Bug#566351: libgcrypt11: should not change user id as a side effect

Andreas Metzler ametzler at downhill.at.eu.org
Sat Nov 3 18:29:22 CET 2012 

On 2010-01-23 Andreas Metzler <ametzler at downhill.at.eu.org> wrote:
> On 2010-01-23 Ansgar Burchardt <ansgar at 2008.43-1.org> wrote:
> > the function lock_pool from src/secmem.c has the side effect of changing
> > user ids if real uid != effective uid.  This causes strange behaviour in
> > other programs:

> > A program using libnss-ldap for querying group membership with SSL
> > enabled, but without nscd might suddenly change the user id when calling
> > getgroups (or initgroups).  An example for this is the atd daemon[1].

There is very long Ubuntu bug about the issue
<https://bugs.launchpad.net/debian/+source/sudo/+bug/423252>, this
comment sums it up:
<https://bugs.launchpad.net/debian/+source/sudo/+bug/423252/comments/72>

Ubuntu is now shipping libgcrypt with this patch
--------------------------------
+--- a/src/global.c
++++ b/src/global.c
+@@ -445,8 +445,6 @@
+
+     case GCRYCTL_SET_THREAD_CBS:
+       err = ath_install (va_arg (arg_ptr, void *), any_init_done);
+-      if (! err)
+-      global_init ();
+       break;
+
+     case GCRYCTL_FAST_POLL:
--------------------------------

which might be replaced by the following one to fix
<https://bugs.launchpad.net/ubuntu/+source/libgcrypt11/+bug/1013798>.
------------------------------
--- libgcrypt11-1.5.0.orig/src/global.c
+++ libgcrypt11-1.5.0/src/global.c
@@ -370,11 +370,13 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd,
       break;
 
     case GCRYCTL_DISABLE_SECMEM_WARN:
+      global_init ();
       _gcry_secmem_set_flags ((_gcry_secmem_get_flags ()
                               | GCRY_SECMEM_FLAG_NO_WARNING));
       break;
 
     case GCRYCTL_SUSPEND_SECMEM_WARN:
+      global_init ();
       _gcry_secmem_set_flags ((_gcry_secmem_get_flags ()
                               | GCRY_SECMEM_FLAG_SUSPEND_WARNING));
       break;
@@ -445,8 +447,6 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd,
 
     case GCRYCTL_SET_THREAD_CBS:
       err = ath_install (va_arg (arg_ptr, void *), any_init_done);
-      if (! err)
-       global_init ();
       break;
 
     case GCRYCTL_FAST_POLL:
------------------------------

cu andreas

-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'

More information about the Gcrypt-devel mailing list