On Sun, 25 Oct 2009, Pavel Kankovsky wrote:
> pavel might have detected this attack if he checked the number of
> hardlinks on "unwritable_file" between the chmod's. But he did not
> check that.
I stand corrected. He did it--in a comment:
> # check link count on unwritable_file. We would not want someone
> # to have a hard link to work around our permissions, would we?
(because their ambiguity is optimized away) and something rather
convoluted like ^((a{1,2}){1,2}){1,10}$ is needed to trigger
backtracking. See "Backtracking" in perlre manpage.
--
Pavel Kankovsky aka Peak / Jeremiah 9:21 \
"For death is come up into our MS Windows(tm)..." \ 21st century edition /
Yes, procfs makes it possible to circumvent directory permissions
but it does not mean you are not playing with an armed grenade whenever
you mix chmod with the number of the Beast.
--
Pavel Kankovsky aka Peak / Jeremiah 9:21 \
"For death is come up into our MS Windows(tm)..." \ 21st century edition /
I wonder what kind of fix has been released. Does anyone think they solved
the REAL problem?
--
Pavel Kankovsky aka Peak / Jeremiah 9:21 \
"For death is come up into our MS Windows(tm)..." \ 21st century edition /
Oops. "PCRE" in my response should have read "Perl". PCRE implementation
is different from the implementation included in Perl--and rather
ironically it seems PCRE is vulnerable.
--
Pavel Kankovsky aka Peak / Jeremiah 9:21 \
"For death is come up into our MS Windows(tm)..." \ 21st century edition /
(And curmode &= ~O_RDONLY is not correct, see the rationale for
open().)
--
Pavel Kankovsky aka Peak / Jeremiah 9:21 \
"For death is come up into our MS Windows(tm)..." \ 21st century edition /