Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20111008165504.GA1977@albatros>
Date: Sat, 8 Oct 2011 20:55:04 +0400
From: Vasiliy Kulikov <segoon@...nwall.com>
To: oss-security@...ts.openwall.com
Cc: Reuben Hawkins <reubenhwk@...il.com>
Subject: Re: radvd 1.8.2 released with security fixes

On Fri, Oct 07, 2011 at 15:41 +0100, John Haxby wrote:
> On 07/10/11 14:03, Robert Święcki wrote:
> > On Fri, Oct 7, 2011 at 12:35 PM, Huzaifa Sidhpurwala
> > <huzaifas@...hat.com> wrote:
> >> Shouldnt this be:
> >>
> >>        /* No path traversal */
> >>        if (strstr(iface, "..") || strchr(iface, '/'))
> >>                return -1;
> > FWIW, this will reject too much;
> >
> > /path/to/sth..jpg
> >
> 
> Indeed, since I don't believe that iface can reasonably include a "/"
> its sufficient to check for that.   If not then you need to check for
> "../" at the beginning of iface and "/.." anywhere else in it.   But
> simply forbidding "/" should be fine.

Crap, thank you for noticing it, guys.  The fix should be:

https://github.com/reubenhwk/radvd/commit/7a1471b62da88373e8f4209d503307c5d841b81f

Now, "", "..", "." and filenames with "/" inside are denied.


Thanks,

-- 
Vasiliy Kulikov
http://www.openwall.com - bringing security into open computing environments

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.