CVE-2010-2061 and CVE-2010-2064
Hi,
I am looking at those issues that are related, see:
http://www.openwall.com/lists/oss-security/2010/06/08/3
https://bugzilla.redhat.com/show_bug.cgi?id=599697#c7
The first one is marked as "fixed" here:
http://security-tracker.debian.org/tracker/CVE-2010-2061
However, the second one is marked as "undetermined" here:
http://security-tracker.debian.org/tracker/CVE-2010-2064
I looked at the code in warmstart.c and found that rpcbind uses fopen()
to open XDR files in /tmp and then the xdrstdio_create() function that
reuses the file descriptor returned by fopen().
Fixing CVE-2010-2064 would require using open() and some flags instead
of fopen(), since there is no way to detect a symlink with fopen().
It would then be impossible (or at least difficult) to use the xdr*()
functions with the file descriptor returned by open().
Therefore fixing CVE-2010-2064 would require large changes which are
outside the scope of a simple security fix.
The proposed workaround to use XDR files in /var/run instead of /tmp is
therefore a simple and effective fix and is IMHO sufficient to also fix
CVE-2010-2064.
BTW, the fix for CVE-2010-2061 could have been done with defensive
coding (checking the UID of files) but has been done with a simple
directory change.
--
Laurent Bonnaud.
http://www.gipsa-lab.inpg.fr/page_pro.php?vid=96
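The open()-with-flags approach the post refers to, as an added example (editor's code, not the author's and not rpcbind's warmstart.c): open() with O_NOFOLLOW refuses to follow a symlink, fstat() on the returned descriptor (rather than stat() on the path, so there is no window to race) checks that the object is a regular file with the expected owner, which is the "checking the UID of files" defensive coding the post mentions, and fdopen() hands the descriptor back to stdio as the FILE* that xdrstdio_create() takes. The file names, the 0600 mode and the self-check's temporary directory are assumptions made for the demo.

```c
/* Added example, not code from the post or from rpcbind: open a state file
 * without following symlinks, verify it with fstat(), and convert the
 * descriptor to a FILE* with fdopen() so stdio-based code such as
 * xdrstdio_create(&xdrs, fp, XDR_DECODE) can consume it unchanged. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open `path` read-only, refusing symlinks and anything that is not a
 * regular file owned by `owner` with a single link. Returns a FILE* or
 * NULL with errno set. A hard link planted by another user would show
 * up here as st_nlink > 1 and/or a foreign st_uid. */
FILE *open_state_file_for_read(const char *path, uid_t owner)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return NULL;                 /* ELOOP (Linux): path was a symlink */

    struct stat st;
    if (fstat(fd, &st) < 0) {        /* check the fd we hold, not the path */
        int e = errno; close(fd); errno = e;
        return NULL;
    }
    if (!S_ISREG(st.st_mode) || st.st_uid != owner || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return NULL;
    }
    FILE *fp = fdopen(fd, "r");      /* same fd, now usable by stdio/XDR */
    if (!fp) { int e = errno; close(fd); errno = e; }
    return fp;
}

/* Create `path` for writing. O_CREAT|O_EXCL fails if anything already
 * exists at that name, symlink or not, so a pre-planted link cannot
 * redirect the write. Mode 0600 keeps the file private (assumed). */
FILE *create_state_file_for_write(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0)
        return NULL;
    FILE *fp = fdopen(fd, "w");
    if (!fp) { int e = errno; close(fd); errno = e; }
    return fp;
}

/* Self-check in a fresh temporary directory (constructed for the demo):
 * create a state file, plant a symlink to it, and confirm the reader
 * accepts the file but rejects the symlink. Returns 0 on success,
 * otherwise the number of the step that failed. */
int self_check(void)
{
    char dir[] = "/tmp/statefile.XXXXXX";
    char real[PATH_MAX], lnk[PATH_MAX];
    FILE *w = NULL, *r = NULL;
    int rc = 0;

    if (!mkdtemp(dir))
        return 1;
    snprintf(real, sizeof real, "%s/state", dir);
    snprintf(lnk, sizeof lnk, "%s/state.link", dir);

    if (!(w = create_state_file_for_write(real))) { rc = 2; goto out; }
    fputs("constructed state record\n", w);
    fclose(w);
    /* a second exclusive create must fail: the name is taken */
    if (create_state_file_for_write(real) != NULL) { rc = 3; goto out; }
    if (symlink(real, lnk) < 0) { rc = 4; goto out; }
    if (!(r = open_state_file_for_read(real, getuid()))) { rc = 5; goto out; }
    fclose(r);
    /* the symlink is refused even though its target is our own file */
    if (open_state_file_for_read(lnk, getuid()) != NULL) { rc = 6; goto out; }
    if (errno != ELOOP && errno != EMLINK) { rc = 7; goto out; }  /* EMLINK on BSD */
out:
    unlink(lnk); unlink(real); rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = self_check();
    printf("self_check: %s (rc=%d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc;
}
```

The key point is that the symlink check lives in open()/fstat(), while the XDR code keeps seeing a FILE*; only the fopen() call at the start of the read/write path changes.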