Re: sharutils: pending release of 4.6.3

[Pavel Roskin]

Hello!

On Sun, 2006-05-14 at 09:25 -0700, Bruce Korb wrote:
> Hi all,
> 
> Another drop of sharutils will be made in a few days. You can find the 
> "pre" here:
> 
> http://autogen.sourceforge.net/data/sharutils-4.6.3-pre1.tar.gz 
> <http://autogen.sourceforge.net/data/sharutils-4.6.3-pre1.tar.gz>

Obviously a private e-mail didn't work, so I need to be a bit more
public.

The snapshot is at pre3 now, but I see no fix for directory traversal in
uudecode:

http://www.xatrix.org/advisory.php?s=2390

"If an attacker can convince a user to invoke uudecode on a malicious
file without reviewing the included file name, the attacker can cause
the user to overwrite any file accessible by the user."

The fix currently employed in uudecode is inadequate.  It only protects
against writing to pipes and symlinks, but not to regular files (such
as /etc/passwd).  In fact, uudecode is so "friendly" that it expands
~user in untrusted filenames!

And I think freopen() is not exactly bullet-proof, as it closes the
file, giving the attacker a short window to replace it with a symlink.

I believe sharitils shouldn't be released with a well known security
hole.

I'm not exactly an expert in secure programming (I learned about
O_NOLINK as I was writing this e-mail), but if nobody can fix it, I'll
write a patch.

-- 
Regards,
Pavel Roskin