Date: Mon, 28 Feb 2011 14:40:36 -0500
From: Dan Rosenberg <dan.j.rosenberg@...il.com>
To: oss-security@...ts.openwall.com
Cc: Helgi Þormar Þorbjörnsson <helgi@....net>
Subject: Re: CVE Request: PEAR Installer 1.9.1 <= - Symlink Attack

I'm not familiar with this code or any of the context surrounding this
fix, but it appears to be an incomplete fix.  Checking for existence
of a symlink and then opening the resource leaves open a window during
which a legitimate file can be replaced with a symlink.  Also, I don't
see a reason why a hard link couldn't be used for exploitation
instead.

-Dan

2011/2/28 Helgi Þormar Þorbjörnsson <helgi@....net>:
> The lack of symlink checks in the PEAR installer 1.9.1 <= while doing
> installation and upgrades, which initiate various system write
> operations, can cause privileged users unknowingly to overwrite
> critical system files.
>
> Further information can be found in this temporary advisory
> http://pear.php.net/advisory-20110228.txt and the
>
> Fixes can be found at http://news.php.net/php.pear.cvs/61264
>
> - Helgi
>
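
The check-then-open window and the hard-link gap raised in this message, as an added example that is not part of the original thread and is not PEAR's code. `check_then_open` mirrors the pattern being criticised; `safe_overwrite` is a hypothetical POSIX-only helper that has the kernel refuse a symlink at open time and checks the link count on the descriptor it actually opened.

```python
import errno
import os
import stat


def check_then_open(path, data):
    """Racy pattern: the path can be swapped for a symlink between the
    islink() check and the open(), and a hard link passes the check anyway."""
    if os.path.islink(path):
        raise OSError(errno.ELOOP, "refusing symlink", path)
    with open(path, "wb") as f:  # follows whatever the path names *now*
        f.write(data)


def safe_overwrite(path, data, mode=0o644):
    """Write data to path without following a symlink at the final path
    component and without writing through a hard link to another file.
    Assumption: the parent directories are trusted; O_NOFOLLOW only
    covers the last component of the path."""
    # No O_TRUNC here: nothing is modified until the checks below pass.
    # O_NONBLOCK keeps the open from hanging if the path is a FIFO.
    flags = os.O_WRONLY | os.O_CREAT | os.O_NOFOLLOW | os.O_NONBLOCK
    fd = os.open(path, flags, mode)  # the kernel rejects a symlink here
    try:
        st = os.fstat(fd)  # describes the opened inode, not the path
        if not stat.S_ISREG(st.st_mode):
            raise OSError(errno.EINVAL, "not a regular file", path)
        if st.st_nlink != 1:
            raise OSError(errno.EMLINK, "unexpected hard link count", path)
        os.ftruncate(fd, 0)
    except BaseException:
        os.close(fd)
        raise
    with os.fdopen(fd, "wb") as f:  # fdopen takes ownership of fd
        f.write(data)
```

Because every check runs against the open descriptor, replacing the path after `os.open` returns has no effect on what gets written.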
