mailing list archives
Re: CVE Request: PEAR Installer 1.9.1 <= - Symlink Attack
From: Helgi Þormar Þorbjörnsson <helgith () gmail com>
Date: Tue, 8 Mar 2011 23:20:28 +0000
On 1 Mar 2011, at 12:39, Helgi Þormar Þorbjörnsson wrote:
On 1 Mar 2011, at 12:19, Dan Rosenberg wrote:
Not sure it is fixable, or maybe using a lock on the symbolic link
while fetching its target (to be tested to be sure that such locks
cannot be overridden from shell).
The easiest way is to just open the target with the O_NOFOLLOW flag to
avoid following symlinks and abort on failure. If you need to support
systems that don't have this flag, then perhaps you could consider
using an application-specific temporary directory instead of operating
in the world-writable /tmp.
The PEAR installer does use /tmp (and whatever the Windows equivalent is) by default unless the user opts into a
local installation or does indeed change the configuration to use other temp/download/cache directories so users can
guard themselves with a good setup.
A flag like that would be handy but doesn't exist (yet) in PHP.
I moved over to using the O_CREAT|O_EXCL equivalent in PHP when creating new files and lstat + fopen + fstat and
comparing mode/ino/dev before writing to an existing file for the cache. I could add an nlink check to that as well.
The current version I've been playing around with is located at https://gist.github.com/848371 - It is missing the
nlink part but it should be able to deal with TOCTOU problems. That code snippet hasn't been committed as I consider
it work-in-progress still.
Any comments / suggestions are welcome, I did write that one quite late last night :-)
Here is the latest fix for the TOCTOU (e.g. time-of-check-time-of-use) problem: http://news.php.net/php.pear.core/9791
- A proper mix of lstat, fopen, fstat (to ensure no one has messed around with the file pointer between the check and
getting the handler) as well as adding in a nlink check to make sure it is 1.
Hopefully this is enough to fix the problem you had with my earlier fixes and get me the CVE number.
Re: CVE Request: PEAR Installer 1.9.1 <= - Symlink Attack Josh Bressers (Feb 28)