Date: Tue, 1 Mar 2011 10:11:19 +0100
From: Pierre Joye <pierre.php@...il.com>
To: oss-security@...ts.openwall.com
Cc: Dan Rosenberg <dan.j.rosenberg@...il.com>, Helgi Þormar Þorbjörnsson <helgi@....net>
Subject: Re: CVE Request: PEAR Installer 1.9.1 <= - Symlink Attack

hi,

2011/2/28 Dan Rosenberg <dan.j.rosenberg@...il.com>:
> I'm not familiar with this code or any of the context surrounding this
> fix, but it appears to be an incomplete fix. Checking for existence
> of a symlink and then opening the resource leaves open a window during
> which a legitimate file can be replaced with a symlink.

Not sure it is fixable, or maybe using a lock on the symbolic link while
fetching its target (to be tested to be sure that such locks cannot be
overridden from shell).

> Also, I don't see a reason why a hard link couldn't be used for exploitation
> instead.

Hard links are not detectable (lstat), they are treated like normal files.

Cheers,
--
Pierre

@pierrejoye | http://blog.thepimp.net | http://www.libgd.org
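The two points raised in the thread, the lstat-then-open window and the invisibility of hard links to lstat, can be shown with a small stand-alone script. The example below is added here and is not PEAR code; it is Python rather than PHP, and every name in it (`check_then_open`, `open_no_follow`, `classify`, `demo`, the `between` hook) is invented for the illustration. It contrasts the check-then-open pattern with open-then-fstat using O_NOFOLLOW, which makes the symlink refusal atomic, and it shows the only handle the kernel gives you on a hard link: the link count on the object you actually opened.

```python
import errno
import os
import stat
import tempfile


def check_then_open(path, between=None):
    """The pattern the thread calls incomplete: lstat the *name*, then open
    the *name* again. `between` is test scaffolding that stands in for
    whatever else happens on the system between the two calls."""
    if stat.S_ISLNK(os.lstat(path).st_mode):
        raise ValueError("refusing symlink")
    if between is not None:
        between()
    fd = os.open(path, os.O_RDONLY)  # follows whatever the name points to now
    try:
        return os.fstat(fd)
    finally:
        os.close(fd)


def open_no_follow(path):
    """Open the name refusing to follow a symlink in the final component, then
    inspect the descriptor rather than the name. The open is a single system
    call, so there is no window in which the name can be swapped between the
    check and the use. Returns (fd, stat_result); raises OSError."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    try:
        st = os.fstat(fd)  # describes the object that was actually opened
    except OSError:
        os.close(fd)
        raise
    return fd, st


def classify(path):
    """Return 'symlink', 'regular', 'hardlinked' or 'other'. A symlink shows
    up as an open() failure (ELOOP on Linux, EMLINK on some BSDs). A hard link
    is indistinguishable by lstat, as the reply notes; st_nlink > 1 on the
    opened inode is the only signal, and it says a second name exists, not
    which name was the original."""
    try:
        fd, st = open_no_follow(path)
    except OSError as e:
        if e.errno in (errno.ELOOP, getattr(errno, "EMLINK", -1)):
            return "symlink"
        raise
    try:
        if not stat.S_ISREG(st.st_mode):
            return "other"
        if st.st_nlink > 1:
            return "hardlinked"
        return "regular"
    finally:
        os.close(fd)


def demo():
    """Build a constructed layout in a temp dir (constructed test data):
    target, an ordinary file `work`, a symlink and a hard link to target."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "target")
        with open(target, "w") as f:
            f.write("secret")
        work = os.path.join(d, "work")
        with open(work, "w") as f:
            f.write("ordinary")
        link = os.path.join(d, "link")
        os.symlink(target, link)
        hard = os.path.join(d, "hard")
        os.link(target, hard)

        results = {
            "regular": classify(work),
            "symlink": classify(link),
            "hardlinked": classify(hard),
        }

        # Simulate the window: `work` becomes a symlink after the lstat passed.
        def swap():
            os.unlink(work)
            os.symlink(target, work)

        st = check_then_open(work, between=swap)
        results["racy_opened_target"] = st.st_ino == os.stat(target).st_ino

        # The same layout cannot fool open-then-fstat: O_NOFOLLOW rejects it.
        results["nofollow_rejects"] = classify(work) == "symlink"
        return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

`check_then_open` is fooled by the swap and ends up reading `target`; `classify` on the same swapped name refuses it, because the decision is made by the kernel at open time on the object it opened, not earlier on a name that can change. Note that O_NOFOLLOW only protects the final path component; a symlinked parent directory still needs directory descriptors and `openat`, and the st_nlink check is a heuristic, not a proof of which name is legitimate.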