chicken-hackers

Re: [Chicken-hackers] [PATCH 2/4] csi: fix untrusted code execution by (


From: Florian Zumbiehl
Subject: Re: [Chicken-hackers] [PATCH 2/4] csi: fix untrusted code execution by (load)ing ./.csirc
Date: Fri, 15 Mar 2013 15:17:59 +0100
User-agent: Mutt/1.5.20 (2009-06-14)

Hi,

> On Fri, Mar 15, 2013 at 06:58:42AM +0100, Florian Zumbiehl wrote:
> > Remove (load)ing of ./.csirc on csi startup as it can lead to execution of
> > untrusted code.
> 
> This is pretty serious.  I'll request a CVE and issue an advisory
> shortly, once this patch has gone in.  Attached is a slightly improved
> patch which just ignores HOME if it's empty, as that's a little
> friendlier (it's not serious if HOME is empty and it can be easily
> recovered from).

I generally prefer noisy breakage to silently fixing bogus things up, but I
guess in this case it doesn't really matter ... ;-)

> > The TOCTOU sporadic failure bug I have left in as I don't have a clue how
> > to fix that.
> 
> I'm assuming you are talking about the check whether ~/.csirc exists
> before invoking LOAD on it.  If there's some other TOCTOU bug, please be
> a little more verbose.

Yep, that's what I meant.

> Maybe this could be treated by catching an exception?  OTOH, it shouldn't
> matter much, as the only one who should have access to ~/.csirc is the
> user himself.

Yeah, no security problem there, I think, just a "normal" correctness bug
that could cause sporadic failure (think someone unlinking their ~/.csirc
and a cron job executing csi concurrently or something).

Catching the exception doesn't really help as you cannot really figure out
what the problem was? You probably wouldn't want to ignore an I/O error,
say.

Regards, Florian
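
The check-then-load race on ~/.csirc and the empty-HOME case discussed in this thread, shown at the system-call level in C as an added example (not code from the patch or from CHICKEN): the file is opened directly with no prior existence test, and only ENOENT is treated as "no rc file". The names `rc_path`, `rc_open` and `rc_status` are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

enum rc_status { RC_LOADED, RC_ABSENT, RC_ERROR };

/* Build "$HOME/.csirc". Returns 0 when HOME is unset, empty, or too long:
   the rc file is then skipped, never looked up in the current directory. */
static int rc_path(const char *home, char *buf, size_t len)
{
    if (home == NULL || home[0] == '\0')
        return 0;
    int n = snprintf(buf, len, "%s/.csirc", home);
    return n > 0 && (size_t)n < len;
}

/* Open the rc file without testing for existence first, so there is no
   window between check and use. ENOENT means "no rc file"; every other
   failure (EACCES, EIO, ENOTDIR, ...) is reported through *err. */
static enum rc_status rc_open(const char *home, int *fd, int *err)
{
    char path[4096];
    *fd = -1; *err = 0;
    if (!rc_path(home, path, sizeof path))
        return RC_ABSENT;
    *fd = open(path, O_RDONLY);
    if (*fd >= 0)
        return RC_LOADED;
    if (errno == ENOENT)
        return RC_ABSENT;
    *err = errno;
    return RC_ERROR;
}

int main(void)
{
    int fd, err;
    switch (rc_open(getenv("HOME"), &fd, &err)) {
    case RC_LOADED: puts("rc file opened; evaluate from this descriptor"); close(fd); break;
    case RC_ABSENT: puts("no rc file; continuing"); break;
    case RC_ERROR:  fprintf(stderr, ".csirc: %s\n", strerror(err)); return 1;
    }
    return 0;
}
```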


