Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Mon, 4 Oct 2010 15:05:12 -0400 (EDT)
From: Josh Bressers <bressers@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: Small exposure in ocfs2 fast symlinks.

----- "Joel Becker" <Joel.Becker@...cle.com> wrote:

> Hey Everyone,
> 	We just discovered that ocfs2 could walk off the end of fast symlinks
> 	-- that is, symlinks that are stored directly in the inode block.
> 	ocfs2 terminates these with NUL characters, but a disk corruption or an
> 	attacker with direct access to the ocfs2 disk could overwrite the NUL.
> 	Following the symlink via the filesystem would walk off the end of the
> 	in-memory block buffer.  We're not sure how exploitable this is, but I
> 	figured I'd provide a heads-up.  The fix is in ocfs2's git tree and
> 	will be sent upstream tonight.  Erratas with the fix are being built.
> 	If someone thinks we should have a CVE, please provide me with the
> 	number.  Otherwise, just FYI.
> 

Unless someone asks for an ID, I don't plan to give this one. I dare say if
an attacker can modify the disk directly, you probably have far bigger
worries here than following symlinks.

Thanks.

-- 
    JB

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.