From a2959aa768261dee3a280f5330a57a15f86c07d5 Mon Sep 17 00:00:00 2001
From: Jon Trulson <jon@radscan.com>
Date: Sat, 26 May 2012 18:57:11 -0600
Subject: [PATCH] dtspcd: fix symlink vulnerability, a couple warnings

---
 cde/programs/dtspcd/main.c | 21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)

diff --git a/cde/programs/dtspcd/main.c b/cde/programs/dtspcd/main.c
index 7b49d2b6..729a5198 100644
--- a/cde/programs/dtspcd/main.c
+++ b/cde/programs/dtspcd/main.c
@@ -151,7 +151,7 @@ XeChar HomeDir[MAXPATHLEN + 6];
 XeChar ShellDir[MAXPATHLEN + 7];
 XeString *default_environment;
 
-int client_validated=NULL;
+int client_validated=0;
 int SPCD_Abort_Okay = FALSE;
 
 SPC_Connection_Ptr client_connection;
@@ -185,7 +185,7 @@ static int exit_timeout = SPCD_DEFAULT_TIMEOUT;
 static int request_pending = SPCD_NO_REQUEST_PENDING;
 
 /*----------------------------------------------------------------------+*/
-int main(unsigned int argc, XeString *argv)
+int main(int argc, XeString *argv)
 /*----------------------------------------------------------------------+*/
 {
   /* Parse the command line and set globals accordingly. */
@@ -647,9 +647,12 @@ int Client_Register(protocol_request_ptr prot)
   /* file in the temp directory?		        */
 
   if(lstat(tmpfile, &buf)==ERROR) {
+    int terrno = errno;
     SPC_Write_Protocol_Request(client_connection, NULL, LOGFILE_REPLY,
 			       FAILED_FILE_NAME, NULL, NULL);
-    SPC_Format_Log("+++> FAILURE: stat authentication file '%s'.", tmpfile);
+    SPC_Format_Log("+++> FAILURE: lstat authentication file '%s'.", tmpfile);
+    SPC_Format_Log("+++> FAILURE: lstat() returned error '%s'\n", 
+                   strerror(terrno));
     if (free_netfile)
       tt_free(netfile);
     XeFree(tmpfile);
@@ -657,6 +660,18 @@ int Client_Register(protocol_request_ptr prot)
     return(SPC_ERROR);
   }
 
+  if (S_ISLNK(buf.st_mode))
+    {				/* somebody is jerkin us around */
+      SPC_Write_Protocol_Request(client_connection, NULL, LOGFILE_REPLY,
+                                 FAILED_FILE_NAME, NULL, NULL);
+      SPC_Format_Log("+++> FAILURE: lstat authentication file '%s' is a symlink! Possible compromise attempt.", tmpfile);
+      if (free_netfile)
+        tt_free(netfile);
+      XeFree(tmpfile);
+      SPC_Error(SPC_Bad_Authentication);
+      return(SPC_ERROR);
+    }
+
   /*
    * If the file does not have the setuid bit set then return failure.
    *
-- 
2.25.1