oss-sec mailing list archives
Re: radvd 1.8.2 released with security fixes
From: Huzaifa Sidhpurwala <huzaifas () redhat com>
Date: Fri, 07 Oct 2011 16:05:23 +0530
On 10/07/2011 04:22 AM, Solar Designer wrote:
2) An arbitrary file overwrite flaw was found in radvd's set_interface_var() function, where it did not check the interface name (generated by the unprivileged user) and blindly overwrites a filename with a decimal value by the root process. If a local attacker could create symlinks pointing to arbitrary files on the system, they could overwrite the target file contents. If only radvd is compromised (e.g. no local access), the attacker may only overwrite files with specific names only (PROC_SYS_IP6_* from radvd's pathnames.h). (CVE-2011-3602)
I am looking at the patch for this particular issue and it seems wrong to me.
Patch: https://github.com/reubenhwk/radvd/commit/92e22ca23e52066da2258df8c76a2dca8a428bcc Shouldnt this be: /* No path traversal */ if (strstr(iface, "..") || strchr(iface, '/')) return -1; -- Huzaifa Sidhpurwala / Red Hat Security Response Team
Current thread:
- radvd 1.8.2 released with security fixes Solar Designer (Oct 06)
- Re: radvd 1.8.2 released with security fixes Huzaifa Sidhpurwala (Oct 07)
- Re: radvd 1.8.2 released with security fixes Robert Święcki (Oct 07)
- Re: radvd 1.8.2 released with security fixes John Haxby (Oct 07)
- Re: radvd 1.8.2 released with security fixes Vasiliy Kulikov (Oct 08)
- Re: radvd 1.8.2 released with security fixes Reuben Hawkins (Oct 11)
- Re: radvd 1.8.2 released with security fixes Vasiliy Kulikov (Oct 12)
- Re: radvd 1.8.2 released with security fixes Vasiliy Kulikov (Oct 12)
- Ruby 3.0.10 WEBrick::HTTPRequest X-Forwarded-* Kurt Seifried (Oct 12)
- Re: radvd 1.8.2 released with security fixes Reuben Hawkins (Oct 14)
- Re: radvd 1.8.2 released with security fixes Robert Święcki (Oct 07)
- Re: radvd 1.8.2 released with security fixes Huzaifa Sidhpurwala (Oct 07)
- Re: radvd 1.8.2 released with security fixes Solar Designer (Oct 13)