oss-sec mailing list archives
Re: Apache symlink issue: can documented behavior be a security problem and hence get a CVE?
From: Stefan Fritsch <sf () sfritsch de>
Date: Sat, 16 Jul 2011 21:35:20 +0200
On Saturday 16 July 2011, halfdog wrote:
> Understood. I've looked at the issue more closely and found a similar DOS-exploitable timerace and a buffer overwrite unrelated to this. Just for study, I'm currently trying to combine 3 timeraces + buffer overwrite + ROP to get code execution. Since Apache will quite likely fix the other two issues, they have to touch the code anyway, so the symlink issue might be historic soon also.
I don't think the race conditions can be fixed without openat, which is available in Linux since 2.6.16 and is not available in many other flavours of UNIX. Currently, it is clear that your issue only concerns an unsupported use case of Apache httpd. IMHO it would not be wise to change httpd to support this use case on recent Linux but not on other UNIXes. And if you have a setup where the races are a problem, you can fix it outside of httpd. E.g. configure your FTP server to deny creation of symlinks or configure SELinux/AppArmor/... accordingly.
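For readers following the openat point above, here is an added illustration (not code from the thread or from httpd) of the component-wise openat(2) + O_NOFOLLOW walk that closes the check-then-open window: there is no separate stat() whose result a racing symlink swap could invalidate. Function names and the temporary /tmp tree it builds are constructed for this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Open base/rel one component at a time, each openat() relative to the fd
 * from the previous step and with O_NOFOLLOW. No separate stat() check
 * exists for a racing symlink swap to defeat: a symlink in any component
 * fails the open with ELOOP. Returns an fd, or -1 with errno set. */
int open_nofollow_components(const char *base, const char *rel)
{
    int dirfd = open(base, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (dirfd < 0) return -1;
    char *copy = strdup(rel), *save = NULL;
    if (!copy) { close(dirfd); return -1; }
    for (char *p = strtok_r(copy, "/", &save); p; p = strtok_r(NULL, "/", &save)) {
        if (strcmp(p, ".") == 0) continue;
        int next = strcmp(p, "..") ? openat(dirfd, p, O_RDONLY | O_NOFOLLOW | O_CLOEXEC)
                                   : (errno = EACCES, -1);  /* never climb out of base */
        close(dirfd);            /* parent fd no longer needed */
        if ((dirfd = next) < 0) break;
    }
    int saved = errno;
    free(copy);
    errno = saved;
    return dirfd;
}

/* Constructed sample tree: a regular file and a symlink side by side. */
int demo_symlink_defense(void)
{
    char root[] = "/tmp/symlink-demo-XXXXXX", path[512];
    if (!mkdtemp(root)) return 0;
    snprintf(path, sizeof path, "%s/index.html", root);
    int fd = open(path, O_WRONLY | O_CREAT, 0600);
    if (fd < 0) return 0; close(fd);
    snprintf(path, sizeof path, "%s/leak", root);  /* symlink pointing outside docroot */
    if (symlink("/outside/docroot/secret", path) != 0) return 0;
    int ok  = open_nofollow_components(root, "index.html");  /* regular file: opens */
    int bad = open_nofollow_components(root, "./leak");      /* symlink: ELOOP */
    int res = ok >= 0 && bad < 0 && errno == ELOOP;
    if (ok >= 0) close(ok);
    unlink(path);
    snprintf(path, sizeof path, "%s/index.html", root); unlink(path); rmdir(root);
    return res;
}
```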