oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: radvd 1.8.2 released with security fixes

From: Robert Święcki <robert () swiecki net>
Date: Fri, 7 Oct 2011 15:03:57 +0200
On Fri, Oct 7, 2011 at 12:35 PM, Huzaifa Sidhpurwala
<huzaifas () redhat com> wrote:

On 10/07/2011 04:22 AM, Solar Designer wrote:


2) An arbitrary file overwrite flaw was found in radvd's
set_interface_var() function, where it did not check the interface name
(generated by the unprivileged user) and blindly overwrites a filename
with a decimal value by the root process.  If a local attacker could
create symlinks pointing to arbitrary files on the system, they could
overwrite the target file contents.  If only radvd is compromised (e.g.
no local access), the attacker may only overwrite files with specific
names only (PROC_SYS_IP6_* from radvd's pathnames.h). (CVE-2011-3602)


I am looking at the patch for this particular issue and it seems wrong to
me.

Patch:
https://github.com/reubenhwk/radvd/commit/92e22ca23e52066da2258df8c76a2dca8a428bcc

Shouldnt this be:

       /* No path traversal */
       if (strstr(iface, "..") || strchr(iface, '/'))
               return -1;


FWIW, this will reject too much;

/path/to/sth..jpg

-- 
Robert Święcki
Previous By Date Next
Previous By Thread Next

Current thread: