Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 7 Oct 2011 15:03:57 +0200
From: Robert Święcki <robert@...ecki.net>
To: oss-security@...ts.openwall.com
Subject: Re: radvd 1.8.2 released with security fixes

On Fri, Oct 7, 2011 at 12:35 PM, Huzaifa Sidhpurwala
<huzaifas@...hat.com> wrote:
> On 10/07/2011 04:22 AM, Solar Designer wrote:
>>
>> 2) An arbitrary file overwrite flaw was found in radvd's
>> set_interface_var() function, where it did not check the interface name
>> (generated by the unprivileged user) and blindly overwrites a filename
>> with a decimal value by the root process.  If a local attacker could
>> create symlinks pointing to arbitrary files on the system, they could
>> overwrite the target file contents.  If only radvd is compromised (e.g.
>> no local access), the attacker may only overwrite files with specific
>> names only (PROC_SYS_IP6_* from radvd's pathnames.h). (CVE-2011-3602)
>
> I am looking at the patch for this particular issue and it seems wrong to
> me.
>
> Patch:
> https://github.com/reubenhwk/radvd/commit/92e22ca23e52066da2258df8c76a2dca8a428bcc
>
> Shouldnt this be:
>
>        /* No path traversal */
>        if (strstr(iface, "..") || strchr(iface, '/'))
>                return -1;

FWIW, this will reject too much;

/path/to/sth..jpg

-- 
Robert Święcki

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.