Re: radvd 1.8.2 released with security fixes

[Robert Święcki <robert () swiecki net>]

On Fri, Oct 7, 2011 at 12:35 PM, Huzaifa Sidhpurwala
<huzaifas () redhat com> wrote:
> On 10/07/2011 04:22 AM, Solar Designer wrote:
> > 2) An arbitrary file overwrite flaw was found in radvd's
> > set_interface_var() function, where it did not check the interface name
> > (generated by the unprivileged user) and blindly overwrites a filename
> > with a decimal value by the root process.  If a local attacker could
> > create symlinks pointing to arbitrary files on the system, they could
> > overwrite the target file contents.  If only radvd is compromised (e.g.
> > no local access), the attacker may only overwrite files with specific
> > names only (PROC_SYS_IP6_* from radvd's pathnames.h). (CVE-2011-3602)
>
> I am looking at the patch for this particular issue and it seems wrong to
> me.
>
> Patch:
> https://github.com/reubenhwk/radvd/commit/92e22ca23e52066da2258df8c76a2dca8a428bcc
>
> Shouldnt this be:
>
>        /* No path traversal */
>        if (strstr(iface, "..") || strchr(iface, '/'))
>                return -1;

FWIW, this will reject too much;

/path/to/sth..jpg

-- 
Robert Święcki