Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 1 Mar 2011 10:11:19 +0100
From: Pierre Joye <pierre.php@...il.com>
To: oss-security@...ts.openwall.com
Cc: Dan Rosenberg <dan.j.rosenberg@...il.com>, 
	Helgi Þormar Þorbjörnsson <helgi@....net>
Subject: Re: CVE Request: PEAR Installer 1.9.1 <= - Symlink Attack

hi,

2011/2/28 Dan Rosenberg <dan.j.rosenberg@...il.com>:
> I'm not familiar with this code or any of the context surrounding this
> fix, but it appears to be an incomplete fix.  Checking for existence
> of a symlink and then opening the resource leaves open a window during
> which a legitimate file can be replaced with a symlink.

Not sure it is fixable, or maybe using a lock on the symbolic link
while fetching its target (to be tested to be sure that such locks
cannot be overridden from shell).

> Also, I don't see a reason why a hard link couldn't be used for exploitation
> instead.

Hard link are not detectable (lstat), they are treated like normal files.

Cheers,
-- 
Pierre

@pierrejoye | http://blog.thepimp.net | http://www.libgd.org

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ