oss-sec mailing list archives

Re: radvd 1.8.2 released with security fixes

From: John Haxby <john.haxby () oracle com>
Date: Fri, 07 Oct 2011 15:41:23 +0100

On 07/10/11 14:03, Robert Święcki wrote:

On Fri, Oct 7, 2011 at 12:35 PM, Huzaifa Sidhpurwala
<huzaifas () redhat com> wrote:

Shouldnt this be:

       /* No path traversal */
       if (strstr(iface, "..") || strchr(iface, '/'))
               return -1;

FWIW, this will reject too much;

/path/to/sth..jpg


Indeed, since I don't believe that iface can reasonably include a "/"
its sufficient to check for that.   If not then you need to check for
"../" at the beginning of iface and "/.." anywhere else in it.   But
simply forbidding "/" should be fine.

jch

Current thread:

radvd 1.8.2 released with security fixes Solar Designer (Oct 06)
- Re: radvd 1.8.2 released with security fixes Huzaifa Sidhpurwala (Oct 07)
  - Re: radvd 1.8.2 released with security fixes Robert Święcki (Oct 07)
    - Re: radvd 1.8.2 released with security fixes John Haxby (Oct 07)
    - Re: radvd 1.8.2 released with security fixes Vasiliy Kulikov (Oct 08)
    - Re: radvd 1.8.2 released with security fixes Reuben Hawkins (Oct 11)
    - Re: radvd 1.8.2 released with security fixes Vasiliy Kulikov (Oct 12)
    - Re: radvd 1.8.2 released with security fixes Vasiliy Kulikov (Oct 12)
    - Ruby 3.0.10 WEBrick::HTTPRequest X-Forwarded-* Kurt Seifried (Oct 12)
    - Re: radvd 1.8.2 released with security fixes Reuben Hawkins (Oct 14)
- Re: radvd 1.8.2 released with security fixes Huzaifa Sidhpurwala (Oct 13)
  - Re: radvd 1.8.2 released with security fixes Solar Designer (Oct 13)
    - Re: radvd 1.8.2 released with security fixes Huzaifa Sidhpurwala (Oct 13)
    - Re: radvd 1.8.2 released with security fixes Vasiliy Kulikov (Oct 14)

(Thread continues...)