On Mon, Feb 20, 2017 at 03:40:53PM +0100, Greg Kurz wrote: > The local_unlinkat() callback is vulnerable to symlink attacks because it > calls remove() which follows symbolic links in all path elements but the > rightmost one. > > This patch converts local_unlinkat() to rely on opendir_nofollow() and > unlinkat() instead. > > Most of the code is moved to a separate local_unlinkat_common() helper > which will be reused in a subsequent patch to fix the same issue in > local_remove(). > > This partly fixes CVE-2016-9602. > > Signed-off-by: Greg Kurz <gr...@kaod.org> > --- > hw/9pfs/9p-local.c | 100 > ++++++++++++++++++++++++++++++---------------------- > 1 file changed, 57 insertions(+), 43 deletions(-)
Reviewed-by: Stefan Hajnoczi <stefa...@redhat.com>
signature.asc
Description: PGP signature