Hi, > This is from a post I made to BugTraq on September 17, entitled > "A few bugs...". If you're running Linux, it appears kernels pre 2.1 will > not be affected by this bug as they do not follow symlinks when creating > UNIX domain sockets (Solar Designer pointed this out after trying the > exploit on a 2.0.38 kernel; I tested on a 2.0.34 kernel, and from there > I'm generalizing). The same applies to mknod(2), which follows dangling symlinks on Linux 2.2, but doesn't on 2.0. I've changed the code not to follow such symlinks for both mknod(2) and bind(2), in 2.2.12-ow6. As I am posting this anyway, -- other changes to the -ow patch for 2.2 since I've announced it here include the real exit_signal fix, and the TCP sequence number fix I took from 2.2.13pre14. (Speaking of the latter, it's funny how most of the randomness went into the wrong place on the stack, and probably remained unnoticed because of the fairly large and unused at the time "struct tcp_opt". 2.0 isn't vulnerable. Yet another reason to continue running 2.0.38.) Signed, Solar Designer
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:05:40 PDT