[Bug 1394590] Re: LFI Security vulnerability
[Expired for psensor (Ubuntu) because there has been no activity for 60 days.] ** Changed in: psensor (Ubuntu) Status: Incomplete => Expired -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1394590 Title: LFI Security vulnerability To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/psensor/+bug/1394590/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1394590] Re: LFI Security vulnerability
Jean-Philippe, ah, that is a bit of an annoyance. I don't know what to recommend. The race condition I was worried about is the check for the realpath() appears to be done some point before the file is opened; a symlink could be made between those two and the end result could be the same. Of course this may or may not be a pressing issue -- php, for example, gave up trying to defend their "safe_open" family of functions that tried to restrict access to one directory tree, because it is in the end POSIX does not make this goal easy. open(2)'s O_NOFOLLOW only applies to the final component of the path, not every element in the path. Thanks -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1394590 Title: LFI Security vulnerability To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/psensor/+bug/1394590/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1394590] Re: LFI Security vulnerability
@Seth, I am the author of psensor. I did the debdiff but unfortunely there is a specific ubuntu regression The ubuntu packaging is linking /usr/share/psensor/www/jquery.js to /usr/share/javascript/jquery/jquery.js which is rejected by the fix (based on calling realpath C function)because it is not under the www directory of psensor-server. I don't have found for the moment a clean solution to this issue. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1394590 Title: LFI Security vulnerability To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/psensor/+bug/1394590/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1394590] Re: LFI Security vulnerability
When coordinating with upstream, please investigate if the proposed fix is safe from race conditions. Thanks ** Information type changed from Private Security to Public Security -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1394590 Title: LFI Security vulnerability To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/psensor/+bug/1394590/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs