FileUtils is vulnerable to symlink race attacks
-----------------------------------------------
Key: JRUBY-5524
URL: http://jira.codehaus.org/browse/JRUBY-5524
Project: JRuby
Issue Type: Bug
Components: Standard Library
Affects Versions: JRuby 1.6RC2, JRuby 1.5.6
Reporter: Hiroshi Nakamura
Assignee: Hiroshi Nakamura
(This is the same vulnerability as the one published at
http://www.ruby-lang.org/en/news/2011/02/18/fileutils-is-vulnerable-to-symlink-race-attacks/
under the name 'FileUtils is vulnerable to symlink race attacks'.)
"A symlink race condition vulnerability was found in
FileUtils.remove_entry_secure. The vulnerability allows local users to delete
arbitrary files and directories."
"But please also note that symlink race attacks are unavoidable when any of the
upper directories from where you want to delete are owned by someone you cannot
trust. So if you want to be secure, you must ensure that ALL parent directories
cannot be moved by other untrusted users. For example, parent directories
should not be owned by untrusted users, and should not be world writable except
when the sticky bit is set."
Patch follows for the solution.
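The advisory's operational advice above (every ancestor directory must be owned by root or by the caller, and must not be world-writable unless the sticky bit is set) can be checked before calling a secure recursive delete. The following is an added example written for this issue, not code from JRuby or from fileutils.rb; the names `trusted_ancestor?`, `ancestor_dirs`, `untrusted_ancestors`, `same_entry?` and `demo_chain` are hypothetical, and the ownership/mode chains in `demo_chain` are constructed sample data, not taken from any real system. `same_entry?` is the usual device/inode comparison a secure delete performs between its lstat and its later use of the entry, to notice that the entry was swapped in between.

```ruby
# Added example; not JRuby's or fileutils.rb's own code.

# Policy from the advisory, on raw ownership/mode bits so it works both on a
# File::Stat and on constructed data. +directory+ false means that something in
# the chain is not a plain directory and could be swapped for a symlink.
def trusted_ancestor?(uid:, mode:, directory:, euid: Process.euid)
  return false unless directory                 # not a directory: reject
  return false unless uid == 0 || uid == euid   # must be owned by root or by us
  world_writable = (mode & 0o002) != 0          # o+w bit
  sticky         = (mode & 0o1000) != 0         # sticky bit
  return false if world_writable && !sticky     # anyone could rename it away
  true
end

# Ancestors of +path+: the parent of the entry itself, then its parent, up to /.
# Symlinks in the parent path are resolved first so each element is a real
# directory; the entry itself is NOT resolved, since the caller wants the
# parents of the name it intends to delete.
def ancestor_dirs(path)
  dir  = File.realpath(File.dirname(File.expand_path(path)))
  dirs = []
  loop do
    dirs << dir
    parent = File.dirname(dir)
    break if parent == dir
    dir = parent
  end
  dirs
end

# Ancestors of +path+ that fail the policy. An empty list means every parent
# directory is one only root or the caller can rename, which is the
# precondition the advisory asks for.
def untrusted_ancestors(path, euid: Process.euid)
  ancestor_dirs(path).reject do |d|
    st = File.lstat(d)
    trusted_ancestor?(uid: st.uid, mode: st.mode, directory: st.directory?, euid: euid)
  end
end

# Identity re-check between "look" and "use": two stat results describe the
# same entry only if device and inode number agree. If they differ, the entry
# was replaced underneath us and the delete must not proceed on it.
def same_entry?(a, b)
  a.dev == b.dev && a.ino == b.ino
end

# Constructed sample chain (hypothetical, not from a real system), evaluated
# for an effective uid of 1000. Modes are full st_mode values (type bits included).
def demo_chain(euid = 1000)
  samples = [
    { uid: 0,    mode: 0o041777, directory: true },  # /tmp-style, sticky: ok
    { uid: euid, mode: 0o040755, directory: true },  # our own directory: ok
    { uid: 1001, mode: 0o040755, directory: true },  # another user's dir: reject
    { uid: 0,    mode: 0o040777, directory: true },  # 0777 without sticky: reject
    { uid: 0,    mode: 0o120777, directory: false }, # a symlink in the chain: reject
  ]
  samples.map { |d| trusted_ancestor?(**d, euid: euid) }
end

if __FILE__ == $0
  p demo_chain
  p untrusted_ancestors(Dir.pwd)
end
```

Run it on a real path with `untrusted_ancestors("/path/to/delete")`; a non-empty result is the case the advisory says cannot be made safe by the delete routine alone, so the caller should refuse rather than proceed.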
--
This message is automatically generated by JIRA.