From: Javier Fernández-Sanguino Peña
Subject: [Tiger-user] WARNING: Security vulnerability discovered in Tiger's realpath
Date: Fri, 9 May 2003 20:49:36 +0200
User-agent: Mutt/1.5.3i

A security vulnerability has been detected by Steve Grub [1] in the 
c/realpath.c program which is distributed in all Tiger versions. The 
realpath function used did not properly limit the input to it, which could 
cause a buffer overflow. 

In some operating systems it might be possible to crash realpath if the
filesystem has a file which is checked by the Tiger scripts and has an
overlong filepath. A malicious local user might create such a path by
creating recursive directories in a directory where he has write access and
wait for a cron job to access it. It's not clear, however, if it would be
directly exploitable (the name of the file which overflows the buffer would
need to include characters which may not be permitted in the underlying
file system).

Realpath is used by some of Tiger checks including:
- the 'find_files' check which calls sub/check_link. This check will run if 
Tiger_Check_Filesystem is set to 'Y'.
- the 'check_aliases' check
- the 'check_cron' check
- the 'check_inetd' check
- the 'check_path' check
- the 'check_printcap' check

The only one of these checks that will browse the full filesystem is 
'find_files'; other checks' use of realpath is limited to the local system 
configuration.  Users who cannot patch Tiger (see below) have to consider 
temporarily disabling this check in the configuration files tigerrc and 
cronrc. Notice that this check is run by default from Tiger's cron setup 
once a month.

A patch for the current unstable version (from 3.0 to 3.2rc3) has been 
provided and is available from the CVS sources: 
http://savannah.nongnu.org/cgi-bin/viewcvs/tiger/tiger/c/realpath.c.diff?r1=1.1&r2=1.2
This patch will be included in the future 3.2 stable release.

Also, a patch for older versions (2.2.4) has been made available: 
http://savannah.nongnu.org/download/tiger/stable.pkg/2.2.4/tiger-2.2.4p1-patch2

I would like to thank Steve Grub for reporting this issue.


Javier Fernandez-Sanguino

[1] http://mail.gnu.org/archive/html/tiger-devel/2003-04/msg00001.html
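The bug class described above (a path resolver writing into a fixed-size buffer without checking that the resolved name fits) can be illustrated with a small bounded canonicalizer. The following is an added example for this archive page, not Tiger's c/realpath.c or the patch linked above; it only collapses "." and ".." lexically, requires an absolute input, and does not follow symlinks the way realpath(3) does. The names canon_path_bounded, canon_or_null and deep_sample_path are the example's own, and the deeply nested "/d/d/d/..." input is a constructed stand-in for the recursive directory tree a local user could create for a cron job to hit.

```c
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* Lexically canonicalize an absolute `path` into `out` (capacity outsz),
 * collapsing "//", "/./" and "/../". Returns 0 on success; -1 with
 * errno = ENAMETOOLONG when the result would not fit, or EINVAL for a
 * relative path or a useless buffer. Every write is preceded by a
 * bounds check, which is the part the advisory says was missing. */
int canon_path_bounded(const char *path, char *out, size_t outsz)
{
    if (outsz < 2 || path == NULL) { errno = EINVAL; return -1; }
    if (path[0] != '/') { errno = EINVAL; return -1; }   /* lexical only */

    size_t len = 1;              /* out always starts as "/" */
    out[0] = '/';
    const char *p = path;
    while (*p) {
        while (*p == '/') p++;                      /* skip separators */
        const char *start = p;
        while (*p && *p != '/') p++;
        size_t clen = (size_t)(p - start);
        if (clen == 0) break;                       /* trailing slash */
        if (clen == 1 && start[0] == '.') continue; /* "." is a no-op */
        if (clen == 2 && start[0] == '.' && start[1] == '.') {
            /* ".." pops the last component; at the root it is a no-op */
            while (len > 1 && out[len - 1] != '/') len--;
            if (len > 1) len--;
            continue;
        }
        /* separator (unless at root) + component + NUL must fit */
        size_t need = len + (len > 1 ? 1 : 0) + clen + 1;
        if (need > outsz) { errno = ENAMETOOLONG; return -1; }
        if (len > 1) out[len++] = '/';
        memcpy(out + len, start, clen);
        len += clen;
    }
    out[len] = '\0';
    return 0;
}

/* Convenience wrapper: canonical form in a static PATH_MAX buffer,
 * or NULL (errno set) when the input is rejected. */
const char *canon_or_null(const char *path)
{
    static char out[PATH_MAX];
    return canon_path_bounded(path, out, sizeof out) == 0 ? out : NULL;
}

/* Constructed sample input: `depth` nested directories named "d",
 * the kind of over-long path a local user can build incrementally
 * even though no single open() would accept it. */
const char *deep_sample_path(size_t depth)
{
    static char buf[2 * PATH_MAX];
    size_t len = 0;
    for (size_t i = 0; i < depth && len + 2 < sizeof buf; i++) {
        buf[len++] = '/';
        buf[len++] = 'd';
    }
    buf[len] = '\0';
    return buf;
}

int main(void)
{
    const char *ok = canon_or_null("/usr/lib/../bin/./tiger");
    printf("normal:   %s\n", ok ? ok : "rejected");

    const char *deep = deep_sample_path(3000);       /* ~6000 bytes */
    const char *r = canon_or_null(deep);
    printf("overlong: %s (errno=%d)\n", r ? r : "rejected", r ? 0 : errno);
    return 0;
}
```

The check is done in bytes before each memcpy rather than by trusting that a filesystem path can never exceed PATH_MAX; the advisory's scenario works precisely because nested directories can be created one level at a time. On current POSIX systems the simpler fix is to call realpath(path, NULL), which allocates a buffer of the right size, and to treat ENAMETOOLONG as a skip rather than a crash.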
