Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAD_8n+QMfYXNrxzGHhfA35trvjoCsPYNws+Q9xx_UyDzSw2r6w@mail.gmail.com>
Date: Tue, 11 Oct 2011 23:26:55 -0700
From: Reuben Hawkins <reubenhwk@...il.com>
To: Vasiliy Kulikov <segoon@...nwall.com>
Cc: oss-security@...ts.openwall.com
Subject: Re: radvd 1.8.2 released with security fixes

On Sat, Oct 8, 2011 at 9:55 AM, Vasiliy Kulikov <segoon@...nwall.com> wrote:
> On Fri, Oct 07, 2011 at 15:41 +0100, John Haxby wrote:
>> On 07/10/11 14:03, Robert Święcki wrote:
>> > On Fri, Oct 7, 2011 at 12:35 PM, Huzaifa Sidhpurwala
>> > <huzaifas@...hat.com> wrote:
>> >> Shouldnt this be:
>> >>
>> >>        /* No path traversal */
>> >>        if (strstr(iface, "..") || strchr(iface, '/'))
>> >>                return -1;
>> > FWIW, this will reject too much;
>> >
>> > /path/to/sth..jpg
>> >
>>
>> Indeed, since I don't believe that iface can reasonably include a "/"
>> its sufficient to check for that.   If not then you need to check for
>> "../" at the beginning of iface and "/.." anywhere else in it.   But
>> simply forbidding "/" should be fine.
>
> Crap, thank you for noticing it, guys.  The fix should be:
>
> https://github.com/reubenhwk/radvd/commit/7a1471b62da88373e8f4209d503307c5d841b81f
>
> Now, "", "..", "." and filenames with "/" inside are denied.
>
>
> Thanks,
>
> --
> Vasiliy Kulikov
> http://www.openwall.com - bringing security into open computing environments
>

Are y'all waiting on me to release 1.8.3 with the latest fix?

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.