symbolic links
automatically on system boot/shutdown.
II. Problem Description
In multiple situations the host's jail rc.d(8) script does not check if
a path inside the jail file system structure is a symbolic link before
using the path. In particular this is the case when writing the
output from the jail start-up to /var/log/console.log and when
mounting and unmounting file systems inside the jail directory
structure.
On some systems an attacker can hardlink a root-owned symlink to
for example /var/mail, and cause Postfix to append mail to existing
files that are owned by root or non-root accounts. This can happen
on operating systems with specific non-standard behavior.
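The jail rc.d(8) and Postfix descriptions above both come down to the same mistake: opening a path of which an unprivileged user controls a component, and trusting whatever the kernel resolves it to. The C program below is an added example, not code from FreeBSD or Postfix. It walks the path component by component with O_NOFOLLOW, so that a symlink anywhere in the path (not only at the last component) is refused, and then fstat()s the descriptor it actually holds to reject hard links and files owned by someone else, which is the variant the Postfix text describes. The helper names open_beneath, check_opened_file and demo, and the constructed tree under /tmp, are assumptions of this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open relpath beneath rootfd without following a symlink at ANY component
 * (a bare O_NOFOLLOW only covers the last one) and without letting ".."
 * climb out of the tree. Assumed helper, not FreeBSD or Postfix code. */
int open_beneath(int rootfd, const char *relpath, int flags, mode_t mode)
{
    char buf[PATH_MAX];
    if (strlen(relpath) >= sizeof buf) { errno = ENAMETOOLONG; return -1; }
    strcpy(buf, relpath);
    int dirfd = dup(rootfd);
    if (dirfd < 0) return -1;
    char *save, *comp = strtok_r(buf, "/", &save);
    while (comp != NULL) {
        char *next = strtok_r(NULL, "/", &save);
        if (strcmp(comp, "..") == 0) { close(dirfd); errno = EACCES; return -1; }
        int fd = (next != NULL)   /* intermediate: must be a real directory */
            ? openat(dirfd, comp, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC)
            : openat(dirfd, comp, flags | O_NOFOLLOW | O_NOCTTY | O_CLOEXEC, mode);
        int saved = errno;
        close(dirfd);
        if (fd < 0) { errno = saved; return -1; }
        dirfd = fd;
        comp = next;
    }
    return dirfd;   /* an empty relpath yields a dup of rootfd */
}

/* Race-free post-open check on the descriptor we actually hold: a plain
 * file, exactly one link, owned by the expected user. This is what catches
 * the hard-link variant, where O_NOFOLLOW is satisfied but st_nlink is 2. */
int check_opened_file(int fd, uid_t owner)
{
    struct stat st;
    if (fstat(fd, &st) < 0) return -1;
    if (!S_ISREG(st.st_mode)) { errno = EINVAL; return -1; }
    if (st.st_nlink != 1)    { errno = EMLINK; return -1; }
    if (st.st_uid != owner)  { errno = EPERM;  return -1; }
    return 0;
}

/* Builds a constructed jail-like tree under mkdtemp() and runs five cases.
 * Returns the number of cases that misbehaved; 0 means all as expected. */
int demo(void)
{
    char tmpl[] = "/tmp/symlinkdemo.XXXXXX", target[PATH_MAX];
    char *root = mkdtemp(tmpl);
    if (root == NULL) return 99;
    int rootfd = open(root, O_RDONLY | O_DIRECTORY);
    mkdirat(rootfd, "var", 0755);
    mkdirat(rootfd, "var/log", 0755);
    mkdirat(rootfd, "outside", 0755);           /* stands in for the host fs */
    close(openat(rootfd, "var/log/console.log", O_WRONLY | O_CREAT, 0644));
    close(openat(rootfd, "var/log/secret", O_WRONLY | O_CREAT, 0600));
    close(openat(rootfd, "outside/console.log", O_WRONLY | O_CREAT, 0644));
    snprintf(target, sizeof target, "%s/outside/console.log", root);
    symlinkat(target, rootfd, "var/log/evil.log");      /* attacker's symlink */
    snprintf(target, sizeof target, "%s/outside", root);
    symlinkat(target, rootfd, "var/linkdir");           /* symlinked directory */
    linkat(rootfd, "var/log/secret", rootfd, "var/log/hard.log", 0);

    int bad = 0, fd;
    /* 1: the real log file opens and passes the post-open check */
    fd = open_beneath(rootfd, "var/log/console.log", O_WRONLY | O_APPEND, 0);
    if (fd < 0 || check_opened_file(fd, getuid()) != 0) bad++;
    if (fd >= 0) close(fd);
    /* 2: a symlink as the final component is refused */
    if (open_beneath(rootfd, "var/log/evil.log", O_WRONLY | O_APPEND, 0) >= 0) bad++;
    /* 3: a symlink as an intermediate component is refused too */
    if (open_beneath(rootfd, "var/linkdir/console.log", O_WRONLY | O_APPEND, 0) >= 0) bad++;
    /* 4: the hard link opens (it is a plain file) but fails the link count */
    fd = open_beneath(rootfd, "var/log/hard.log", O_WRONLY | O_APPEND, 0);
    if (fd < 0 || check_opened_file(fd, getuid()) == 0) bad++;
    if (fd >= 0) close(fd);
    /* 5: ".." cannot climb out of the tree */
    if (open_beneath(rootfd, "var/../../etc/passwd", O_RDONLY, 0) >= 0) bad++;

    const char *gone[] = { "var/log/hard.log", "var/log/secret", "var/log/evil.log",
                           "var/log/console.log", "var/linkdir", "outside/console.log" };
    for (size_t i = 0; i < sizeof gone / sizeof gone[0]; i++) unlinkat(rootfd, gone[i], 0);
    unlinkat(rootfd, "var/log", AT_REMOVEDIR);
    unlinkat(rootfd, "var", AT_REMOVEDIR);
    unlinkat(rootfd, "outside", AT_REMOVEDIR);
    close(rootfd);
    rmdir(root);
    return bad;
}

int main(void) { return demo(); }
```

The errno for a refused symlink differs between systems (ELOOP on Linux), so callers should test the return value rather than a particular errno. On Linux 5.6 and later openat2() with RESOLVE_BENEATH|RESOLVE_NO_SYMLINKS, and on FreeBSD O_RESOLVE_BENEATH, do the component walk in the kernel; the fstat() check after the open is still needed with either, since neither flag says anything about link counts or ownership.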
Symlinks (symbolic links) implement aliasing for UNIX pathnames.
They were introduced with 4.2BSD UNIX in 1983, and were adopted by
other UNIX systems in the course of time. Hardlinks are older and
implement the primary mechanism for accessing file system objects.
In some UNIX systems, the link(symlink, newpath) operation has
_______________________________________________________________________
Problem Description:
Sebastian Krahmer of the SUSE Security Team discovered a flaw in
the way Postfix dereferenced symbolic links. If a local user had
write access to a mail spool directory without a root mailbox file,
it could be possible for them to append arbitrary data to files that
root had write permissions to (CVE-2008-2936).
The updated packages have been patched to correct this issue.
==Description==
Deliver (http://deliver.sourceforge.net/), a mail delivery program installed
suid root as /usr/bin/deliver, is vulnerable to several race conditions that
can be exploited by a local attacker using symbolic links. On systems using
Deliver over NFS, these attacks can result in gaining root privileges via
taking ownership of critical system files. On other systems, these attacks can
result in denial-of-service conditions and information disclosure. In
addition, users can deny service to other users by creating lockfiles for
other users' mailboxes.
remotely logged in account is the Administrator. Creating symlinks to
paths outside the directory of the given share is not possible. However
accessing a symlink in a directory which points to for example c:\
is possible. I don't say that because Samba should have the same
semantics as Windows, but because its implementation of handling remote
to local and local to remote symbolic links is more secure.
After failing in auditing the Windows servers on the potential
vulnerabilities I just gave samba a try and the default configuration
of my Ubuntu Desktop System and CentOS Server allowed me to conduct the
attack out of the box. Turning off symlink support in samba closes the
hole but then no access to symlinks created by the administrator is
============================================
==Description==
fcrontab, part of the fcron scheduler, is vulnerable to several race
conditions that allow a local attacker to use symbolic links to read
unauthorized files. On systems where fcrontab is installed with its
own "fcron" group, this allows an attacker to read other non-root
users' crontabs and fcron configuration files. On systems where
fcrontab is installed suid root, this allows an attacker to read arbitrary
files.
* Hanno Boeck reported that Gallery 1 and 2 did not set the secure
flag for the session cookie in an HTTPS session (CVE-2008-3662).
* Alex Ustinov reported that Gallery 1 and 2 does not properly handle
ZIP archives containing symbolic links (CVE-2008-4129).
* The vendor reported a Cross-Site Scripting vulnerability in Gallery
2 (CVE-2008-4130).
Impact
CVE ID : CVE-2010-1679
Jakub Wilk discovered that the dpkg-source component of dpkg, the Debian
package management system, doesn't correctly handle paths in patches of
source packages, which could make it traverse directories.
Raphaël Hertzog additionally discovered that symbolic links in the .pc
directory are followed, which could make it traverse directories too.
Both issues only affect source packages using the "3.0 quilt" format at
unpack-time.
Problem Description:
A vulnerability has been found and corrected in mysql:
MySQL is vulnerable to a symbolic link attack when the data home
directory contains a symlink to a different filesystem which allows
remote authenticated users to bypass intended access restrictions
(CVE-2008-7247).
The updated packages have been patched to correct this issue.
Problem Description:
A vulnerability was discovered and corrected in acl:
The (1) setfacl and (2) getfacl commands in XFS acl 2.2.47, when
running in recursive (-R) mode, follow symbolic links even when the
--physical (aka -P) or -L option is specified, which might allow
local users to modify the ACL for arbitrary files or directories via
a symlink attack (CVE-2009-4411).
This update provides a fix for this vulnerability.
Wherefrom: Local
Original : http://www.rdancer.org/vulnerablevim-configure.in.html
http://www.rdancer.org/vulnerablevim-configure.in.patch
Insecure temporary file creation during the build process is vulnerable
to symbolic link attacks, and arbitrary code execution. Patch provided.
2. Background
``Vim is an almost compatible version of the UNIX editor Vi. Many new
It has been discovered that the SCORM module is prone to an SQL
injection.
Additionally, an SQL injection in the update_record function, a problem
with symbolic links and a verification problem with Glossary, database
and forum ratings have been fixed.
For the stable distribution (lenny), these problems have been fixed in
version 1.8.2.dfsg-3+lenny3.
Problem Description:
A vulnerability was discovered and corrected in glib2.0:
The g_file_copy function in glib 2.0 sets the permissions of a
target file to the permissions of a symbolic link (777), which
allows user-assisted local users to modify files of other users,
as demonstrated by using Nautilus to modify the permissions of the
user home directory (CVE-2009-3289).
This update provides a solution to this vulnerability.