authorcy <cy@FreeBSD.org>2011-01-04 23:50:57 +0800
committercy <cy@FreeBSD.org>2011-01-04 23:50:57 +0800
commit6ff100fdd603fb798ed89dbc43537e66aa88b825 (patch)
tree979f81577a93fa60b7beac5b3189cee56ef2b867 /sysutils
parenta0d18e81408e7169f0a762db795a29a62a641ae7 (diff)
Fix a logfile permissions (security) bug.
Reported by: Robert Blayzor <rblayzor@inoc.net> Obtained from: Peter Czanik <czanik@balabit.hu> (syslog-ng3 upline) Security: yes Feature safe: yes
Diffstat (limited to 'sysutils')
-rw-r--r--sysutils/syslog-ng3/Makefile2
-rw-r--r--sysutils/syslog-ng3/files/patch-lib-misc.c13
-rw-r--r--sysutils/syslog-ng3/files/patch-modules-affile-affile.c34
-rw-r--r--sysutils/syslog-ng3/files/patch-modules-affile-affile.h17
-rw-r--r--sysutils/syslog-ng3/files/patch-modules-afsocket-afunix.c13
-rw-r--r--sysutils/syslog-ng3/files/patch-modules-afsocket-afunix.h13
6 files changed, 91 insertions, 1 deletions
diff --git a/sysutils/syslog-ng3/Makefile b/sysutils/syslog-ng3/Makefile
index 87cba0b3df2a..62cabb23ddeb 100644
--- a/sysutils/syslog-ng3/Makefile
+++ b/sysutils/syslog-ng3/Makefile
@@ -7,7 +7,7 @@
PORTNAME= syslog-ng
PORTVERSION= 3.2.1
-PORTREVISION= 1
+PORTREVISION= 2
CATEGORIES= sysutils
MASTER_SITES= http://www.balabit.com/downloads/files/syslog-ng/sources/$(PORTVERSION)/source/
PKGNAMESUFFIX= 3
diff --git a/sysutils/syslog-ng3/files/patch-lib-misc.c b/sysutils/syslog-ng3/files/patch-lib-misc.c
new file mode 100644
index 000000000000..6a8e536e3193
--- /dev/null
+++ b/sysutils/syslog-ng3/files/patch-lib-misc.c
@@ -0,0 +1,13 @@
+diff --git a/lib/misc.c b/lib/misc.c
+index 91361e0..4aac9e3 100644
+--- lib/misc.c
++++ lib/misc.c
+@@ -411,7 +411,7 @@ create_containing_directory(gchar *name, gint dir_uid, gint dir_gid, gint dir_mo
+ }
+ else if (errno == ENOENT)
+ {
+- if (mkdir(name, (mode_t) dir_mode) == -1)
++ if (mkdir(name, dir_mode < 0 ? 0700 : (mode_t) dir_mode) == -1)
+ return FALSE;
+ saved_caps = g_process_cap_save();
+ g_process_cap_modify(CAP_CHOWN, TRUE);
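Review bot: The non-negative branch of the new `mkdir()` call still casts `dir_mode` straight to `mode_t`, so a value with bits above the permission range is narrowed silently wherever `mode_t` is smaller than `gint`; masking it keeps the request explicit: `if (mkdir(name, dir_mode < 0 ? 0700 : (mode_t) (dir_mode & 07777)) == -1)`. A short comment such as `/* dir_mode < 0: no dir_perm configured, create the directory owner-only */` would also explain the bare `0700`. The mode passed here is still reduced by the process umask. `create_containing_directory()` starts and ends outside this hunk, so how the ownership change that follows treats a negative `dir_mode` cannot be checked from here.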
diff --git a/sysutils/syslog-ng3/files/patch-modules-affile-affile.c b/sysutils/syslog-ng3/files/patch-modules-affile-affile.c
new file mode 100644
index 000000000000..c0b4d6c02610
--- /dev/null
+++ b/sysutils/syslog-ng3/files/patch-modules-affile-affile.c
@@ -0,0 +1,34 @@
+diff --git a/modules/affile/affile.c b/modules/affile/affile.c
+index 7746897..e145324 100644
+--- modules/affile/affile.c
++++ modules/affile/affile.c
+@@ -607,7 +607,7 @@ affile_dd_set_file_gid(LogDriver *s, const gchar *file_gid)
+ }
+
+ void
+-affile_dd_set_file_perm(LogDriver *s, mode_t file_perm)
++affile_dd_set_file_perm(LogDriver *s, gint file_perm)
+ {
+ AFFileDestDriver *self = (AFFileDestDriver *) s;
+
+@@ -643,7 +643,7 @@ affile_dd_set_dir_gid(LogDriver *s, const gchar *dir_gid)
+ }
+
+ void
+-affile_dd_set_dir_perm(LogDriver *s, mode_t dir_perm)
++affile_dd_set_dir_perm(LogDriver *s, gint dir_perm)
+ {
+ AFFileDestDriver *self = (AFFileDestDriver *) s;
+
+@@ -957,9 +957,9 @@ affile_dd_new(gchar *filename, guint32 flags)
+ self->filename_template = log_template_new(configuration, NULL, filename);
+ self->flags = flags;
+ self->file_uid = self->file_gid = -1;
+- self->file_perm = (mode_t) -1;
++ self->file_perm = -1;
+ self->dir_uid = self->dir_gid = -1;
+- self->dir_perm = (mode_t) -1;
++ self->dir_perm = -1;
+ log_writer_options_defaults(&self->writer_options);
+ if (strchr(filename, '$') == NULL)
+ {
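Review bot: The new defaults `self->file_perm = -1;` and `self->dir_perm = -1;` in `affile_dd_new()` only work as an "unset" marker if the `AFFileDestDriver` members are signed, and their declarations are not part of this patch. If they are still `mode_t`, the assignment wraps to an all-ones mode on platforms with an unsigned `mode_t`, and a `< 0` test like the one added in lib/misc.c would never fire. Please confirm the struct declares them as `gint file_perm;` and `gint dir_perm;`. The same question applies to the field written by `afunix_sd_set_perm()` in the afunix.c patch. The bodies of both setters and of `affile_dd_new()` run past the hunks shown.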
diff --git a/sysutils/syslog-ng3/files/patch-modules-affile-affile.h b/sysutils/syslog-ng3/files/patch-modules-affile-affile.h
new file mode 100644
index 000000000000..150a31f08e95
--- /dev/null
+++ b/sysutils/syslog-ng3/files/patch-modules-affile-affile.h
@@ -0,0 +1,17 @@
+diff --git a/modules/affile/affile.h b/modules/affile/affile.h
+index 1c1ff1e..9ec1493 100644
+--- modules/affile/affile.h
++++ modules/affile/affile.h
+@@ -83,10 +83,10 @@ void affile_dd_set_compress(LogDriver *s, gboolean compress);
+ void affile_dd_set_encrypt(LogDriver *s, gboolean enable);
+ void affile_dd_set_file_uid(LogDriver *s, const gchar *file_uid);
+ void affile_dd_set_file_gid(LogDriver *s, const gchar *file_gid);
+-void affile_dd_set_file_perm(LogDriver *s, mode_t file_perm);
++void affile_dd_set_file_perm(LogDriver *s, gint file_perm);
+ void affile_dd_set_dir_uid(LogDriver *s, const gchar *dir_uid);
+ void affile_dd_set_dir_gid(LogDriver *s, const gchar *dir_gid);
+-void affile_dd_set_dir_perm(LogDriver *s, mode_t dir_perm);
++void affile_dd_set_dir_perm(LogDriver *s, gint dir_perm);
+ void affile_dd_set_create_dirs(LogDriver *s, gboolean create_dirs);
+ void affile_dd_set_fsync(LogDriver *s, gboolean enable);
+ void affile_dd_set_overwrite_if_older(LogDriver *s, gint overwrite_if_older);
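Review bot: The prototypes for `affile_dd_set_file_perm()` and `affile_dd_set_dir_perm()` now accept a signed `gint`, but nothing in the header says what a negative value means. Going by the `-1` defaults set in affile.c, it appears to stand for "not configured", so a comment above them would help callers: `/* perm < 0 means unset; otherwise an octal permission mode */`. The same comment would fit `afunix_sd_set_perm()` in afunix.h.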
diff --git a/sysutils/syslog-ng3/files/patch-modules-afsocket-afunix.c b/sysutils/syslog-ng3/files/patch-modules-afsocket-afunix.c
new file mode 100644
index 000000000000..2dc52df82b4f
--- /dev/null
+++ b/sysutils/syslog-ng3/files/patch-modules-afsocket-afunix.c
@@ -0,0 +1,13 @@
+diff --git a/modules/afsocket/afunix.c b/modules/afsocket/afunix.c
+index bf54441..b486b6b 100644
+--- modules/afsocket/afunix.c
++++ modules/afsocket/afunix.c
+@@ -55,7 +55,7 @@ afunix_sd_set_gid(LogDriver *s, gchar *group)
+ }
+
+ void
+-afunix_sd_set_perm(LogDriver *s, mode_t perm)
++afunix_sd_set_perm(LogDriver *s, gint perm)
+ {
+ AFUnixSourceDriver *self = (AFUnixSourceDriver *) s;
+
diff --git a/sysutils/syslog-ng3/files/patch-modules-afsocket-afunix.h b/sysutils/syslog-ng3/files/patch-modules-afsocket-afunix.h
new file mode 100644
index 000000000000..ec059b54e4fc
--- /dev/null
+++ b/sysutils/syslog-ng3/files/patch-modules-afsocket-afunix.h
@@ -0,0 +1,13 @@
+diff --git a/modules/afsocket/afunix.h b/modules/afsocket/afunix.h
+index ddb63bc..fba3e02 100644
+--- modules/afsocket/afunix.h
++++ modules/afsocket/afunix.h
+@@ -40,7 +40,7 @@ typedef struct _AFUnixSourceDriver
+
+ void afunix_sd_set_uid(LogDriver *self, gchar *owner);
+ void afunix_sd_set_gid(LogDriver *self, gchar *group);
+-void afunix_sd_set_perm(LogDriver *self, mode_t perm);
++void afunix_sd_set_perm(LogDriver *self, gint perm);
+
+ LogDriver *afunix_sd_new(gchar *filename, guint32 flags);
+