oss-sec mailing list archives
Re: CVE Request: PEAR Installer 1.9.1 <= - Symlink Attack
From: Vincent Danen <vdanen () redhat com>
Date: Thu, 3 Mar 2011 11:32:37 -0700
* [2011-03-01 10:24:48 +0000] Helgi Þormar Þorbjörnsson wrote:

> Hi,
>
> On 1 Mar 2011, at 09:11, Pierre Joye wrote:
>
>> hi,
>>
>> 2011/2/28 Dan Rosenberg <dan.j.rosenberg () gmail com>:
>>
>>> I'm not familiar with this code or any of the context surrounding this fix, but it appears to be an incomplete fix. Checking for existence of a symlink and then opening the resource leaves open a window during which a legitimate file can be replaced with a symlink.
>>
>> Not sure it is fixable, or maybe using a lock on the symbolic link while fetching its target (to be tested to be sure that such locks cannot be overridden from shell).
>
> I assume you are referring to the parts for REST.php in the patch in question? At a second look, that part could do with improvements; I wrote up a function which takes TOCTOU into consideration. I'll have that patch done by the end of the day.
>
> For other situations I am using tempnam() (via the System class) as those files are only temporary and were being extracted from compressed archives; the predictability of their end destination were the centre part of the reported security problem.

I took a quick look at the svn repository and don't see any additional fixes. So this means that 1.9.2 has the original fix (CVE-2011-1072) but not the complete fix (to which MITRE has assigned CVE-2011-1144, for an incomplete fix of CVE-2011-1072).

Any word on patches to fully fix the problem yet? I guess that a 1.9.3 must be planned to come soon (which would contain the CVE-2011-1144 fixes)?

--
Vincent Danen / Red Hat Security Response Team
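
The check-then-open window Dan Rosenberg describes in the quoted text, next to an atomic alternative, as an added example that is not part of this thread or of PEAR's code. The function names and demo paths are hypothetical, and the demo assumes a POSIX system where symlink() is available.

```php
<?php
// Added illustration, not PEAR code. Function names are hypothetical.

// Racy: the pattern criticised in the thread. The path is resolved twice,
// once by is_link() and again by fopen(), and can change in between.
function write_check_then_open(string $path, string $data): bool
{
    if (is_link($path)) {                  // time of check
        return false;
    }
    $fp = fopen($path, 'wb');              // time of use: follows symlinks
    if ($fp === false) {
        return false;
    }
    fwrite($fp, $data);
    return fclose($fp);
}

// Race-free for new files: mode 'x' is O_CREAT|O_EXCL, so the kernel
// creates the file and rejects any existing name (symlinks included,
// even dangling ones) in a single step.
function write_exclusive(string $path, string $data): bool
{
    $fp = @fopen($path, 'xb');
    if ($fp === false) {
        return false;                      // something already owns the name
    }
    fwrite($fp, $data);
    return fclose($fp);
}

// Constructed demo: a private directory with a pre-planted symlink.
$dir = sys_get_temp_dir() . '/toctou_demo_' . bin2hex(random_bytes(8));
mkdir($dir, 0700);
$target = "$dir/target.txt";
$link   = "$dir/cache.tmp";
file_put_contents($target, "original\n");
symlink($target, $link);

var_dump(write_exclusive($link, "payload\n"));            // name held by the symlink
var_dump(file_get_contents($target));                     // content of the link target
var_dump(write_exclusive("$dir/fresh.tmp", "payload\n")); // unused name

array_map('unlink', [$link, $target, "$dir/fresh.tmp"]);
rmdir($dir);
```

The exclusive create only covers files that are meant to be new, such as the temporary files mentioned in the thread; it does not address opening an existing file safely.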