Opened 11 years ago
Closed 11 years ago
#279 closed defect (fixed)
muroar_connect() allows connection to ~/.roar when $HOME is not set correctly
| Reported by: | ph3-der-loewe | Owned by: | ph3-der-loewe |
|---|---|---|---|
| Priority: | major | Milestone: | |
| Component: | µRoar | Version: | 0.1.10 |
| Keywords: | Cc: | ||
| Architecture: | Compiler: | ||
| Difficulty: | normal | Kernel: | |
| Operating System: | Parent Tickets: | ||
| Patch attached: | no | Protocol: | UNIX |
| Sound driver: | Topic: | Security |
Description
muroar_connect() allows to connect to ~/.roar even when $HOME is not set correctly.
The following errors are in the code:
- A heading slash is enforced
- When $HOME is not set it tries to connect to "/(null)/.roar"
- When $HOME is too long to fit into the buffer it is truncated. This results in a security problem because an attacker may alter $HOME in a way letting µRoar connect to an existing server. This is mostly important for restricted environments like sudo, su, ssh when parts of the env is passed while other is rejected.
- May connect to "/invalid" if snprintf() fails (very unlikely).
Some notes:
- It supported to set the server via $ROAR_SERVER. This does not conflict with the statement above as it may be one of those rejected env variables.
- No buffer overflow was found allowing remote code or data injection. This is why I set it only to "major" not "critical".
Subtickets
Change History (2)
comment:1 Changed 11 years ago by ph3-der-loewe
- Owner set to ph3-der-loewe
- Status changed from new to accepted
comment:2 Changed 11 years ago by ph3-der-loewe
- Resolution set to fixed
- Status changed from accepted to closed
- Version changed from current to 0.1.10
Note: See
TracTickets for help on using
tickets.
This got fixed by checking $HOME to be not NULL and starting with slash. In addition the length is now checked. When there is an error ~/.roar is skipped.