Date: Wed, 23 Dec 2009 12:17:13 -0800
From: Brandon Philips <brandon@...p.org>
To: Hanno Böck <hanno@...eck.de>
Cc: OSS Security List <oss-security@...ts.openwall.com>
Subject: Re: CVE request: acl 2.2.47 always follows symlinks

On 11:50 Wed 23 Dec 2009, Hanno Böck wrote:
> setfacl/getfacl (part of package acl-2.2.47) contains a bug where it ignores
> the --physical/-P parameter, which means don't follow symlinks on -R
> (recursive).
>
> This can lead to security problems, e.g. if there's a cron script giving a
> user full rwX rights for a directory, he can put a symlink there pointing to /
> or /etc or whatever.
> Another scenario would be a backup script saving the /home acls to a file;
> every user can create an endless loop for that and prevent the script from
> completing.
>
> http://oss.sgi.com/bugzilla/show_bug.cgi?id=790
> http://bugs.gentoo.org/show_bug.cgi?id=265425
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=499076
>
> Fixed in upstream source, but no new release yet.

Upstream for acl and attr has moved from SGI to community hosting at
savannah.gnu.org. The latest release is here:

http://download.savannah.gnu.org/releases-noredirect/acl/acl-2.2.49.src.tar.gz

Mailing lists, git repos, and a bug system can be found here:

http://savannah.nongnu.org/projects/acl
http://savannah.nongnu.org/projects/attr

Thanks,

Brandon
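The two failure modes in the report (a recursive walk escaping through a symlink into a directory outside the tree, and a symlink pointing back at its own parent causing an endless loop) come down to how the recursive traversal treats links. The following is an added illustration, not code from the acl project: a model of the traversal a `-R` tool should perform, where `physical=True` models `-P` (links never followed) and `physical=False` models `-L` (links followed, but every real directory is entered once, keyed by device and inode, so loops terminate). `safe_walk` and `demo` are names chosen here; the directory layout is constructed in a temporary directory.

```python
import os
import shutil
import stat
import tempfile

def safe_walk(root, physical=True):
    """Return the paths (relative to root) a recursive ACL tool should touch.
    physical=True: symlinks are skipped entirely, never followed (-P).
    physical=False: directory symlinks are followed, but each real directory
    is visited once, keyed by (st_dev, st_ino), so a link loop cannot recurse
    forever (-L done safely)."""
    seen, out = set(), []

    def visit(path):
        st = os.lstat(path)                  # inspects the link, not its target
        if stat.S_ISLNK(st.st_mode):
            if physical:
                return                       # -P: do not follow, do not list
            try:
                st = os.stat(path)           # -L: examine the link target
            except OSError:
                return                       # dangling link, nothing to do
        out.append(os.path.relpath(path, root))
        if not stat.S_ISDIR(st.st_mode):
            return
        key = (st.st_dev, st.st_ino)
        if key in seen:
            return                           # already entered: loop or alias
        seen.add(key)
        for name in sorted(os.listdir(path)):
            visit(os.path.join(path, name))

    visit(root)
    return out

def demo():
    """Constructed layout mirroring the report: a user-writable directory
    holding a symlink to a directory outside it and a symlink to itself."""
    base = tempfile.mkdtemp()
    try:
        home, outside = os.path.join(base, "home"), os.path.join(base, "outside")
        os.makedirs(home)
        os.makedirs(outside)
        open(os.path.join(home, "notes.txt"), "w").close()
        open(os.path.join(outside, "secret"), "w").close()
        os.symlink(outside, os.path.join(home, "escape"))  # leads out of the tree
        os.symlink(home, os.path.join(home, "loop"))       # points back at itself
        return safe_walk(home, physical=True), safe_walk(home, physical=False)
    finally:
        shutil.rmtree(base)
```

With the physical walk nothing under `escape` is touched and `loop` is ignored; the logical walk reaches `escape/secret` (as `-L` is meant to) but stops at `loop` instead of recursing forever.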