct keylist	*keylist;
-+	u_int		uid,gid;
+ 	char		*s, *path, *label, *home, **var;
+ 	int	 	 opt, flags, quiet, keys;
++	u_int		gid;
  
- 	uid = getuid();
+ #if defined(DEBUG) && defined(__OpenBSD__)
-+    gid = getgid();
+ 	malloc_options = (char *) "AFGJPX";
- 	xsnprintf(base, MAXPATHLEN, "%s/tmux-%d", _PATH_TMP, uid);
+@@ -483,6 +484,12 @@
- 
- 	if (mkdir(base, S_IRWXU) != 0 && errno != EEXIST)
-@@ -203,6 +204,9 @@
- 		errno = EACCES;
- 		return (NULL);
  			}
-+    /* drop unnecessary privileges */
+ 		}
+ 	}
++	gid = getgid();
++	/* drop unnecessary privileges which were needed for makesocketpath() 
++	 * to create the user directory under /var/run/tmux which is only 
++	 * writeable for processes that have setgid utmp. */
 + 	if (setresgid(gid, gid, gid) != 0)
 + 		return (NULL);
- 
+ 	if (label != NULL)
- 	xasprintf(&path, "%s/%s", base, label);
+ 		xfree(label);
- 	return (path);
+ 	if (realpath(path, socket_path) == NULL)

tmux.spec

@@ -1,6 +1,6 @@
 Name:           tmux
 Version:        1.4
-Release:        2%{?dist}
+Release:        3%{?dist}
 Summary:        A terminal multiplexer
 
 Group:          Applications/System
@@ -33,9 +33,9 @@ as GNU Screen.
 
 %prep
 %setup -q
-%patch0 -p0 -b .location
+%patch0 -p1 -b .location
-%patch1 -p0 -b .sockethandling
+%patch1 -p1 -b .sockethandling
-%patch2 -p0 -b .dropprivs
+%patch2 -p1 -b .dropprivs
 %patch3 -p1 -b .writehard
 
 %build
@@ -63,6 +63,10 @@ getent group tmux >/dev/null || groupadd -r tmux
 %attr(775,root,tmux) %{_localstatedir}/run/tmux
 
 %changelog
+* Sun Apr 10 2011 Sven Lankes <sven@lank.es> 1.4-3
+- Fix CVE-2011-1496
+- Fixes rhbz #693824
+
 * Wed Feb 09 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.4-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild