File bnc721968_2.patch of Package radvd.import5316

Overview Repositories Revisions Requests Users Attributes Meta

File bnc721968_2.patch of Package radvd.import5316

References: CVE-2011-3602, bnc#721968
commit 92e22ca23e52066da2258df8c76a2dca8a428bcc
Author: Vasiliy Kulikov <segoon@openwall.com>
Date:   Tue Oct 4 00:33:15 2011 -0700

set_interface_var() doesn't check interface name and blindly does
    fopen(path "/" ifname, "w") on it.  As "ifname" is an untrusted input, it
    should be checked for ".." and/or "/" in it.  Otherwise, an infected
    unprivileged daemon may overwrite contents of file named "mtu",
    "hoplimit", etc. in arbitrary location with arbitrary 32-bit value in
    decimal representation ("%d").  If an attacker has a local account or
    may create arbitrary symlinks with these names in any location (e.g.
    /tmp), any file may be overwritten with a decimal value.

commit 7a1471b62da88373e8f4209d503307c5d841b81f
Author: Vasiliy Kulikov <segoon@openwall.com>
Date:   Sat Oct 8 09:26:58 2011 -0700

checking iface name more carefully
    
    modified:   device-linux.c

Index: radvd-1.3/device-linux.c
===================================================================
--- radvd-1.3.orig/device-linux.c	2008-01-24 18:08:46.000000000 +0100
+++ radvd-1.3/device-linux.c	2011-10-19 12:17:33.000000000 +0200
@@ -237,6 +237,10 @@ set_interface_var(const char *iface,
 	if (snprintf(spath, sizeof(spath), var, iface) >= sizeof(spath))
 		return -1;
 
+	/* No path traversal */
+	if (!iface[0] || !strcmp(iface, ".") || !strcmp(iface, "..") || strchr(iface, '/'))
+		return -1;
+
 	if (access(spath, F_OK) != 0)
 		return -1;

Places

File bnc721968_2.patch of Package radvd.import5316

Places