oss-sec mailing list archives

qmail: short/int vs. gid_t


From: Qualys Security Advisory <qsa () qualys com>
Date: Tue, 19 May 2020 10:25:25 -0700

Hi all,

While discussing the qmail vulnerabilities on distros@openwall, we also
discussed the following issue (which exists in qmail and in related
software such as checkpassword):

On Thu, May 07, 2020 at 05:39:18PM +0200, Solar Designer wrote:
BTW, how about this piece in qmail 1.03? -

/* XXX: there are more portability problems here waiting to leap out at me */

int prot_gid(gid) int gid;
{
#ifdef HASSHORTSETGROUPS
  short x[2];
  x[0] = gid; x[1] = 73; /* catch errors */
  if (setgroups(1,x) == -1) return -1;
#else
  if (setgroups(1,&gid) == -1) return -1;
#endif
  return setgid(gid); /* _should_ be redundant, but on some systems it isn't */
}

As you can see, this tries to work around ancient systems where the size
of groups array elements might not be reliably known.  However, notice
that none of the compile-time options uses gid_t.  If the size of gid_t
doesn't match either "short" or "int" (whichever is chosen at compile
time above), this might set a wrong supplementary group, especially on
big-endian architectures.

The workaround with setting two groups array elements is rather common -
I used that one myself - but it's only safe on modern systems when used
along with gid_t (so the extra element is guaranteed to be ignored when
the workaround is unneeded).

You might want to check how this function changed(?) in currently
maintained qmail forks, and suggest they use gid_t if not already.

I guess original qmail didn't use gid_t so that it'd build on systems
that don't define this type.  Supporting those systems should be
unneeded now.

The developers of notqmail have been working on a fix for this issue:

    https://github.com/notqmail/notqmail/pull/72

Thank you very much!

With best regards,

--
the Qualys Security Advisory team
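Added example (not code from qmail, notqmail, Qualys or the quoted message):
the C below simulates what a kernel whose gid_t is N bytes wide takes as
groups[0] when user space hands it the buffers prot_gid() builds in each of
its two branches, versus a buffer of gid_t elements. It assumes a 16-bit
short and a 32-bit int, keeps the 73 sentinel from the original, and uses
gid 1000 as a constructed sample value; first_element() is a hypothetical
stand-in for the kernel's copy of groups[0], and prot_gid_fixed() is one
possible gid_t-based rewrite, not the notqmail patch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>
#include <grp.h>

/* 1 on a big-endian host, 0 on a little-endian one. */
int host_is_big_endian(void) {
    uint16_t probe = 1;
    unsigned char b;
    memcpy(&b, &probe, 1);
    return b == 0;
}

/* Hypothetical model of the kernel side of setgroups(): read the first
 * `kernel_gid_size` bytes of `buf` as one unsigned integer in host byte
 * order, i.e. what a kernel with a gid_t of that width takes as groups[0].
 * Only 2- and 4-byte widths are modelled because the qmail buffers below
 * are exactly 4 bytes long; anything else returns UINT64_MAX. */
uint64_t first_element(const void *buf, size_t kernel_gid_size) {
    uint16_t v16;
    uint32_t v32;
    switch (kernel_gid_size) {
    case 2: memcpy(&v16, buf, 2); return v16;
    case 4: memcpy(&v32, buf, 4); return v32;
    default: return UINT64_MAX;
    }
}

/* qmail 1.03, HASSHORTSETGROUPS branch: short x[2] = { gid, 73 }. */
uint64_t seen_short_branch(int gid, size_t kernel_gid_size) {
    short x[2];
    x[0] = (short)gid; x[1] = 73; /* sentinel kept from the original */
    return first_element(x, kernel_gid_size);
}

/* qmail 1.03, #else branch: setgroups(1, &gid) with a plain int. */
uint64_t seen_int_branch(int gid, size_t kernel_gid_size) {
    return first_element(&gid, kernel_gid_size);
}

/* Two-element workaround done with gid_t: the element width now matches
 * the kernel's by construction, so the sentinel is simply ignored. */
uint64_t seen_gid_t_branch(gid_t gid) {
    gid_t x[2];
    x[0] = gid; x[1] = 73;
    return first_element(x, sizeof(gid_t));
}

/* One possible gid_t-based prot_gid(); needs privilege to succeed. */
int prot_gid_fixed(gid_t gid) {
    gid_t x[2];
    x[0] = gid; x[1] = 73; /* catch errors, as in the original */
    if (setgroups(1, x) == -1) return -1;
    return setgid(gid); /* still kept, as in the original */
}

int main(void) {
    printf("short[2] buffer, 4-byte gid_t: kernel sees group %llu, not 1000\n",
           (unsigned long long)seen_short_branch(1000, 4));
    printf("int buffer, 2-byte gid_t:      kernel sees group %llu, not 1000\n",
           (unsigned long long)seen_int_branch(1000, 2));
    printf("gid_t[2] buffer:               kernel sees group %llu\n",
           (unsigned long long)seen_gid_t_branch(1000));
    return 0;
}
```

With a 4-byte kernel gid_t the short[2] buffer yields 73*65536+1000 on a
little-endian host and 1000*65536+73 on a big-endian one; with a 2-byte
kernel gid_t the int buffer yields 1000 on little-endian but 0 on
big-endian, which is the case Solar Designer's remark about big-endian
architectures points at. The gid_t[2] buffer yields 1000 regardless.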

