Re: [Nfsen-discuss] nfsen-1.3.8 released - SECURITY FIX

Wed, 25 Jan 2017 12:18:01 -0800 

On 01/25/2017 4:55 AM, Alexei Pastuchov wrote:
> quick&&  insecure solution:
> rm -t in NfProfile.pm line 3026.
>    


That didn't work for me, but I did this crude hack for addressing the 
taint issues with the vairables returned by ProfilePath.  Use at your 
own risk until a permanent fix has been released as it does *not* 
sanitize the input as it really should.


[foo@bar  libexec]# diff -c NfProfile.pm.ORIG NfProfile.pm
*** NfProfile.pm.ORIG   2017-01-25 13:18:48.443703130 -0600
--- NfProfile.pm        2017-01-25 13:10:26.418745710 -0600
***************
*** 142,147 ****
--- 142,149 ----
   sub ProfilePath {
         my $profile  = shift;
         my $profilegroup = shift;
+       $profile =~ /(.*)/ && ($profile = $1);
+       $profilegroup =~ /(.*)/ && ($profilegroup = $1);

         if ( !defined $profilegroup || $profilegroup eq '.' ) {
                 return "$profile";


-James

> 3026: $args .= "-t $_t "  if defined $profileinfo{'expire'};
>
>    
>> On 25 January 2017 at 10:17 Giles Coochey<gi...@coochey.net>  wrote:
>> I ran the upgrade and receive the following error when trying to restart
>> NFsen:
>>
>> Insecure dependency in sysopen while running with -T switch at
>> /opt/nfsen/libexec/NfProfile.pm line 836
>>
>> Any ideas?
>>
>> -- 
>> Regards,
>>
>> Giles Coochey
>> +44 (0) 7584 634 135
>> +44 (0) 1803 529 451
>> gi...@coochey.net
>>
>>
>> ------------------------------------------------------------------------------
>> Check out the vibrant tech community on one of the world's most
>> engaging tech sites, SlashDot.org! 
>> http://sdm.link/slashdot_______________________________________________
>> Nfsen-discuss mailing list
>> Nfsen-discuss@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
>>      
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
> _______________________________________________
> Nfsen-discuss mailing list
> Nfsen-discuss@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
>
>
>    


------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Nfsen-discuss mailing list
Nfsen-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss

Reply via email to