Bug 426548 (CVE-2007-6514)
Summary: | CVE-2007-6514 When document is on smbfs, a trailing backslash at the end of file name bypasses content type match | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Lubomir Kundrak <lkundrak> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED NOTABUG | QA Contact: | |
Severity: | low | Docs Contact: | |
Priority: | low | ||
Version: | unspecified | CC: | jlayton, jorton, ssorce |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6514 | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2008-01-09 18:16:13 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Lubomir Kundrak
2007-12-21 22:21:42 UTC
So it seems there is code in smbfs/dir.c to make sure that a EINTR is returned if an attempt is made to open a file containing a backslash. Where the EINTR is returned, Apache reports a permission denied error: [Wed Jan 09 16:39:06 2008] [error] [client 127.0.0.1] (22)Invalid argument: access to /rachel/test.php\\ failed This code exists in RHEL3,4,5 and therefore this is not an issue for RHEL3,4,5. But the check is not there in the RHEL2.1 kernel, so we'd need to check what happens there. Testing on RHEL2.1: # uname -r 2.4.9-e.72 # grep scratch /proc/mounts //salusa/scratch /mnt/scratch smbfs rw 0 0 # strace -f cat '/mnt/scratch/hosts.php\' ... open("/mnt/scratch/hosts.php\\", O_RDONLY|O_LARGEFILE) = -1 EINVAL (Invalid argument) ... ...unless apache is doing something different at the syscall level, I'd say that RHEL2.1 doesn't seem to be susceptible to this either. It might be good to run apache with '-X' so that it's single threaded and then strace it and see if you can determine what it's doing when it tries to open the file. There's a chance that it uses some oddball set of flags or something that could be affecting the outcome here. Ah, it works differently for me on my older kernel rhel-2.1 # uname -r 2.4.9-e.49 # mount -t smbfs //rachel/delme1 /mnt/rachel # cat /mnt/rachel/test.php\\\\\\\\\ <?php.... Okay, so the backtick patch is backported in linux-2.4.9-updates.patch therefore an up to date RHEL2.1 kernel is also not affected by this issue. Fixed in rhel2.1 kernel by RHSA-2007:0672 |