Bugs item #3603899, was opened at 2013-02-08 18:29
Message generated for change (Tracker Item Submitted) made by
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=611248&aid=3603899&group_id=95403
Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Private: Yes
Submitted By: https://www.google.com/accounts ()
Assigned to: Nobody/Anonymous (nobody)
Summary: unsafe use of dlopen(3)

Initial Comment:
Hello,

while performing an audit of vde2 (https://bugs.launchpad.net/ubuntu/+source/vde2/+bug/776818) I found a bug; it may even be a security bug. If you decide this is a security issue, please contact the linux-distros security list to coordinate a release and request a CVE number. (See http://oss-security.openwall.org/wiki/mailing-lists/distros for details on using the linux-distros list. Note especially that [vs] is required in the Subject: header.)

    TRY_DLOPEN("%s%s", modname, MODULES_EXT);
    TRY_DLOPEN("%s%s/%s", homedir, USER_PLUGINS_DIR, modname);
    TRY_DLOPEN("%s%s/%s%s", homedir, USER_PLUGINS_DIR, modname, MODULES_EXT);
    TRY_DLOPEN("%s%s", PLUGINS_DIR, modname);
    TRY_DLOPEN("%s/%s%s", PLUGINS_DIR, modname, MODULES_EXT);

It is generally considered poor form to load executable content from the current working directory (as this code does if getenv("HOME") fails), and loading code from a home directory seems suspect to me. However, I do not know the design well enough to make this determination myself. Please consider whether this is unsafe or intentional. If it is intentional, make sure that the documentation accurately reflects the risk of allowing executable content to exist in current working directories or home directories.
----------------------------------------------------------------------
_______________________________________________
vde-users mailing list
vde-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/vde-users
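The five-candidate search order quoted in the report, rebuilt as an added example (this is not vde2's code and not the reporter's) next to a hardened builder and the pre-dlopen file check a reviewer would ask for. The values of MODULES_EXT, USER_PLUGINS_DIR and PLUGINS_DIR, the empty-string fallback for an unset HOME, and the helper names are assumptions; the report shows only the TRY_DLOPEN lines. Which candidate ends up cwd-relative therefore depends on vde2's real definitions. What does not depend on them: a candidate without any '/' (the first one, "<mod>.so") is resolved by dlopen(3) through the loader search path (LD_LIBRARY_PATH, DT_RUNPATH, ld.so cache), a candidate with a '/' but no leading '/' is opened relative to the current working directory, and only an absolute candidate is fully under the program's control.

```c
/* Added example, not vde2's own code. Macro values below are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>

#define MODULES_EXT      ".so"                    /* assumed */
#define USER_PLUGINS_DIR "/.vde2/plugins"         /* assumed, leading '/' so "%s%s" glues onto $HOME */
#define PLUGINS_DIR      "/usr/lib/vde2/plugins/" /* assumed, trailing '/' */
#define MAX_CANDIDATES   5
#define CAND_LEN         512

typedef struct {
    int  count;
    char path[MAX_CANDIDATES][CAND_LEN];
} candidates_t;

/* How dlopen(3) interprets a string: no '/' => loader search path;
 * '/' present but not leading => relative to cwd; leading '/' => absolute. */
typedef enum { CAND_SEARCHPATH, CAND_CWD_RELATIVE, CAND_ABSOLUTE } cand_kind_t;

cand_kind_t classify(const char *p)
{
    if (p[0] == '/') return CAND_ABSOLUTE;
    if (strchr(p, '/')) return CAND_CWD_RELATIVE;
    return CAND_SEARCHPATH;
}

/* The order quoted in the report. homedir is whatever getenv("HOME") returned;
 * the fallback to "" when it is NULL is an assumption (the report does not show it). */
void build_candidates_as_reported(const char *homedir, const char *modname, candidates_t *c)
{
    const char *h = homedir ? homedir : "";
    c->count = 0;
    snprintf(c->path[c->count++], CAND_LEN, "%s%s", modname, MODULES_EXT);
    snprintf(c->path[c->count++], CAND_LEN, "%s%s/%s", h, USER_PLUGINS_DIR, modname);
    snprintf(c->path[c->count++], CAND_LEN, "%s%s/%s%s", h, USER_PLUGINS_DIR, modname, MODULES_EXT);
    snprintf(c->path[c->count++], CAND_LEN, "%s%s", PLUGINS_DIR, modname);
    snprintf(c->path[c->count++], CAND_LEN, "%s/%s%s", PLUGINS_DIR, modname, MODULES_EXT);
}

/* A module name must be a plain file name: no directory component, no "." / "..". */
int modname_is_plain(const char *m)
{
    return m && *m && !strchr(m, '/') && strcmp(m, ".") != 0 && strcmp(m, "..") != 0;
}

/* Hardened order: the user directory is consulted only when HOME is set and
 * absolute, the bare "<mod>.so" search-path probe is dropped, and every
 * remaining candidate is an absolute path built from fixed prefixes. */
void build_candidates_hardened(const char *homedir, const char *modname, candidates_t *c)
{
    c->count = 0;
    if (!modname_is_plain(modname)) return;
    if (homedir && homedir[0] == '/')
        snprintf(c->path[c->count++], CAND_LEN, "%s%s/%s%s", homedir, USER_PLUGINS_DIR, modname, MODULES_EXT);
    snprintf(c->path[c->count++], CAND_LEN, "%s%s%s", PLUGINS_DIR, modname, MODULES_EXT);
}

/* Index of the first candidate that dlopen would not treat as an absolute path, or -1. */
int first_non_absolute(const candidates_t *c)
{
    for (int i = 0; i < c->count; i++)
        if (classify(c->path[i]) != CAND_ABSOLUTE) return i;
    return -1;
}

/* Check before dlopen: regular file, owned by root or the invoking user, not
 * group/world writable. Catches a world-writable ~/.vde2/plugins. The stat()
 * then dlopen() pair is still a TOCTOU window; on Linux that can be closed by
 * open()+fstat() and loading via /proc/self/fd/N, left out here for brevity. */
int plugin_file_is_trusted(const char *path, uid_t self)
{
    struct stat st;
    if (classify(path) != CAND_ABSOLUTE) return 0;
    if (stat(path, &st) != 0) return 0;
    if (!S_ISREG(st.st_mode)) return 0;
    if (st.st_uid != 0 && st.st_uid != self) return 0;
    if (st.st_mode & (S_IWGRP | S_IWOTH)) return 0;
    return 1;
}

int main(void)
{
    candidates_t c;
    const char *home = getenv("HOME");  /* run with `env -u HOME ./a.out` to see the empty-prefix case */
    build_candidates_as_reported(home, "foo", &c);
    for (int i = 0; i < c.count; i++)
        printf("reported[%d] kind=%d %s\n", i, (int)classify(c.path[i]), c.path[i]);
    build_candidates_hardened(home, "foo", &c);
    for (int i = 0; i < c.count; i++)
        printf("hardened[%d] trusted=%d %s\n", i, plugin_file_is_trusted(c.path[i], getuid()), c.path[i]);
    return 0;
}
```

The hardened builder feeds each candidate through plugin_file_is_trusted() before dlopen(3); the loop in main shows how, with the assumed values and HOME unset, the as-reported order probes "foo.so" via the loader search path and "/.vde2/plugins/foo" at the filesystem root, while the hardened order probes only the system plugin directory.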