Full Disclosure: Re: Symlink vulnerabilities

Re: Symlink vulnerabilities

From: vladz <vladz () devzero fr>
Date: Sun, 23 Oct 2011 20:55:33 +0200

On Fri, Oct 21, 2011 at 07:59:59PM -0400, bugs () fbi dhs org wrote:

bzexe utility:

/bin/bzexe:tmp=gz$$
/bin/bzexe:rm -f zfoo[12]$$


I reported this one several months ago (in some conditions it could lead
to a root exploit) and provided an easy solution, but no updates:

  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=632862

-- 
http://vladz.devzero.fr
PGP key 8F7E2D3C from pgp.mit.edu

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

By Date By Thread

Current thread:

Re: Symlink vulnerabilities, (continued)
- Re: Symlink vulnerabilities Tavis Ormandy (Oct 22)
  - Re: Symlink vulnerabilities bugs (Oct 22)
    - Re: Symlink vulnerabilities Leon Kaiser (Oct 24)
    - Re: Symlink vulnerabilities bugs (Oct 24)
- Re: Symlink vulnerabilities vladz (Oct 24)
  - Re: Symlink vulnerabilities xD 0x41 (Oct 25)
    - Re: Symlink vulnerabilities Tavis Ormandy (Oct 25)
    - Re: Symlink vulnerabilities bugs (Oct 25)
    - Re: Symlink vulnerabilities Tavis Ormandy (Oct 25)
    - Re: Symlink vulnerabilities xD 0x41 (Oct 25)
    - Re: Symlink vulnerabilities Michal Zalewski (Oct 25)
    - Re: Symlink vulnerabilities xD 0x41 (Oct 25)
    - Re: Symlink vulnerabilities Valdis . Kletnieks (Oct 25)
    - Re: Symlink vulnerabilities xD 0x41 (Oct 25)
    - Re: Symlink vulnerabilities Tavis Ormandy (Oct 25)
(Thread continues...)