Date: Tue, 1 Mar 2011 12:39:06 +0000
From: Helgi Þormar Þorbjörnsson <helgith@...il.com>
To: Dan Rosenberg <dan.j.rosenberg@...il.com>
Cc: Pierre Joye <pierre.php@...il.com>,
 oss-security@...ts.openwall.com
Subject: Re: CVE Request: PEAR Installer 1.9.1 <= - Symlink Attack


On 1 Mar 2011, at 12:19, Dan Rosenberg wrote:

>> Not sure it is fixable, or maybe using a lock on the symbolic link
>> while fetching its target (to be tested to be sure that such locks
>> cannot be overridden from shell).
>> 
> 
> The easiest way is to just open the target with the O_NOFOLLOW flag to
> avoid following symlinks and abort on failure.  If you need to support
> systems that don't have this flag, then perhaps you could consider
> using an application-specific temporary directory instead of operating
> in the world-writable /tmp.

The PEAR installer does use /tmp (and whatever the Windows equivalent is) by default unless the user opts into a local installation or does indeed change the configuration to use other temp/download/cache directories so users can guard themselves with a good setup.

A flag like that would be handy but doesn't exist (yet) in PHP. 

I moved over to using the O_CREAT|O_EXCL equivalent in PHP when creating new files and lstat + fopen + fstat and comparing mode/ino/dev before writing to an existing file for the cache. I could add an nlink check to that as well.
The current version I've been playing around with is located at https://gist.github.com/848371 - It is missing the nlink part but it should be able to deal with TOCTOU problems. That code snippet hasn't been committed as I consider it work-in-progress still.

Any comments / suggestions are welcome, I did write that one quite late last night :-)

- Helgi
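
The approach described in the message above (exclusive create for new files; lstat + fopen + fstat comparison with an nlink check for existing ones), written out in PHP as an added example. It is not the code from the gist or from PEAR; the function names, constant names and demo paths are assumptions, and it assumes a POSIX system where lstat()/fstat() report meaningful dev/ino values.

```php
<?php
// Added example, not PEAR's code; all names below are hypothetical.
const MODE_TYPE_MASK = 0170000; // file-type bits of st_mode
const MODE_REGULAR   = 0100000; // regular file

// New file: 'x' is PHP's O_CREAT|O_EXCL, so an existing name (even a
// dangling symlink) makes the open fail instead of being followed.
function create_exclusive(string $path)
{
    $fp = @fopen($path, 'x');
    if ($fp === false) {
        throw new RuntimeException("refusing to create $path");
    }
    return $fp;
}

// Existing file: inspect the name, open it, then confirm the handle is the same file.
function open_existing_checked(string $path)
{
    $before = @lstat($path); // does not follow symlinks
    if ($before === false || ($before['mode'] & MODE_TYPE_MASK) !== MODE_REGULAR) {
        throw new RuntimeException("$path is not a regular file");
    }
    if ($before['nlink'] !== 1) { // the nlink check mentioned in the message
        throw new RuntimeException("$path has extra hard links");
    }
    $fp = @fopen($path, 'r+'); // neither creates nor truncates
    if ($fp === false) {
        throw new RuntimeException("cannot open $path");
    }
    $after = fstat($fp); // describes the file that was actually opened
    foreach (['dev', 'ino', 'mode', 'nlink'] as $key) {
        if ($before[$key] !== $after[$key]) {
            fclose($fp);
            throw new RuntimeException("$path changed between lstat and fopen ($key differs)");
        }
    }
    ftruncate($fp, 0); // old contents are discarded only after the check
    return $fp;
}

// Constructed demo inside a private 0700 directory.
$dir = sys_get_temp_dir() . '/demo_' . bin2hex(random_bytes(8));
mkdir($dir, 0700);
$fp = create_exclusive("$dir/cache");      fwrite($fp, "v1"); fclose($fp);
$fp = open_existing_checked("$dir/cache"); fwrite($fp, "v2"); fclose($fp);
symlink("$dir/cache", "$dir/link");
try { open_existing_checked("$dir/link"); } catch (RuntimeException $e) { echo $e->getMessage(), "\n"; }
array_map('unlink', glob("$dir/*")); rmdir($dir);
```

Opening with 'r+' rather than 'w' matters here: 'w' would truncate whatever the name resolves to before the fstat comparison has a chance to reject it.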
