On Sun, Jun 21, 2015 at 02:56:36PM +0200, Hilko Bengen wrote:
> * Salvatore Bonaccorso:
> 
> > Did you had a chance to get more details on it?
> 
> ,----[ http://seclists.org/bugtraq/2015/Jun/53 ]
> | Elasticsearch versions 1.0.0 - 1.5.2 are vulnerable to an engineered
> | attack on other applications on the system. The snapshot API may be used
> | indirectly to place snapshot metadata files into locations that are
> | writeable by the user running the Elasticsearch process. It is possible
> | to create a file that another application could read and take action on,
> | such as code execution.
> `----
> 
> Looking at upstream's commits leading to 1.6.0, this seems like a
> candidate:
> 
> ,----
> | commit dedbe528d5da95fdb6cccd1d0483aa0ca2c07563
> | Author: jaymode <jay.m...@elasticsearch.com>
> | Date:   Fri May 29 11:14:46 2015 -0400
> | 
> |     Snapshot/Restore: fix check for locations in a repository path
> |     
> |     Currently, when trying to determine if a location is within one of the 
> configured repository
> |     paths, we compare a canonical path against an absolute path. These are 
> not always
> |     equivalent and this check will fail even when the same directory is 
> used. This changes
> |     the logic to to follow that of master, where we use normalized absolute 
> path comparisons. A
> |     test has been added that failed with the old code and now passes with 
> the updated method.
> `----

That seems plausible, yes.

Cheers,
        Moritz

__
This is the maintainer address of Debian's Java team
<http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. 
Please use
debian-j...@lists.debian.org for discussions and questions.

Reply via email to