oss-sec mailing list archives
Re: CVE Request: PEAR Installer 1.9.1 <= - Symlink Attack
From: Helgi Þormar Þorbjörnsson <helgith () gmail com>
Date: Tue, 1 Mar 2011 10:24:48 +0000
Hi, On 1 Mar 2011, at 09:11, Pierre Joye wrote:
hi, 2011/2/28 Dan Rosenberg <dan.j.rosenberg () gmail com>:I'm not familiar with this code or any of the context surrounding this fix, but it appears to be an incomplete fix. Checking for existence of a symlink and then opening the resource leaves open a window during which a legitimate file can be replaced with a symlink.Not sure it is fixable, or maybe using a lock on the symbolic link while fetching its target (to be tested to be sure that such locks cannot be overridden from shell).
I assume you are referring to the parts for REST.php in the patch in question? At a second look, that part could do with improvements; I wrote up a function which takes TOCTOU into consideration. I'll have that patch done by the end of the day. For other situations I am using tempnam() (via the System class) as those files are only temporary and were being extracted from compressed archives; The predictability of their end destination where the centre part of the reported security problem. - Helgi
Current thread:
- CVE Request: PEAR Installer 1.9.1 <= - Symlink Attack Helgi Þormar Þorbjörnsson (Feb 28)
- Re: CVE Request: PEAR Installer 1.9.1 <= - Symlink Attack Dan Rosenberg (Feb 28)
- Re: CVE Request: PEAR Installer 1.9.1 <= - Symlink Attack Pierre Joye (Mar 01)
- Re: CVE Request: PEAR Installer 1.9.1 <= - Symlink Attack Helgi Þormar Þorbjörnsson (Mar 01)
- Re: CVE Request: PEAR Installer 1.9.1 <= - Symlink Attack Vincent Danen (Mar 03)
- Re: CVE Request: PEAR Installer 1.9.1 <= - Symlink Attack Dan Rosenberg (Mar 01)
- Re: CVE Request: PEAR Installer 1.9.1 <= - Symlink Attack Pierre Joye (Mar 01)
- Re: CVE Request: PEAR Installer 1.9.1 <= - Symlink Attack Helgi Þormar Þorbjörnsson (Mar 01)
- Re: CVE Request: PEAR Installer 1.9.1 <= - Symlink Attack Helgi Þormar Þorbjörnsson (Mar 08)
- Re: CVE Request: PEAR Installer 1.9.1 <= - Symlink Attack Vincent Danen (Mar 11)
- Re: CVE Request: PEAR Installer 1.9.1 <= - Symlink Attack Pierre Joye (Mar 01)
- Re: CVE Request: PEAR Installer 1.9.1 <= - Symlink Attack Dan Rosenberg (Feb 28)