bug-gnu-utils

Re: sharutils: pending release of 4.6.3


From: Bruce Korb
Subject: Re: sharutils: pending release of 4.6.3
Date: Wed, 17 May 2006 15:54:04 -0700

Hi Pavel,

> Obviously a private e-mail didn't work, so I need to be a bit more public.

Oops.  Sorry the email did not work.

> .... I see no fix for directory traversal in uudecode:
>
> http://www.xatrix.org/advisory.php?s=2390
>
> "If an attacker can convince a user to invoke uudecode on a malicious
> file without reviewing the included file name, the attacker can cause
> the user to overwrite any file accessible by the user."
>
> The fix currently employed in uudecode is inadequate.  It only protects
> against writing to pipes and symlinks, but not to regular files (such
> as /etc/passwd).  In fact, uudecode is so "friendly" that it expands
> ~user in untrusted filenames!
>
> And I think freopen() is not exactly bullet-proof, as it closes the
> file, giving the attacker a short window to replace it with a symlink.
>
> I believe sharutils shouldn't be released with a well known security
> hole.
>
> I'm not exactly an expert in secure programming (I learned about
> O_NOLINK as I was writing this e-mail), but if nobody can fix it, I'll
> write a patch.

"O_NOLINK" would have to be tested for at compile time.
There is also a missing man page, apparently.  (Debian requires a
man page for everything that can be invoked at the command line.)
So, if you're willing to write the patch, please do so and I will happily
incorporate it.  I'll do the man page shortly.  CVS access info is here:

http://savannah.gnu.org/cvs/?group=sharutils

Thanks for your help.  Regards, Bruce
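
An added example, not part of the original message or of sharutils: one way to treat the file name in a uuencode `begin` line as untrusted input, with the no-follow flag tested at compile time as the reply says it must be. The function names and the rejection policy are assumptions, and POSIX `O_NOFOLLOW` stands in for the flag the message calls `O_NOLINK`.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>

#ifndef O_NOFOLLOW      /* compile-time test for the flag */
# define O_NOFOLLOW 0   /* platform lacks it: O_EXCL below still applies */
#endif

/* Parse "begin <octal mode> <name>"; 0 on success, -1 otherwise. */
int parse_begin(const char *line, unsigned *mode, char name[256])
{
    return sscanf(line, "begin %o %255[^\r\n]", mode, name) == 2 ? 0 : -1;
}

/* Assumed policy: relative names only, no "~" expansion, no ".." component. */
int name_is_safe(const char *name)
{
    if (*name == '\0' || *name == '/' || *name == '~')
        return 0;
    for (const char *p = name; *p; ) {
        size_t len = strcspn(p, "/");
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 0;
        p += len + (p[len] == '/');
    }
    return 1;
}

/* Returns an fd for a newly created output file, or -1 if refused. */
int open_decoded_output(const char *line)
{
    unsigned mode;
    char name[256];
    if (parse_begin(line, &mode, name) != 0 || !name_is_safe(name))
        return -1;
    /* O_EXCL: never overwrite; it also fails if the last component is a symlink. */
    return open(name, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, mode & 0666);
}

int main(void)
{
    /* Constructed header lines, not taken from any real archive. */
    const char *s[] = { "begin 644 notes.txt", "begin 644 /etc/passwd",
                        "begin 644 ~root/.profile", "begin 644 ../x" };
    for (size_t i = 0; i < 4; i++) {
        unsigned mode; char name[256];
        int ok = parse_begin(s[i], &mode, name) == 0 && name_is_safe(name);
        printf("%-26s %s\n", s[i], ok ? "accept" : "reject");
    }
    return 0;
}
```

`O_EXCL` and `O_NOFOLLOW` only cover the final path component, so a symlinked intermediate directory is not caught by this open call alone.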



