I'd like to request CVE ids for the following issues in lighttpd: 1. setuid/setgid/setgroups return values are not checked If setuid() fails for any reason (RLIMIT_NPROC) lighttpd runs as root. http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_02.txt 2. If FAMMonitorDirectory fails, lighttpd reads a value from already free()d memory. http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_03.txt Both issues were found with clang static analyzer, so I assume the bad guys already know these. regards, Stefan commit d22f4164a9e26c252e1874a29ba658eec85a3ddc Author: Stefan Bhler <stbuehler@web.de> Date: Sun Nov 10 19:00:08 2013 +0100 [core] check success of setuid,setgid,setgroups diff --git a/src/server.c b/src/server.c index 2d825bb..e2b42eb 100644 --- a/src/server.c +++ b/src/server.c @@ -820,8 +820,14 @@ int main (int argc, char **argv) { * to /etc/group * */ if (NULL != grp) { - setgid(grp->gr_gid); - setgroups(0, NULL); + if (-1 == setgid(grp->gr_gid)) { + log_error_write(srv, __FILE__, __LINE__, "ss", "setgid failed: ", strerror(errno)); + return -1; + } + if (-1 == setgroups(0, NULL)) { + log_error_write(srv, __FILE__, __LINE__, "ss", "setgroups failed: ", strerror(errno)); + return -1; + } if (srv->srvconf.username->used) { initgroups(srv->srvconf.username->ptr, grp->gr_gid); } @@ -844,7 +850,10 @@ int main (int argc, char **argv) { #ifdef HAVE_PWD_H /* drop root privs */ if (NULL != pwd) { - setuid(pwd->pw_uid); + if (-1 == setuid(pwd->pw_uid)) { + log_error_write(srv, __FILE__, __LINE__, "ss", "setuid failed: ", strerror(errno)); + return -1; + } } #endif #if defined(HAVE_SYS_PRCTL_H) && defined(PR_SET_DUMPABLE)