Message-Id: <201107162135.20489.sf@sfritsch.de>
Date: Sat, 16 Jul 2011 21:35:20 +0200
From: Stefan Fritsch <sf@...itsch.de>
To: halfdog <me@...fdog.net>
Cc: oss-security@...ts.openwall.com
Subject: Re: Apache symlink issue: can documented behavior be a security problem and hence get a CVE?

On Saturday 16 July 2011, halfdog wrote:
> Understood. I've looked at the issue more closely and found a
> similar DOS-exploitable timerace and a buffer overwrite unrelated
> to this. Just for study, I'm currently trying to combine 3
> timeraces + buffer overwrite + ROP to get code execution. Since
> apache will quite likely fix the other two issues, they have to
> touch the code anyway, so the symlink issue might be historic soon
> also.

I don't think the race conditions can be fixed without openat, which is
available in Linux since 2.6.16 and is not available in many other
flavours of UNIX.

Currently, it is clear that your issue only concerns an unsupported use
case of Apache httpd. IMHO it would not be wise to change httpd to
support this use case on recent Linux but not on other UNIXes.

And if you have a setup where the races are a problem, you can fix it
outside of httpd. E.g. configure your FTP server to deny creation of
symlinks or configure SELinux/AppArmor/... accordingly.
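The openat-based approach Stefan refers to, shown as an added illustration that is not httpd code and comes from neither poster: instead of checking a path with stat/lstat and then opening it (which leaves a window in which a symlink can be swapped in), each path component is opened with openat(O_NOFOLLOW) relative to the directory fd obtained in the previous step, so a symlink anywhere in the path fails with ELOOP. The docroot layout under /tmp, the file names and the function names are constructed for this demo.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open `relpath` below `dirfd` one component at a time with openat(O_NOFOLLOW).
 * Each step starts from the fd of the directory just opened, so there is no
 * check-then-open window; a symlink component fails with ELOOP. Returns fd or -1. */
int open_nofollow_walk(int dirfd, const char *relpath)
{
    char *copy = strdup(relpath), *save = NULL;
    int cur = copy ? dup(dirfd) : -1;
    if (cur < 0) { free(copy); return -1; }
    for (char *tok = strtok_r(copy, "/", &save); tok; tok = strtok_r(NULL, "/", &save)) {
        errno = EACCES;                                   /* ".." is refused outright */
        int next = strcmp(tok, "..") ? openat(cur, tok, O_RDONLY | O_NOFOLLOW | O_CLOEXEC) : -1;
        int err = errno;                                  /* ELOOP if tok is a symlink */
        close(cur); cur = next;
        if (cur < 0) { errno = err; break; }
    }
    int saved = errno; free(copy); errno = saved;
    return cur;
}

/* Constructed docroot: sub/ok.txt is a regular file, sub/link escapes to ../secret.
 * Returns 1 when the walk opens the file, refuses the symlink with ELOOP and refuses "..". */
int demo_symlink_walk(void)
{
    char root[] = "/tmp/nofollowXXXXXX", p[4][300];
    if (!mkdtemp(root)) return 0;
    snprintf(p[0], sizeof p[0], "%s/sub", root);        mkdir(p[0], 0700);
    snprintf(p[1], sizeof p[1], "%s/sub/ok.txt", root); close(open(p[1], O_WRONLY | O_CREAT, 0600));
    snprintf(p[2], sizeof p[2], "%s/secret", root);     close(open(p[2], O_WRONLY | O_CREAT, 0600));
    snprintf(p[3], sizeof p[3], "%s/sub/link", root);   symlink("../secret", p[3]);
    int rootfd = open(root, O_RDONLY | O_DIRECTORY), ok = 0;
    if (rootfd >= 0) {
        int fd_ok = open_nofollow_walk(rootfd, "sub/ok.txt");
        int fd_link = open_nofollow_walk(rootfd, "sub/link");
        int link_errno = errno;
        int fd_dotdot = open_nofollow_walk(rootfd, "sub/../secret");
        ok = fd_ok >= 0 && fd_link < 0 && link_errno == ELOOP && fd_dotdot < 0;
        if (fd_ok >= 0) close(fd_ok); close(rootfd);
    }
    unlink(p[3]); unlink(p[2]); unlink(p[1]); rmdir(p[0]); rmdir(root);
    return ok;
}
```

The walk only protects against symlinks in the path itself; hard links and the policy controls Stefan mentions (SELinux/AppArmor, FTP server restrictions) remain separate concerns.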