Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 1 Mar 2011 12:39:06 +0000
From: Helgi Þormar Þorbjörnsson <>
To: Dan Rosenberg <>
Cc: Pierre Joye <>,
Subject: Re: CVE Request: PEAR Installer 1.9.1 <= - Symlink Attack

On 1 Mar 2011, at 12:19, Dan Rosenberg wrote:

>> Not sure it is fixable, or maybe using a lock on the symbolic link
>> while fetching its target (to be tested to be sure that such locks
>> cannot be overridden from shell).
> The easiest way is to just open the target with the O_NOFOLLOW flag to
> avoid following symlinks and abort on failure.  If you need to support
> systems that don't have this flag, then perhaps you could consider
> using an application-specific temporary directory instead of operating
> in the world-writable /tmp.

The PEAR installer does use /tmp (and whatever the Windows equivalent is) by default unless the user opts into a local installation or does indeed change the configuration to use other temp/download/cache directories so users can guard themselves with a good setup.

A flag like that would be handy but doesn't exist (yet) in PHP. 

I moved over to using the O_CREAT|O_EXCL equivalent in PHP when creating new files and lstat + fopen + fstat and comparing mode/ino/dev before writing to an existing file for the cache. I could add an nlink check to that as well.
The current version I've been playing around with is located at - It is missing the nlink part but it should be able to deal with TOCTOU problems. That code snippet hasn't been committed as I consider it work-in-progress still.

Any comments / suggestions are welcome, I did write that one quite late last night :-)

- Helgi

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.