Hi, I am looking at those issues that are related, see:
http://www.openwall.com/lists/oss-security/2010/06/08/3
https://bugzilla.redhat.com/show_bug.cgi?id=599697#c7

The first one is marked as "fixed" here:
http://security-tracker.debian.org/tracker/CVE-2010-2061

However, the second one is marked as "undetermined" here:
http://security-tracker.debian.org/tracker/CVE-2010-2064

I looked at the code in warmstart.c and found that rpcbind uses fopen() to open XDR files in /tmp and then the xdrstdio_create() function that reuses the file descriptor returned by fopen().

Fixing CVE-2010-2064 would require using open() and some flags instead of fopen(), since there is no way to detect a symlink with fopen(). It would then be impossible (or at least difficult) to use the xdr*() functions with the file descriptor returned by open(). Therefore fixing CVE-2010-2064 would require large changes which are outside the scope of a simple security fix.

The proposed workaround to use XDR files in /var/run instead of /tmp is therefore a simple and effective fix and is IMHO sufficient to also fix CVE-2010-2064.

BTW, the fix for CVE-2010-2061 could have been done with defensive coding (checking the UID of files) but has been done with a simple directory change.

--
Laurent Bonnaud.
http://www.gipsa-lab.inpg.fr/page_pro.php?vid=96

Archive: http://lists.debian.org/1319029010.14114.25.camel@vougeot
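The message above contrasts two approaches to the /tmp XDR file problem: fopen() cannot refuse a symlink, while open() with flags can but (so the argument goes) does not hand back something the stdio-based xdr*() functions can use. The following is an added example, not code from rpcbind or from the message's author, showing the defensive pattern the message alludes to ("checking the UID of files") in a way that still yields a FILE*: open the path with O_NOFOLLOW, fstat() the descriptor to confirm it is a regular file owned by the caller with a single link, and only then convert it with fdopen() so a stdio consumer such as xdrstdio_create() could take it. The helper names open_private_file and demo_symlink_rejection, and the temporary directory layout, are assumptions made for this example; xdrstdio_create() itself is not called here, because that would pull in the RPC library headers.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open 'path' read-only without following a symlink in the final
 * component, then check the object actually opened: a regular file,
 * owned by the effective user, with exactly one hard link. On success
 * wrap the descriptor with fdopen() so that a stdio-based API (such as
 * xdrstdio_create(), which wants a FILE*) can consume it. On failure
 * return NULL with errno set; ELOOP means the path was a symlink. */
FILE *open_private_file(const char *path)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return NULL;

    struct stat st;
    if (fstat(fd, &st) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return NULL;
    }
    if (!S_ISREG(st.st_mode) || st.st_uid != geteuid() || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return NULL;
    }

    FILE *fp = fdopen(fd, "r");
    if (fp == NULL) {
        int saved = errno;
        close(fd);
        errno = saved;
    }
    return fp;
}

/* Self-check (constructed scenario): create a private directory holding a
 * regular file plus a symlink pointing at it, then confirm the helper
 * accepts the regular file and rejects the symlink with ELOOP.
 * Returns 1 when behaviour is as expected, 0 otherwise. */
int demo_symlink_rejection(void)
{
    char dir[] = "/tmp/xdr-demo-XXXXXX";  /* assumed writable location */
    if (mkdtemp(dir) == NULL)
        return 0;

    char regular[256], link[256];
    snprintf(regular, sizeof regular, "%s/portmap.xdr", dir);
    snprintf(link, sizeof link, "%s/planted.xdr", dir);

    int ok = 0;
    int fd = open(regular, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd >= 0) {
        (void)write(fd, "xdr", 3);
        close(fd);
        if (symlink(regular, link) == 0) {
            FILE *good = open_private_file(regular);
            errno = 0;
            FILE *bad = open_private_file(link);
            ok = (good != NULL) && (bad == NULL) && (errno == ELOOP);
            if (good != NULL)
                fclose(good);
            unlink(link);
        }
        unlink(regular);
    }
    rmdir(dir);
    return ok;
}

int main(void)
{
    printf("symlink rejected, regular file accepted: %s\n",
           demo_symlink_rejection() ? "yes" : "no");
    return 0;
}
```

The fstat() checks are done on the already-open descriptor rather than on the path, so there is no window between checking and using the file; O_NOFOLLOW only guards the last path component, which is why relocating the files out of a world-writable directory, as the message recommends, remains the more robust fix.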
