On Sun, Jul 19, 2015 at 10:24 AM, Ingo Schwarze <schwa...@usta.de> wrote:
...
> I don't think we are vulnerable.
>
> If my analysis is accurate, the only user-controlled files
> we open in security(8) are ~/.rhosts and ~/.shosts
> in check_rhosts_content().  However, there is
>
>     next unless -s $filename;
>
> right before the open(), and for fifos, -s returns false:

TOCTOU race there.  If they can hit the gap and move a fifo over a
normal file between the test and the open, the open will hang.  Should
switch to sysopen() with O_NONBLOCK.

Philip
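The change suggested in the reply above, sketched in Perl as an added example (not code from security(8) or from either poster): open first with O_NONBLOCK, then test the open handle instead of the name. The helper name open_regular_nonempty and the sample files are constructed for illustration, and carrying the existing -s check over to the handle is an assumption.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Fcntl qw(O_RDONLY O_NONBLOCK);
use File::Temp qw(tempdir);
use POSIX qw(mkfifo);

# Racy pattern from the thread: the name is tested, then opened later.
#     next unless -s $filename;
#     open(my $fh, '<', $filename) ...   # blocks if a fifo is swapped in

# Hypothetical helper: returns a read handle, or nothing unless the
# path is a non-empty regular file.
sub open_regular_nonempty {
    my ($filename) = @_;
    # O_NONBLOCK makes a read-only open of a fifo with no writer return
    # at once instead of waiting for one.
    sysopen(my $fh, $filename, O_RDONLY | O_NONBLOCK) or return;
    # Test the handle (fstat), not the name, so the object checked is
    # the object that was opened. "_" reuses the same stat result.
    unless (-f $fh && -s _) {
        close $fh;
        return;
    }
    return $fh;
}

# Constructed sample files in a private temporary directory.
my $dir = tempdir(CLEANUP => 1);
my %sample = map { $_ => "$dir/$_" } qw(regular empty fifo);
open(my $out, '>', $sample{regular}) or die "open: $!";
print $out "host.example.org user\n";
close $out;
open($out, '>', $sample{empty}) or die "open: $!";
close $out;
mkfifo($sample{fifo}, 0600) or die "mkfifo: $!";

for my $kind (sort keys %sample) {
    my $fh = open_regular_nonempty($sample{$kind});
    printf "%-8s %s\n", $kind, $fh ? 'opened' : 'skipped';
    close $fh if $fh;
}
```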