lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
From: mail at blazde.co.uk (Roland Postle)
Subject: Sharutils buggy?

The problem seems to be that by default uudecode uses as the output filename
the same filename used when the file was uuencoded. The fix is apparently to
stop it following symbolic links. So an attacker couldn't uuencode with a
filename that was in the /tmp directory. Then link the file in the tmp
directory to whatever they wanted. My guess is you can't specify an absolute
path (or ../) in the filename, and the assumption is that lots of people
extract these files in the tmp directory where malicous symbolic links might
reside.

Regardless it's not a 'grave' security problem as some people have said. And
no, Uuencode isn't (or shouldn't be) suid/sgid before you ask.

- Blazde

----- Original Message -----
From: "martin f krafft" <madduck@...duck.net>
To: "full-disclosure people" <full-disclosure@...ts.netsys.com>
Sent: Tuesday, July 16, 2002 12:24 AM
Subject: [Full-Disclosure] Sharutils buggy?

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ