Re: d_path() truncating excessive long path name vulnerability
From: Solar Designer (solar@openwall.com)
Date: 11/28/02
- Previous message: Vagner Sacramento: "RE: CAIS-ALERT: Vulnerability in the sending requests control of BIND"
- In reply to: Paul Szabo: "Re: d_path() truncating excessive long path name vulnerability"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 28 Nov 2002 21:00:41 +0300 From: Solar Designer <solar@openwall.com> To: Paul Szabo <psz@maths.usyd.edu.au>
On Wed, Nov 27, 2002 at 01:04:04PM +1100, Paul Szabo wrote:
> Back in March 2002, Wojciech Purczynski <cliph@isec.pl> wrote (original
> article at http://online.securityfocus.com/archive/1/264117 ):
>
> > Name: Linux kernel
> > Version: up to 2.2.20 and 2.4.18
> > ...
> > In case of excessively long path names d_path kernel internal function
> > returns truncated trailing components of a path name instead of an error
> > value. As this function is called by getcwd(2) system call and
> > do_proc_readlink() function, false information may be returned to
> > user-space processes.
>
> The problem is still present in Debian 2.4.19 kernel. I have not tried 2.5,
> but see nothing relevant in the Changelogs at http://www.kernel.org/ .
FWIW, I've included a workaround for this (covering the getcwd(2) case
only, not other uses of d_path() by the kernel or modules) in 2.2.21-ow1
patch and it went into 2.2.22 release in September.
This kind of proves the need for double-checking newer kernel branches
(2.4.x and 2.5.x currently) for fixes going into what many consider
stable kernels.
-- /sd
- Next message: vALDEUx@aol.com: "Security Patch for PortailPHP 0.99"
- Previous message: Vagner Sacramento: "RE: CAIS-ALERT: Vulnerability in the sending requests control of BIND"
- In reply to: Paul Szabo: "Re: d_path() truncating excessive long path name vulnerability"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
