From: Jarkko Hietaniemi <jhi@iki.fi>
Date: Mon, 7 Aug 2000 15:05:29 +0000 (+0000)
Subject: Plug the security hole described in the Aug 05 2000 bugtraq message
X-Git-Url: http://git.shadowcat.co.uk/gitweb/gitweb.cgi?a=commitdiff_plain;h=9feff13c269d28cf1435d1f62481a5d18a330707;p=p5sagit%2Fp5-mst-13.2.git

Plug the security hole described in the Aug 05 2000 bugtraq message
"sperl 5.00503 (and newer ;) exploit" by Michal Zalewski.
The security hole exists only in suidperls, which isn't
installed or even built by default.

p4raw-id: //depot/perl@6536
---

diff --git a/perl.c b/perl.c
index 969d783..ed8befa 100644
--- a/perl.c
+++ b/perl.c
@@ -2851,6 +2851,7 @@ S_validate_suid(pTHX_ char *validarg, char *scriptname, int fdscript)
 	    if (tmpstatbuf.st_dev != PL_statbuf.st_dev ||
 		tmpstatbuf.st_ino != PL_statbuf.st_ino) {
 		(void)PerlIO_close(PL_rsfp);
+#ifdef MAIL_CAN_BE_USED_SAFELY /* No, it can't.  As of Aug 05 200, there's bugtraq exploit.  */
 		if (PL_rsfp = PerlProc_popen("/bin/mail root","w")) {	/* heh, heh */
 		    PerlIO_printf(PL_rsfp,
 "User %"Uid_t_f" tried to run dev %ld ino %ld in place of dev %ld ino %ld!\n\
@@ -2861,6 +2862,7 @@ S_validate_suid(pTHX_ char *validarg, char *scriptname, int fdscript)
 			PL_statbuf.st_uid, PL_statbuf.st_gid);
 		    (void)PerlProc_pclose(PL_rsfp);
 		}
+#endif
 		Perl_croak(aTHX_ "Permission denied\n");
 	    }
 	    if (