[This bug could potentially create serious problems if someone is malicious and smart enough to exploit it. Please upgrade fileutils -- Raju]
This is an RFC 1153 digest. (1 message) ---------------------------------------------------------------------- Return-Path: <[EMAIL PROTECTED]> Mailing-List: contact [EMAIL PROTECTED]; run by ezmlm Reply-To: [EMAIL PROTECTED] Message-ID: <[EMAIL PROTECTED]> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII From: Wojciech Purczynski <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: GNU fileutils - recursive directory removal race condition Date: Mon, 11 Mar 2002 00:21:23 +0100 (CET) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Name: fileutils Version: 4.1 stable and 4.1.6 development version Homepage: http://www.gnu.org/software/fileutils/fileutils.html Author: Wojciech Purczynski <[EMAIL PROTECTED]> Date: March 10, 2002 Issue: ====== Race condition in various utilities from fileutils GNU package may cause root user to delete the whole filesystem. Description: ============ The GNU File Utilities are the basic file-manipulation utilities of the GNU operating system. Details: ======== An insecure chdir("..") syscall is done after removing content of a subdirectory in order to get back to the upper directory during recursive removal of directory tree. Example of 'rm -fr /tmp/a' removing '/tmp/a/b/c' directory tree: (strace output simplified for better readability) chdir("/tmp/a") = 0 chdir("b") = 0 chdir("c") = 0 chdir("..") = 0 rmdir("c") = 0 chdir("..") = 0 rmdir("b") = 0 fchdir(3) = 0 rmdir("/tmp/a") = 0 After current directory is changed to /tmp/a/b/c a race condition occurs. If we then move /tmp/a/b/c directory to the /tmp/c two subsequent chdir("..") syscalls will move to the root directory / and rm will start removing files from the whole file systems if it has enough privileges (i.e. if called by root user). Timeframe of this race condition depends on how complicated directory structure is. The same issue affects also mv utility when source and destination directory lie on different filesystems and they are removed after creating copy on destination. Impact: ======= Unprivileged users may launch daemon program that will detect the removal operation of user's directories and exploit race condition leading to Denial of Service. Fix: ==== On March 7, 2002 we have contacted with developers of GNU fileutils package. On March 9, 2002 a patch fixing this vulnerability has been released for the latest 4.1.6 development version: http://mail.gnu.org/pipermail/bug-fileutils/2002-March/002440.html - -- Wojciech Purczynski iSEC Security Research http://isec.pl/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE8i+qNC+8U3Z5wpu4RAghyAJ9GGyLa/su8zTYhTo4nM0pIKQWaoQCfcHpL ou2hoatHjGW+V05SB2LrS9g= =kD85 -----END PGP SIGNATURE----- ------------------------------ End of this Digest ****************** -- Raju Mathur [EMAIL PROTECTED] http://kandalaya.org/ It is the mind that moves ================================================ To subscribe, send email to [EMAIL PROTECTED] with subscribe in subject header To unsubscribe, send email to [EMAIL PROTECTED] with unsubscribe in subject header Archives are available at http://www.mail-archive.com/ilugd%40wpaa.org =================================================
