[Yum-devel] [PATCH 2/2] Preload packages from user cachedirs

tim.lauridsen at gmail.com tim.lauridsen at gmail.com
Tue Sep 11 10:34:07 UTC 2012


On Mon, Sep 10, 2012 at 11:14 PM, James Antill <james at fedoraproject.org> wrote:

> On Mon, 2012-09-10 at 18:57 +0200, tim.lauridsen at gmail.com wrote:
> > On Mon, Sep 10, 2012 at 3:51 PM, Zdeněk Pavlas <zpavlas at redhat.com> wrote:
> [...]
> > > +                    st = misc.stat_f(user)
> > > +                    if st and st.st_size == po.size:
> > > +                        try:
> > > +                            shutil.copy2(user, local) # user-writable,
> > > must copy
> > > +                            if po.verifyLocalPkg():
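Review bot: the size check on `st` (from `misc.stat_f(user)`) is made on the path, and `shutil.copy2(user, local)` then reopens the same path, so nothing ties the bytes actually copied to the file that was stat'd, and the copy itself has no upper bound: a file that grows, or is swapped for something else, between the two calls is copied in full. Suggest opening `user` once, checking `os.fstat(fd)` for `S_ISREG` and `st_size == po.size` on that descriptor, and reading at most `po.size` bytes from it (failing if one more read still returns data), so the check and the copy refer to the same inode.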
>
> > No problem with the code, but is this safe to just copy packages from an
> > unpriv user tmp directory from a security point of view?
> > Can it be used for injection of infected packages from an unpriv user?
>
>  In theory the user can do "bad things" to the file between the stat()
> and the copy() (E.g. make the file 666x bigger) ... but the window is
> really small, and the attack will only last until we hit EOF and then
> verifyLocalPkg() will get it rm'd. Probably the worst is if the user can
> replace the original file with pipe in that window (then we'll never hit
> EOF until they tell us to).
>  If we are pushed, we can create our own copy() that takes an inode +
> maxsize and checks both as it copies.
>  In general I'm much more worried about tree walking from a security POV
> (Esp. given there have been actual DOS attacks involving glob()).
>
>  But on the other side, we have to worry even less about it if we only
> look at a specified path.
>
> _______________________________________________
> Yum-devel mailing list
> Yum-devel at lists.baseurl.org
> http://lists.baseurl.org/mailman/listinfo/yum-devel
>

Ok, ACK
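James's "our own copy() that takes an inode + maxsize and checks both as it copies", written out as an added example. This is not yum's code and not part of the patch under review; the names `bounded_copy`, `UnsafeSourceError`, `demo` and `_attempt`, and the constructed file contents, are assumptions of the example. It also covers the pipe case from the reply: the source is opened with `O_NONBLOCK` so a FIFO put in place of the file does not block `open()`, and `fstat()` on the descriptor rejects it before any read.

```python
import os
import shutil
import stat
import tempfile


class UnsafeSourceError(Exception):
    """Raised when the source is not the regular file of the expected inode and size."""


def bounded_copy(src_path, dst_path, expected_ino, max_size, chunk=65536):
    """Copy src_path to dst_path only if it is still the regular file with
    inode expected_ino and exactly max_size bytes, and never read past
    max_size. Every check is made on one open descriptor, so replacing the
    path after open() cannot redirect the copy. (Hypothetical helper.)"""
    # O_NONBLOCK: if the path was replaced with a FIFO, open() returns at once
    # instead of waiting for a writer; O_NOFOLLOW refuses a symlink where supported.
    flags = os.O_RDONLY | os.O_NONBLOCK | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(src_path, flags)
    try:
        st = os.fstat(fd)  # fstat on the descriptor, not stat on the path
        if not stat.S_ISREG(st.st_mode):
            raise UnsafeSourceError("not a regular file")
        if st.st_ino != expected_ino:
            raise UnsafeSourceError("inode changed")
        if st.st_size != max_size:
            raise UnsafeSourceError("size mismatch")
        out = open(dst_path, "wb")
        try:
            copied = 0
            while copied < max_size:
                buf = os.read(fd, min(chunk, max_size - copied))
                if not buf:
                    raise UnsafeSourceError("source shrank during copy")
                out.write(buf)
                copied += len(buf)
            # Exactly max_size bytes read; any further byte means the owner appended.
            if os.read(fd, 1):
                raise UnsafeSourceError("source grew during copy")
        except Exception:
            out.close()
            os.unlink(dst_path)  # never leave a partial or oversized copy behind
            raise
        out.close()
        return copied
    finally:
        os.close(fd)


def _attempt(src, dst, seen):
    """Try the copy against the inode/size recorded earlier; return the outcome."""
    try:
        bounded_copy(src, dst, seen.st_ino, seen.st_size)
        return "copied"
    except UnsafeSourceError as e:
        return str(e)


def demo():
    """Constructed scenario: four versions of the same path, each checked
    against the inode and size recorded when the file was first seen."""
    tmp = tempfile.mkdtemp()
    src = os.path.join(tmp, "pkg.rpm")
    dst = os.path.join(tmp, "pkg.copy")
    payload = b"\xed\xab\xee\xdb" + b"x" * 1000  # constructed bytes, not a real package
    results = {}
    try:
        with open(src, "wb") as f:
            f.write(payload)
        seen = os.stat(src)  # what the caller's earlier stat() recorded
        results["ok"] = bounded_copy(src, dst, seen.st_ino, seen.st_size)
        with open(dst, "rb") as f:
            results["intact"] = f.read() == payload
        # 1. the owner appended bytes after the stat()
        with open(src, "ab") as f:
            f.write(b"y" * 10)
        results["grown"] = _attempt(src, dst, seen)
        # 2. the owner renamed a different file of the right size over the path
        other = os.path.join(tmp, "other")
        with open(other, "wb") as f:
            f.write(payload)
        os.rename(other, src)
        results["swapped"] = _attempt(src, dst, seen)
        # 3. the owner replaced the path with a FIFO
        os.unlink(src)
        os.mkfifo(src)
        results["fifo"] = _attempt(src, dst, seen)
    finally:
        shutil.rmtree(tmp)
    return results


if __name__ == "__main__":
    print(demo())
```

The inode comparison is what closes the window James describes: the caller records `st_ino` and `st_size` from its stat(), and a rename over the path between that stat() and the copy shows up as a different inode on the descriptor actually being read. The post-loop single-byte read is the cheap check that the file did not grow while the loop ran.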