Re: radvd 1.8.2 released with security fixes

[Vasiliy Kulikov <segoon () openwall com>]

On Tue, Oct 11, 2011 at 23:26 -0700, Reuben Hawkins wrote:
> On Sat, Oct 8, 2011 at 9:55 AM, Vasiliy Kulikov <segoon () openwall com> wrote:
> > On Fri, Oct 07, 2011 at 15:41 +0100, John Haxby wrote:
> > > On 07/10/11 14:03, Robert Święcki wrote:
> > > > On Fri, Oct 7, 2011 at 12:35 PM, Huzaifa Sidhpurwala
> > > > <huzaifas () redhat com> wrote:
> > > > > Shouldnt this be:
> > > > >
> > > > >        /* No path traversal */
> > > > >        if (strstr(iface, "..") || strchr(iface, '/'))
> > > > >                return -1;
> > > > FWIW, this will reject too much;
> > > >
> > > > /path/to/sth..jpg
> > >
> > > Indeed, since I don't believe that iface can reasonably include a "/"
> > > its sufficient to check for that.   If not then you need to check for
> > > "../" at the beginning of iface and "/.." anywhere else in it.   But
> > > simply forbidding "/" should be fine.
> >
> > Crap, thank you for noticing it, guys.  The fix should be:
> >
> > https://github.com/reubenhwk/radvd/commit/7a1471b62da88373e8f4209d503307c5d841b81f
> >
> > Now, "", "..", "." and filenames with "/" inside are denied.
> >
> >
> > Thanks,
> >
> > --
> > Vasiliy Kulikov
> > http://www.openwall.com - bringing security into open computing environments
>
> Are y'all waiting on me to release 1.8.3 with the latest fix?

If nobody has any complains about the fix, I think it's the right
thing to do - the bug greatly weakens the role of privsep.  It's a good
reason for the release.

Thanks,

-- 
Vasiliy Kulikov
http://www.openwall.com - bringing security into open computing environments