Package: mailman / 1:2.1.18-2+deb8u2

10_wrapper_uid.patch Patch series | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
Author: Tollef Fog Heen <tfheen@debian.org>
Description: Makes sure we're called with the right UID and GID (Closes: #36010, #89564, #89848, 89818)
Bug-Debian: #36010, #89564, #89848, 89818
Forwarded: no

Index: b/src/cgi-wrapper.c
===================================================================
--- a/src/cgi-wrapper.c	2012-05-20 14:21:35.746868411 +0200
+++ b/src/cgi-wrapper.c	2012-05-20 14:21:39.958889298 +0200
@@ -42,7 +42,8 @@
         char* fake_argv[3];
 
         running_as_cgi = 1;
-        check_caller(logident, parentgroup);
+        if (getgid() >= 100 && getgid() != 65534)
+                check_caller(logident, parentgroup);
 
         /* For these CGI programs, we can ignore argc and argv since they
          * don't contain anything useful.  `script' will always be the driver
Index: b/src/mail-wrapper.c
===================================================================
--- a/src/mail-wrapper.c	2012-05-20 14:21:35.746868411 +0200
+++ b/src/mail-wrapper.c	2012-05-20 14:21:39.958889298 +0200
@@ -74,7 +74,8 @@
                 fatal(logident, MAIL_ILLEGAL_COMMAND,
                       "Illegal command: %s", argv[1]);
 
-        check_caller(logident, parentgroup);
+        if (getgid() >= 100 && getgid() != 65534)
+                check_caller(logident, parentgroup);
 
         /* If we got here, everything must be OK */
         status = run_script(argv[1], argc, argv, env);