oss-sec mailing list archives

Re: CVE request: acl 2.2.47 always follows symlinks

From: Brandon Philips <brandon () ifup org>
Date: Wed, 23 Dec 2009 12:17:13 -0800

On 11:50 Wed 23 Dec 2009, Hanno Böck wrote:

setfacl/getfacl (part of package acl-2.2.47) contains a bug that it ignores
the --physical/-P parameter that means don't follow symlinks on -R
(recursive).

This can lead to security problems, e.g. if there's a cron script giving a
user full rwX rights for a directory, he can put a symlink there pointing to /
or /etc or whatever.
Another scenario would be a backup script saving the /home acls to a file,
every user can create an endless loop for that and prevent the script from
completing.

http://oss.sgi.com/bugzilla/show_bug.cgi?id=790
http://bugs.gentoo.org/show_bug.cgi?id=265425
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=499076

Fixed in upstream source, but no new release yet.


Upstream for acl and attr has moved from SGI to community hosting at
savannah.gnu.org. The latest release is here:

 http://download.savannah.gnu.org/releases-noredirect/acl/acl-2.2.49.src.tar.gz

Mailing lists, git repos, and a bug system can be found here:
 http://savannah.nongnu.org/projects/acl
 http://savannah.nongnu.org/projects/attr

Thanks,

        Brandon

Current thread:

CVE request: acl 2.2.47 always follows symlinks Hanno Böck (Dec 23)
- Re: CVE request: acl 2.2.47 always follows symlinks Steven M. Christey (Dec 23)
- <Possible follow-ups>
- Re: CVE request: acl 2.2.47 always follows symlinks Brandon Philips (Dec 23)