Submitted By: Ken Moffat Date: 2009-04-26 Initial Package Version: 085-114 or later Upstream Status: From upstream, commit e86a923d508c2aed371cdd958ce82489cf2ab615 backported by SUSE Origin: Scott James Remnant Description: This fixes CVE-2009-1185 (netlink messages can be received from local users, allowing privilege escalation). From the heading, I assume this will apply to at least 085 to 114. Note that CVE-2009-1186 appears not to be relevant to these old versions of udev - the code is not present. Index: udev-085/udevd.c ================================================================================ --- udev-114/udevd.c +++ udev-114/udevd.c @@ -722,16 +722,31 @@ struct udevd_uevent_msg *msg; int bufpos; ssize_t size; + struct sockaddr_nl snl; + struct msghdr smsg; + struct iovec iov; static char buffer[UEVENT_BUFFER_SIZE+512]; char *pos; - size = recv(uevent_netlink_sock, &buffer, sizeof(buffer), 0); + iov.iov_base = buffer; + iov.iov_len = sizeof(buffer); + smsg.msg_name = &snl; + smsg.msg_namelen = sizeof(struct sockaddr_nl); + smsg.msg_iov = &iov; + smsg.msg_iovlen = 1; + size = recvmsg(uevent_netlink_sock, &smsg, 0); if (size < 0) { if (errno != EINTR) err("unable to receive kernel netlink message: %s", strerror(errno)); return NULL; } + if ((snl.nl_groups != 1) || (snl.nl_pid != 0)) { + info("ignored netlink message from invalid group/sender %d/%d\n", + snl.nl_groups, snl.nl_pid); + return NULL; + } + if ((size_t)size > sizeof(buffer)-1) size = sizeof(buffer)-1; buffer[size] = '\0';