Date: Wed, 12 Oct 2011 11:58:23 +0400 From: Vasiliy Kulikov <segoon@...nwall.com> To: Reuben Hawkins <reubenhwk@...il.com> Cc: oss-security@...ts.openwall.com Subject: Re: radvd 1.8.2 released with security fixes On Tue, Oct 11, 2011 at 23:26 -0700, Reuben Hawkins wrote: > On Sat, Oct 8, 2011 at 9:55 AM, Vasiliy Kulikov <segoon@...nwall.com> wrote: > > On Fri, Oct 07, 2011 at 15:41 +0100, John Haxby wrote: > >> On 07/10/11 14:03, Robert Święcki wrote: > >> > On Fri, Oct 7, 2011 at 12:35 PM, Huzaifa Sidhpurwala > >> > <huzaifas@...hat.com> wrote: > >> >> Shouldnt this be: > >> >> > >> >> /* No path traversal */ > >> >> if (strstr(iface, "..") || strchr(iface, '/')) > >> >> return -1; > >> > FWIW, this will reject too much; > >> > > >> > /path/to/sth..jpg > >> > > >> > >> Indeed, since I don't believe that iface can reasonably include a "/" > >> its sufficient to check for that. If not then you need to check for > >> "../" at the beginning of iface and "/.." anywhere else in it. But > >> simply forbidding "/" should be fine. > > > > Crap, thank you for noticing it, guys. The fix should be: > > > > https://github.com/reubenhwk/radvd/commit/7a1471b62da88373e8f4209d503307c5d841b81f > > > > Now, "", "..", "." and filenames with "/" inside are denied. > > > > > > Thanks, > > > > -- > > Vasiliy Kulikov > > http://www.openwall.com - bringing security into open computing environments > > > > Are y'all waiting on me to release 1.8.3 with the latest fix? If nobody has any complains about the fix, I think it's the right thing to do - the bug greatly weakens the role of privsep. It's a good reason for the release. Thanks, -- Vasiliy Kulikov http://www.openwall.com - bringing security into open computing environments
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.