Security fix for mc 4.6.0


I sent this e-mail in private to the SuSE maintainer of mc, but I think
parts of it belong to the list as well.

[quotes from my correspondent are skipped]

I must say that I only started to really understand something after doing
a massive cleanup and making significant changes.

My estimate is that VFS needs a lot of work and I'm not prepared to
provide a complete patch at this point.  However, if a fix for this
particular vulnerability is needed, then the safest approach would be to
disable conversion of absolute links to relative ones for tar and cpio.

The conversion code is totally broken.  It has never been tested.  I
believe it was intended for remote filesystems (fish and ftpfs) but ended
up in a wrong place.  Really, symlink conversion makes sense for
filesystems that represent a complete "volume" including the root, which
is true for remote filesystems but not for archives.

This patch doesn't improve the functionality.  Resolution of certain
relative and absolute links is still broken.  If you start testing mc
4.6.0 with this patch you will find problems.  You will find them without
the patch as well.

This patch is unlikely to plug all holes.  If you start testing mc with
specially crafted archives, you may find other problems.  There are still
many buffers of fixed size.

The only thing this patch contains is a fix for the particular
vulnerability that was reported.  I believe it's the best approach for

Pavel Roskin
--- vfs/direntry.c
+++ vfs/direntry.c
@@ -373,6 +373,7 @@ vfs_s_resolve_symlink (vfs *me, vfs_s_en
+#if 0
     /* Convert absolute paths to relative ones */
     if (*linkname == PATH_SEP) {
 	char *p, *q;
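Review bot: the `#if 0` is added without a comment saying why the block is compiled out, so nothing in the source stops a later maintainer from simply re-enabling it; a one-line comment above it (that the conversion is untested and only meaningful for filesystems that expose a whole volume, not archives, with a pointer to this thread) would preserve that. Also, `vfs_s_resolve_symlink (vfs *me, ...)` is generic code, so `#if 0` disables the conversion for every filesystem built on it, not only tar and cpio as the mail proposes; if fish or ftpfs are meant to keep it, gate the block on a per-filesystem flag rather than compiling it out unconditionally.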
@@ -391,6 +392,7 @@ vfs_s_resolve_symlink (vfs *me, vfs_s_en
 	linkname = buf;
     return (MEDATA->find_entry) (me, entry->dir, linkname, follow - 1, 0);
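Review bot: the hunk header counts one added line (6 to 7) but no `+` line survives in the quoted text, so the `#endif` that must close the `#if 0` opened at line 373 is missing here and the patch as posted would not compile; confirm it goes after `linkname = buf;` so that the reassignment of `linkname` is compiled out together with the conversion and `find_entry` is reached with the unmodified link target.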

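As an added illustration, not code from mc or from the patch above: this is what the disabled "convert absolute paths to relative ones" step has to do, written with an explicit output size so that a result which does not fit is rejected instead of overrunning a fixed-size buffer (the mail notes that many such buffers remain). The function and helper names are my own and the paths in `main` are constructed inputs.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PATH_SEP '/'

/* Length of the common leading directory prefix of two absolute paths.
   Only whole components count: "/usr/bin" and "/usr/lib" share "/usr"
   (length 4), while "/usrx" and "/usr/lib" share only the leading
   separator (length 0). */
static size_t common_dir_prefix(const char *a, const char *b)
{
    size_t i = 0, last_sep = 0;

    while (a[i] != '\0' && a[i] == b[i]) {
        if (a[i] == PATH_SEP)
            last_sep = i;
        i++;
    }
    /* If both strings end or sit at a separator here, the mismatch
       position is itself a component boundary. */
    if ((a[i] == '\0' || a[i] == PATH_SEP) && (b[i] == '\0' || b[i] == PATH_SEP))
        return i;
    return last_sep;
}

/* Rewrite absolute symlink target `target` as a path relative to `dir`,
   the directory holding the link.  The caller supplies the output buffer
   and its size; returns 0 on success and -1 when either input is not
   absolute or the result does not fit.  Nothing is ever written beyond
   out[outsize - 1]. */
int abs_to_rel(const char *dir, const char *target, char *out, size_t outsize)
{
    size_t prefix, used = 0, rest_len;
    const char *s, *rest;

    if (outsize == 0 || dir[0] != PATH_SEP || target[0] != PATH_SEP)
        return -1;

    prefix = common_dir_prefix(dir, target);

    /* One "../" for every component of dir below the shared prefix. */
    for (s = dir + prefix; *s != '\0'; ) {
        while (*s == PATH_SEP)
            s++;
        if (*s == '\0')
            break;
        while (*s != '\0' && *s != PATH_SEP)
            s++;
        if (used + 3 >= outsize)          /* room for "../" plus NUL */
            return -1;
        memcpy(out + used, "../", 3);
        used += 3;
    }

    /* Then the part of target below the shared prefix. */
    rest = target + prefix;
    while (*rest == PATH_SEP)
        rest++;
    rest_len = strlen(rest);
    if (used + rest_len + 1 > outsize)
        return -1;
    memcpy(out + used, rest, rest_len);
    used += rest_len;

    if (rest_len == 0 && used > 0)
        used--;                           /* drop trailing '/' of last "../" */
    if (used == 0) {
        if (outsize < 2)
            return -1;
        out[used++] = '.';                /* link points at its own directory */
    }
    out[used] = '\0';
    return 0;
}

/* Check helper: 1 if abs_to_rel(dir, target) yields exactly `expect`. */
int rel_equals(const char *dir, const char *target, const char *expect)
{
    char buf[64];
    return abs_to_rel(dir, target, buf, sizeof buf) == 0 && strcmp(buf, expect) == 0;
}

/* Check helper: 1 if a too-small buffer is rejected and nothing past
   `outsize` is touched (the rest of buf is filled with a sentinel). */
int rejects_overflow(const char *dir, const char *target, size_t outsize)
{
    char buf[64];
    size_t i;
    memset(buf, 'X', sizeof buf);
    if (abs_to_rel(dir, target, buf, outsize) != -1)
        return 0;
    for (i = outsize; i < sizeof buf; i++)
        if (buf[i] != 'X')
            return 0;
    return 1;
}

int main(void)
{
    /* Constructed sample link locations and targets. */
    const char *cases[][2] = {
        { "/usr/bin",   "/usr/lib/libc.so" },
        { "/",          "/etc/hostname" },
        { "/usr/local", "/usr" },
        { "/usrx",      "/usr/lib" },
    };
    char buf[64];
    size_t i;

    for (i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        if (abs_to_rel(cases[i][0], cases[i][1], buf, sizeof buf) == 0)
            printf("%-12s %-18s -> %s\n", cases[i][0], cases[i][1], buf);
        else
            printf("%-12s %-18s -> (rejected)\n", cases[i][0], cases[i][1]);
    }
    printf("16-byte buffer, long target: %s\n",
           abs_to_rel("/a", "/b/0123456789abcdef", buf, 16) == 0 ? "ok" : "rejected");
    return 0;
}
```

The point of the size argument is that the caller's buffer, however it was sized, can never be overrun: a target that does not fit is reported as an error and the link is left unresolved, which is the safe failure for untrusted archive contents.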