
CVE-2010-2061 and CVE-2010-2064



Hi,

I am looking at those issues that are related, see:

  http://www.openwall.com/lists/oss-security/2010/06/08/3
  https://bugzilla.redhat.com/show_bug.cgi?id=599697#c7

The first one is marked as "fixed" here:

  http://security-tracker.debian.org/tracker/CVE-2010-2061

However, the second one is marked as "undetermined" here:

  http://security-tracker.debian.org/tracker/CVE-2010-2064

I looked at the code in warmstart.c and found that rpcbind uses fopen()
to open XDR files in /tmp and then the xdrstdio_create() function that
reuses the file descriptor returned by fopen().

Fixing CVE-2010-2064 would require using open() and some flags instead
of fopen(), since there is no way to detect a symlink with fopen().

It would then be impossible (or at least difficult) to use the xdr*()
functions with the file descriptor returned by open().

Therefore fixing CVE-2010-2064 would require large changes which are
outside the scope of a simple security fix.

The proposed workaround to use XDR files in /var/run instead of /tmp is
therefore a simple and effective fix and is IMHO sufficient to also fix
CVE-2010-2064.

BTW, the fix for CVE-2010-2061 could have been done with defensive
coding (checking the UID of files) but has been done with a simple
directory change.

-- 
Laurent Bonnaud.
http://www.gipsa-lab.inpg.fr/page_pro.php?vid=96
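One defensive pattern for the fopen()/xdrstdio_create() problem discussed in the message above, added here as an example that is not code from the message or from rpcbind: open the state file with O_NOFOLLOW, verify the descriptor with fstat() before truncating, and use fdopen() to get the FILE* that xdrstdio_create() expects. The file names and the self-check function are constructed for the example, and the XDR call itself is left out so the block builds with standard headers only.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open a state file for writing without following a symlink at the final
 * path component (O_NOFOLLOW), then confirm via fstat() that we hold a
 * regular file owned by the effective UID before truncating it. fdopen()
 * turns the checked descriptor into a FILE*, the type xdrstdio_create()
 * takes. Returns NULL with errno set on failure. */
FILE *open_state_file(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0)
        return NULL;                       /* a symlink fails with ELOOP */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)
        || st.st_uid != geteuid() || ftruncate(fd, 0) != 0) {
        close(fd);
        errno = EPERM;
        return NULL;
    }
    FILE *fp = fdopen(fd, "w");
    if (fp == NULL)
        close(fd);
    return fp;
}

/* Self-check in a fresh private directory (constructed names): a regular
 * file opens, but a symlink pointing at it is refused with ELOOP.
 * Returns 0 on success, a nonzero step number on failure. */
int check_state_file_open(void)
{
    char dir[] = "/tmp/statefile-XXXXXX";
    if (mkdtemp(dir) == NULL)
        return 1;
    char reg[64], lnk[64];
    snprintf(reg, sizeof reg, "%s/state.xdr", dir);
    snprintf(lnk, sizeof lnk, "%s/link.xdr", dir);
    FILE *fp = open_state_file(reg);
    if (fp == NULL)
        return 2;
    fclose(fp);
    if (symlink(reg, lnk) != 0)
        return 3;
    int rc = (open_state_file(lnk) == NULL && errno == ELOOP) ? 0 : 4;
    unlink(lnk); unlink(reg); rmdir(dir);
    return rc;
}
```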


