projects / packages / systemd.git / blame
| Commit | Line | Data |
|---|---|---|
| 2be4e142 JR |
1 | From 5ebff5337594d690b322078c512eb222d34aaa82 Mon Sep 17 00:00:00 2001 |
| 2 | From: Michal Schmidt <mschmidt@redhat.com> | |
| 3 | Date: Fri, 02 Mar 2012 09:39:10 +0000 | |
| 4 | Subject: util: never follow symlinks in rm_rf_children() | |
| 5 | ||
| 6 | The function checks if the entry is a directory before recursing, but | |
| 7 | there is a window between the check and the open, during which the | |
| 8 | directory could be replaced with a symlink. | |
| 9 | ||
| 10 | CVE-2012-1174 | |
| 11 | https://bugzilla.redhat.com/show_bug.cgi?id=803358 | |
| 12 | --- | |
| 13 | diff --git a/src/util.c b/src/util.c | |
| 14 | index 20cbc2b..dfc1dc6 100644 | |
| 15 | --- a/src/util.c | |
| 16 | +++ b/src/util.c | |
| 17 | @@ -3593,7 +3593,8 @@ static int rm_rf_children(int fd, bool only_dirs, bool honour_sticky) { | |
| 18 | if (is_dir) { | |
| 19 | int subdir_fd; | |
| 20 | ||
| 21 | - if ((subdir_fd = openat(fd, de->d_name, O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC)) < 0) { | |
| 22 | + subdir_fd = openat(fd, de->d_name, O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC|O_NOFOLLOW); | |
| 23 | + if (subdir_fd < 0) { | |
| 24 | if (ret == 0 && errno != ENOENT) | |
| 25 | ret = -errno; | |
| 26 | continue; | |
| 27 | -- | |
| 28 | cgit v0.9.0.2-2-gbebe |