Date: Tue, 1 Mar 2011 10:24:48 +0000
From: Helgi Þormar Þorbjörnsson <helgith@...il.com>
To: oss-security@...ts.openwall.com
Cc: Dan Rosenberg <dan.j.rosenberg@...il.com>,
 Pierre Joye <pierre.php@...il.com>
Subject: Re: CVE Request: PEAR Installer 1.9.1 <= - Symlink Attack

Hi, 
On 1 Mar 2011, at 09:11, Pierre Joye wrote:

> hi,
> 
> 2011/2/28 Dan Rosenberg <dan.j.rosenberg@...il.com>:
>> I'm not familiar with this code or any of the context surrounding this
>> fix, but it appears to be an incomplete fix.  Checking for existence
>> of a symlink and then opening the resource leaves open a window during
>> which a legitimate file can be replaced with a symlink.
> 
> Not sure it is fixable, or maybe using a lock on the symbolic link
> while fetching its target (to be tested to be sure that such locks
> cannot be overridden from shell).

I assume you are referring to the parts for REST.php in the patch in question?
On a second look, that part could do with improvements; I wrote up a function which takes TOCTOU into consideration.
I'll have that patch done by the end of the day.

For other situations I am using tempnam() (via the System class), as those files are only temporary and were being extracted from compressed archives; the predictability of their end destination was the central part of the reported security problem.

- Helgi
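The two techniques discussed in this thread, shown together as an added example that is not PEAR code and not the patch under discussion: on the read side, Dan's is_link()-then-fopen() window is closed by taking the file's identity with lstat() before the open and checking it again with fstat() on the handle afterwards; on the write side, exclusive creation (fopen mode 'x', i.e. O_CREAT|O_EXCL) and tempnam() create the file themselves, so there is no pre-existing path for an attacker to replace with a symlink. The helper names open_regular_file and create_new_file are this example's own, and the demonstration uses a throwaway directory under the system temp dir.

```php
<?php
// Added example, not code from PEAR or from the patch under discussion.
// Helper names (open_regular_file, create_new_file) are this example's own.

/**
 * Open $path for reading only if it is a regular file, without the
 * is_link()-then-fopen() race: take the identity with lstat() before the
 * open, take it again with fstat() on the handle, refuse if it changed.
 */
function open_regular_file(string $path)
{
    clearstatcache(true, $path);          // PHP caches stat results; drop them
    $before = @lstat($path);
    if ($before === false) {
        return false;                     // nothing there (or not readable)
    }
    if (($before['mode'] & 0170000) !== 0100000) {
        return false;                     // symlink, directory, device, ...
    }
    $fp = @fopen($path, 'rb');
    if ($fp === false) {
        return false;
    }
    $after = fstat($fp);                  // identity of what was actually opened
    if ($after['dev'] !== $before['dev'] || $after['ino'] !== $before['ino']) {
        fclose($fp);                      // swapped for a symlink between the two calls
        return false;
    }
    return $fp;
}

/**
 * Create $path for writing without ever following a pre-placed symlink.
 * Mode 'x' is O_CREAT|O_EXCL: the call fails if anything, including a
 * dangling symlink, already exists at $path, so there is no check to race.
 */
function create_new_file(string $path)
{
    return @fopen($path, 'xb');
}

/* Demonstration in a throwaway directory (CLI only). */
if (PHP_SAPI === 'cli') {
    $dir = sys_get_temp_dir() . '/toctou-' . bin2hex(random_bytes(6));
    mkdir($dir, 0700);
    file_put_contents("$dir/plain", "hello\n");
    symlink('/etc/passwd', "$dir/link");      // attacker-style symlink

    var_dump(open_regular_file("$dir/plain") !== false);   // regular file: opened
    var_dump(open_regular_file("$dir/link"));              // symlink: refused
    var_dump(create_new_file("$dir/link"));                // path occupied: refused
    var_dump(create_new_file("$dir/fresh") !== false);     // new path: created

    // Unpredictable temporary names: tempnam() creates the file itself
    // (mode 0600), so nobody can have pre-created a symlink at that path.
    $tmp = tempnam($dir, 'pear');
    var_dump(is_file($tmp) && !is_link($tmp));

    array_map('unlink', glob("$dir/*"));
    rmdir($dir);
}
```

The lstat()/fstat() comparison does not prevent the swap, it detects it: if the file was replaced by a symlink between the two calls, fopen() followed the link to a different inode and the device/inode pair no longer matches, so the handle is discarded. The check only holds if the stat cache is cleared first, since lstat() on an already-stat'ed path can otherwise return a stale result. For files the installer writes itself, exclusive creation sidesteps the question entirely, which is why the temporary-file case is better served by tempnam() than by any pre-check.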
