Date: Sat, 16 Jul 2011 21:35:20 +0200
From: Stefan Fritsch <>
To: halfdog <>
Subject: Re: Apache symlink issue: can documented behavior be a security problem and hence get a CVE?

On Saturday 16 July 2011, halfdog wrote:
> Understood. I've looked at the issue more closely and found a
> similar DOS-exploitable timerace and a buffer overwrite unrelated
> to this. Just for study, I'm currently trying to combine 3
> timeraces + buffer overwrite + ROP to get code execution. Since
> apache will quite likely fix the other two issues, they have to
> touch the code anyway, so the symlink issue might be historic soon
> also.

I don't think the race conditions can be fixed without openat, which 
is available in Linux since 2.6.16 and is not available in many other 
flavours of UNIX. Currently, it is clear that your issue only concerns 
an unsupported use case of Apache httpd. IMHO it would not be wise to 
change httpd to support this use case on recent Linux but not on other 

And if you have a setup where the races are a problem, you can fix it 
outside of httpd. E.g. configure your FTP-server to deny creation of 
symlinks or configure SELinux/AppArmor/... accordingly.
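
For readers of this archive, the reason openat matters for these races, shown as an added example that is not part of the original message and is not httpd code: each path component is opened with O_NOFOLLOW relative to the descriptor of its parent, so the walk cannot be redirected by a symlink created between a check and the open. The helper name open_nofollow_beneath, the policy of rejecting every symlink and "..", and the demo tree are assumptions made for this sketch.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not httpd code): open relpath beneath rootfd one component
 * at a time. Each component is opened with O_NOFOLLOW relative to the fd of its
 * already-opened parent (non-final components must be directories), so a symlink
 * swapped in mid-walk fails the open. Returns a read-only fd, or -1 with errno set. */
int open_nofollow_beneath(int rootfd, const char *relpath)
{
    char buf[4096], *save = NULL, *comp, *next;
    int dirfd, fd, err;
    if (strlen(relpath) >= sizeof(buf)) { errno = ENAMETOOLONG; return -1; }
    strcpy(buf, relpath);
    if ((dirfd = dup(rootfd)) < 0) return -1;
    for (comp = strtok_r(buf, "/", &save); comp != NULL; comp = next) {
        next = strtok_r(NULL, "/", &save);
        if (strcmp(comp, "..") == 0) { close(dirfd); errno = EACCES; return -1; }
        fd = openat(dirfd, comp, O_RDONLY | O_NOFOLLOW | O_CLOEXEC | (next ? O_DIRECTORY : 0));
        if (fd < 0) { err = errno; close(dirfd); errno = err; return -1; }
        close(dirfd);
        dirfd = fd;
    }
    return dirfd;
}

/* Demo on a constructed tree: docs/index.html is real; link and docs/leak are symlinks. */
int main(void)
{
    char tmpl[] = "/tmp/nofollow-XXXXXX";
    const char *paths[] = { "docs/index.html", "link/index.html", "docs/leak" };
    int root, fd, i;
    if (!mkdtemp(tmpl) || (root = open(tmpl, O_RDONLY | O_DIRECTORY)) < 0) return 1;
    if (mkdirat(root, "docs", 0700) || symlinkat("docs", root, "link") ||
        symlinkat("index.html", root, "docs/leak") ||
        (fd = openat(root, "docs/index.html", O_CREAT | O_WRONLY, 0600)) < 0) return 1;
    close(fd);
    for (i = 0; i < 3; i++) {
        fd = open_nofollow_beneath(root, paths[i]);
        printf("%-16s %s\n", paths[i], fd >= 0 ? "opened" : strerror(errno));
        if (fd >= 0) close(fd);
    }
    return 0;
}
```

On Linux 5.6 and later, openat2 with RESOLVE_BENEATH or RESOLVE_NO_SYMLINKS performs an equivalent restricted lookup in a single call.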
