lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Thu, 19 Oct 2006 23:39:31 +0200
From:	Joerg.Schilling@...us.fraunhofer.de (Joerg Schilling)
To:	7eggert@....de
Cc:	schilling@...us.fraunhofer.de, linux-kernel@...r.kernel.org,
	kronos.it@...il.com, ismail@...dus.org.tr, 7eggert@....de
Subject: Re: Linux ISO-9660 Rock Ridge bug needs fix

Bodo Eggert <7eggert@....de> wrote:

> > > Exactly that's why I'd ignore the on-disk "inode number" and instead use
> > > the generated one untill someone comes along with a clever idea to fix
> > > the issue or can show that it's mostly hermless.
> > 
> > I could understand you in case that Linux would do some basic consistency checks
> > in the iso-9660 code already.....
>
> ISO9660-over-NFS is no big usecase, linked files on CD aren't common and 
> the current code just won't benefit from hardlinks. Therefore I don't see 
> a compelling reason to use this feature without first thinking about 
> possible attacks.

It looks like you did never really think about the problem or that you just 
don't know what you are talking about :-(

A typical UNIX standard installation has more than 3000 hard linked file name
entries in the root filesystem. There are many people who like to backup their 
root filesystem via mkisofs and all life CDs and install CDs depend on hard 
linked files.

But this seems to be a frequent way of dealing with implementation deficits:
define the problem to be not existant....


> Even if there are more holes to be plugged, punching even more holes 
> doesn't help. Instead, we should hope that someone finds the time to
> plug these holes and praise him when he comes.

It seems that you did not think about the problem...

Wrong inode numbes do not open holes, they just create a garbage in garbage out
behavior, but they will not cause the OS to panic. 

The unfixed bugs in the Linux iso-9660 implementation on the other side allow 
me to create a CD that causes Linux to panic without taking me a long time.

> > Show me another program besides mkisofs that implements inode numbers _and_ does
> > it wrong.
>
> My hacked mkisofs, which I'll use to r00t you all and gain world domination.

This is just a junk statement, describe what you believe than can be done...

Jörg

-- 
 EMail:joerg@...ily.isdn.cs.tu-berlin.de (home) Jörg Schilling D-13353 Berlin
       js@...tu-berlin.de                (uni)  
       schilling@...us.fraunhofer.de     (work) Blog: http://schily.blogspot.com/
 URL:  http://cdrecord.berlios.de/old/private/ ftp://ftp.berlios.de/pub/schily
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ