new file mode 100644

@@ -0,0 +1,189 @@

+diff -Naur a/keepalived/core/pidfile.c b/keepalived/core/pidfile.c

+--- a/keepalived/core/pidfile.c	2019-02-15 01:01:32.886542487 +0530

+@@ -54,7 +54,7 @@

+ pidfile_write(const char *pid_file, int pid)

+ {

+ 	FILE *pidfile = NULL;

+-	int pidfd = creat(pid_file, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);

++        int pidfd = open(pid_file, O_NOFOLLOW | O_CREAT | O_WRONLY | O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);

+ 	if (pidfd != -1) pidfile = fdopen(pidfd, "w");

+ 

+ 	if (!pidfile) {

+diff -Naur a/keepalived/vrrp/vrrp_dbus.c b/keepalived/vrrp/vrrp_dbus.c

+--- a/keepalived/vrrp/vrrp_dbus.c	2019-02-15 01:01:32.886542487 +0530

+@@ -551,7 +551,7 @@

+ 	size_t length;

+ 	gchar *ret = NULL;

+ 

+-	f = fopen(filepath, "rb");

++	f = fopen(filepath, "r");

+ 	if (f) {

+ 		fseek(f, 0, SEEK_END);

+ 		length = (size_t)ftell(f);

+diff -Naur a/keepalived/vrrp/vrrp_print.c b/keepalived/vrrp/vrrp_print.c

+--- a/keepalived/vrrp/vrrp_print.c	2019-02-15 01:01:32.886542487 +0530

+@@ -34,6 +34,7 @@

+ #include "keepalived_netlink.h"

+ #include "rttables.h"

+ #include "logger.h"

++#include "utils.h"

+ 

+ #include <time.h>

+ #include <errno.h>

+@@ -350,7 +351,7 @@

+ vrrp_print_data(void)

+ {

+ 	FILE *file;

+-	file = fopen ("/tmp/keepalived.data","w");

++	file = fopen_safe("/tmp/keepalived.data","w");

+ 

+ 	if (!file) {

+ 		log_message(LOG_INFO, "Can't open /tmp/keepalived.data (%d: %s)",

+@@ -374,7 +375,9 @@

+ vrrp_print_stats(void)

+ {

+ 	FILE *file;

+-	file = fopen ("/tmp/keepalived.stats","w");

++	file = fopen_safe("/tmp/keepalived.stats","w");

++	element e;

++	vrrp_t *vrrp;

+ 

+ 	if (!file) {

+ 		log_message(LOG_INFO, "Can't open /tmp/keepalived.stats (%d: %s)",

+@@ -382,19 +385,13 @@

+ 		return;

+ 	}

+ 

+-	list l = vrrp_data->vrrp;

+-	element e;

+-	vrrp_t *vrrp;

+-

+-	for (e = LIST_HEAD(l); e; ELEMENT_NEXT(e)) {

+-		vrrp = ELEMENT_DATA(e);

++	LIST_FOREACH(vrrp_data->vrrp, vrrp, e) {

+ 		fprintf(file, "VRRP Instance: %s\n", vrrp->iname);

+ 		fprintf(file, "  Advertisements:\n");

+ 		fprintf(file, "    Received: %" PRIu64 "\n", vrrp->stats->advert_rcvd);

+ 		fprintf(file, "    Sent: %d\n", vrrp->stats->advert_sent);

+ 		fprintf(file, "  Became master: %d\n", vrrp->stats->become_master);

+-		fprintf(file, "  Released master: %d\n",

+-			vrrp->stats->release_master);

++                fprintf(file, "  Released master: %d\n", vrrp->stats->release_master);

+ 		fprintf(file, "  Packet Errors:\n");

+ 		fprintf(file, "    Length: %" PRIu64 "\n", vrrp->stats->packet_len_err);

+ 		fprintf(file, "    TTL: %" PRIu64 "\n", vrrp->stats->ip_ttl_err);

+diff -Naur a/lib/list.h b/lib/list.h

+--- a/lib/list.h	2019-02-15 01:01:55.538543574 +0530

+@@ -51,6 +51,7 @@

+ #define LIST_ISEMPTY(L)		((L) == NULL || ((L)->head == NULL && (L)->tail == NULL))

+ #define LIST_EXISTS(L)		((L) != NULL)

+ #define LIST_SIZE(V)		((V)->count)

++#define LIST_FOREACH(L,V,E)     for ((E) = ((L) ? LIST_HEAD(L) : NULL); (E) && ((V) = ELEMENT_DATA(E), 1); ELEMENT_NEXT(E))

+ 

+ /* Prototypes */

+ extern list alloc_list(void (*free_func) (void *), void (*dump_func) (void *));

+diff -Naur a/lib/memory.c b/lib/memory.c

+--- a/lib/memory.c	2019-02-15 01:01:55.538543574 +0530

+@@ -441,7 +441,7 @@

+ 	}

+ 

+ 	snprintf(log_name, log_name_len, "/tmp/%s_mem.%d.log", prog_name, getpid());

+-	log_op = fopen(log_name, "a");

++	log_op = fopen_safe(log_name, "a");

+ 	if (log_op == NULL) {

+ 		log_message(LOG_INFO, "Unable to open %s for appending", log_name);

+ 		log_op = stderr;

+diff -Naur a/lib/parser.c b/lib/parser.c

+--- a/lib/parser.c	2019-02-15 01:01:55.538543574 +0530

+@@ -153,12 +153,12 @@

+ {

+ 	unsigned int i;

+ 	keyword_t *keyword_vec;

+-	char file_name[21];

++	char file_name[22];

+ 

+ 	if (!level) {

+ 		sprintf(file_name, "/tmp/keywords.%d", getpid());

+ 		snprintf(file_name, sizeof(file_name), "/tmp/keywords.%d", getpid());

+-		fp = fopen(file_name, "w");

++		fp = fopen_safe(file_name, "w");

+ 		if (!fp)

+ 			return;

+ 	}

+diff -Naur a/lib/utils.c b/lib/utils.c

+--- a/lib/utils.c	2019-02-15 01:01:55.538543574 +0530

+@@ -89,7 +89,7 @@

+ void

+ write_stacktrace(const char *file_name)

+ {

+-	int fd = open(file_name, O_WRONLY | O_APPEND | O_CREAT, 0644);

++        int fd = open(file_name, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH | S_IWOTH);

+ 	void *buffer[100];

+ 	int nptrs;

+ 

+@@ -518,6 +518,47 @@

+ 	return (*str1 == 0 && *str2 == 0);

+ }

+ 

++/* We need to use O_NOFOLLOW if opening a file for write, so that a non privileged user can't

++ * create a symbolic link from the path to a system file and cause a system file to be overwritten. */

++FILE *fopen_safe(const char *path, const char *mode)

++{

++    int fd;

++    FILE *file;

++    int flags = O_NOFOLLOW | O_CREAT;

++

++    if (mode[0] == 'r')

++        return fopen(path, mode);

++

++    if (mode[0] != 'a' && mode[0] != 'w')

++        return NULL;

++

++    if (mode[1] &&

++        (mode[1] != '+' || mode[2]))

++        return NULL;

++

++    if (mode[0] == 'w')

++        flags |= O_TRUNC;

++    else

++        flags |= O_APPEND;

++

++    if (mode[1])

++        flags |= O_RDWR;

++    else

++        flags |= O_WRONLY;

++

++    fd = open(path, flags, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH | S_IWOTH);

++    if (fd == -1)

++        return NULL;

++

++    file = fdopen (fd, "w");

++    if (!file) {

++        close(fd);

++        return NULL;

++    }

++

++    return file;

++}

++

+ void

+ set_std_fd(int force)

+ {

+diff -Naur a/lib/utils.h b/lib/utils.h

+--- a/lib/utils.h	2019-02-15 01:01:55.538543574 +0530

+@@ -70,6 +70,7 @@

+ extern int inet_sockaddrcmp(struct sockaddr_storage *, struct sockaddr_storage *);

+ extern char *get_local_name(void);

+ extern int string_equal(const char *, const char *);

++extern FILE *fopen_safe(const char *, const char *);

+ extern void set_std_fd(int);

+ #if !defined _HAVE_LIBIPTC_ || defined _LIBIPTC_DYNAMIC_

+ extern int fork_exec(char **argv);

@@ -1,7 +1,7 @@

 Summary:    HA monitor built upon LVS, VRRP and services poller 

 Name:       keepalived

 Version:    1.3.5

-Release:    1%{?dist}

+Release:    2%{?dist}

 License:    GPL

 URL:        http://www.keepalived.org/

 Group:      Applications/System

@@ -10,6 +10,7 @@ Distribution: Photon

 Source0:     http://www.keepalived.org/software/%{name}-%{version}.tar.gz

 %define sha1 keepalived=5a373d8f5d382700cf53b827947a92a7f4cef148

 Source1:     keepalived.service

+Patch0:         CVE-2018-19044.patch

 BuildRequires:    openssl-devel

 BuildRequires:    iptables

 BuildRequires:    libmnl-devel

@@ -34,6 +35,7 @@ healthchecks and LVS directors failover.

 %prep

 %setup -q

+%patch0 -p1

 %build

 ./configure \

@@ -85,5 +87,7 @@ fi

 %{_mandir}/man8/keepalived.8*

 %changelog

+*   Thu Feb 14 2019 <ashwinh@vmware.com> 1.3.5-2

+-   Fix CVE-2018-19044

 *   Thu Apr 06 2017 Dheeraj Shetty <dheerajs@vmware.com> 1.3.5-1

 -   Initial build.  First version