Jakub Lach
2009-May-26 17:42 UTC
FYI Lighttpd 1.4.23 /kernel (trailing '/' on regular file symlink) vulnerability
http://www.milw0rm.com/exploits/8786
http://redmine.lighttpd.net/issues/1989
http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/21768

affected: FreeBSD, OSX, Solaris < 10
not affected: Linux, NetBSD, OpenBSD, DragonflyBSD, Solaris 10
Dag-Erling Smørgrav
2009-May-26 21:02 UTC
FYI Lighttpd 1.4.23 /kernel (trailing '/' on regular file symlink) vulnerability
[moving from security@ to hackers@]

Jakub Lach <jakub_lach@mailplus.pl> writes:
> http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/21768

Like bde@ pointed out, the patch is incorrect. It moves the test for v_type != VDIR up to a point where, in the case of a symlink, v_type is always (by definition) VLNK.

The reason why the current code does not work is that, in the symlink case, the v_type != VDIR test is never reached: we will have jumped to either bad2 or success. However, it should be safe to move the test to after the success label, because trailing_slash is only ever true for the last component of the path we were asked to look up (see lines 520 through 535).

The attached patch should work.

DES
--
Dag-Erling Smørgrav - des@des.no

-------------- next part --------------
A non-text attachment was scrubbed...
Name: symlink-slash.diff
Type: text/x-patch
Size: 748 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-security/attachments/20090526/2309e5a0/symlink-slash.bin
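The lookup behaviour discussed in this thread can be checked from userland with a small regression test. This is an added example, not part of either message or of symlink-slash.diff; the function name and the /tmp/slashchk.* scratch directory are constructed for illustration. It returns 1 when the kernel rejects a trailing '/' on a symlink to a regular file with ENOTDIR, and 0 when the lookup does anything else.

```c
#define _XOPEN_SOURCE 700   /* for mkdtemp() and symlink() */
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1  = "link/" (symlink to a regular file) is rejected with ENOTDIR
 * 0  = the lookup succeeded or failed with a different errno
 * -1 = the scratch files could not be set up */
int trailing_slash_rejected(void)
{
    char dir[] = "/tmp/slashchk.XXXXXX";   /* constructed scratch location */
    char file[PATH_MAX], link[PATH_MAX], probe[PATH_MAX];
    struct stat sb;
    int fd, result = -1;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(file, sizeof file, "%s/target", dir);
    snprintf(link, sizeof link, "%s/link", dir);
    snprintf(probe, sizeof probe, "%s/link/", dir);   /* note trailing '/' */

    fd = open(file, O_CREAT | O_EXCL | O_WRONLY, 0600);
    if (fd >= 0) {
        close(fd);
        if (symlink(file, link) == 0) {
            /* Only a directory may be named with a trailing slash. */
            if (stat(probe, &sb) == -1 && errno == ENOTDIR)
                result = 1;
            else
                result = 0;
            unlink(link);
        }
        unlink(file);
    }
    rmdir(dir);
    return result;
}

int main(void)
{
    int r = trailing_slash_rejected();
    printf("%s\n", r == 1 ? "ok: ENOTDIR" : r == 0 ? "lookup not rejected" : "setup failed");
    return r == 1 ? 0 : 1;
}
```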