Re: mirror 2.9 hole

From: jcp (listsat_private)
Date: Wed Oct 20 1999 - 06:25:50 PDT

  • Next message: Aleph One: "CERT Advisory CA-99.13 - Multiple Vulnerabilities in WU-FTPD" 

      This message is in MIME format.  The first part should be readable text,
  while the remaining parts are likely unreadable without MIME-aware tools.
  Send mail to mimeat_private for more info.

--2126599937-815788345-940425712=:10947
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Content-ID: <Pine.LNX.4.20.9910201422061.10947at_private>


version stats:
$Id: mirror.pl,v 2.9 1998/05/29 19:01:07 lmjm Exp lmjm $

 The author of mirror, Lee McLoughlin, had this to say:

...
<QUOTE>
Anyhow.  A simple fix to overcome this problem is to add the following to your
mirror.defaults
(and to any package that overrides this setting):

name_mappings=s:\.\./:__/:g

This should convert names like:
    " ../rot"
to
    " __/rot"

BUT I'VE NOT TESTED THIS!
</QUOTE>
...

I also didn't test this.I did make a quick patch to the mirror.pl script
to warn/log about attempts. Patch included.

regards
--
Jose' Carlos Pereira


On Tue, 19 Oct 1999, Stefan Kelm wrote:

[snip]

> I can confirm the behaviour you describe for mirror.pl,v 2.8 running on
> solaris although I wasn't able to create any temporary files by using a
> "\" in either the file names or the directory names.
>
> However, the default mirror configuration shows the following part:
>
>   # Don't touch anything whose name begins with a space!
>   exclude_patt=(^|/)(.mirror$|.in..*.$|MIRROR.LOG|#.*#|.FSP|.cache|.zipped|lost+found/| )
>
> (you might want to quote the space character at the end)
>
> Even the man page recommends using the line above. Be careful not to
> overwrite the keyword exclude_patt in your own mirror files. If you do
> have to use exclude_patt be sure to specify somethink like:
>
>   exclude_patt+|^blah/|             (note the "+" sign!)
>
> This should not allow temporary files to be created through " ..". At
> least it didn't on my system.  :-)
>
> Cheers,
>
>         Stefan.


--2126599937-815788345-940425712=:10947
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII; NAME="mirror2.9.patch"
Content-Transfer-Encoding: BASE64
Content-ID: <Pine.LNX.4.20.9910201421520.10947at_private>
Content-Description:
Content-Disposition: ATTACHMENT; FILENAME="mirror2.9.patch"

KioqIG1pcnJvci5wbAlNb24gSnVuICA4IDExOjU1OjI3IDE5OTgNCi0tLSAv
dXNyL2xvY2FsL21pcnJvcjIuOS9taXJyb3IJV2VkIFNlcCAyOSAxNjozNDow
MSAxOTk5DQoqKioqKioqKioqKioqKioNCioqKiAyNjU3LDI2NjIgKioqKg0K
LS0tIDI2NTcsMjcwMSAtLS0tDQogIAkkbm9fcmVuYW1lID0gKCEgJHJlbW90
ZV9oYXNfcmVuYW1lKSB8fCAoJHJlbW90ZV9mcyBlcSAnbWFjb3MnICYmICEg
JGdldF9maWxlKTsNCiAgDQogIAlmb3JlYWNoICRzcmNfcGF0aCAoIEB4ZmVy
X3NyYyApew0KKyANCisgIyMNCisgI0JFR0lOIGpjcEBFVW5ldC5wdCAxOTk5
LzA5LzI5DQorICMNCisgI0RhdGU6IFR1ZSwgMjggU2VwIDE5OTkgMTg6Mjc6
NTQgKzA0MDANCisgI0Zyb206IDNBUEEzQSA8d2lzZUB0b21jYXQucnU+DQor
ICNUbzogQlVHVFJBUUBTRUNVUklUWUZPQ1VTLkNPTQ0KKyAjU3ViamVjdDog
bWlycm9yIDIuOSBob2xlDQorICMNCisgI0hlbGxvIEJVR1RSQVFAU0VDVVJJ
VFlGT0NVUy5DT00sDQorICMNCisgI21pcnJvciBpcyBhIFBlcmwgc2NyaXB0
IHdoaWNoIGlzIHdpZGVseSB1c2VkIGZvciBtYWtpbmcgY29weSBvZiByZW1v
dGUNCisgI0ZUUCBzaXRlLiBJdCdzIGluY2x1ZGVkIGluIEZyZWVCU0QgcGFj
a2FnZXMuIFRoZXJlIGFyZSBzZWN1cml0eSBob2xlcywNCisgI3doaWNoICAg
YWxsb3dzICBvdmVyd3JpdGUgIGxvY2FsICBmaWxlcyAgZnJvbSAgcmVtb3Rl
ICBmdHAgIHNpdGUgIHdpdGgNCisgI3Blcm1pc3Npb25zICBvZiAgdGhlICB1
c2VyICB3aG8gdXNlcyBtaXJyb3IuIFRoZW4gcmV0cmlldmluZyBkaXJlY3Rv
cnkNCisgI2xpc3RpbmcgIG1pcnJvciAgZG9lc24ndCAgY2hlY2sgIGZpbGVu
YW1lIG9yIGRpcmVjdG9yeSBuYW1lIHRvIGNvbnRhaW4NCisgIyIuLiIgIG9y
ICAiXCIgIFRoaXMgIGFsbG93cyAgdG8gY3JlYXRlIG9yIG92ZXJ3cml0ZSBm
aWxlcyBpbiBkaXJlY3RvcnkNCisgI2RpZmZlcmVudCBmcm9tIGRlc3RpbmF0
aW9uLg0KKyAjDQorICNUbyAgc2ltcGx5ICB0ZXN0ICB0aGlzICBidWcgeW91
IGNhbiBjcmVhdGUgIiAuLiIgZGlyZWN0b3J5IG9uIHlvdXIgZnRwDQorICNz
aXRlICBhbmQgIG1pcnJvciAgeW91ciAgc2l0ZS4gIE1pcnJvciAgd2lsbCBj
cmVhdGUgdGVtcG9yYXJ5IGZpbGVzIGluDQorICNkaXJlY3RvcnkgIG9uZSAg
bGV2ZWwgIGhpZ2hlciAgdGhlbiAgc3BlY2lmeWVkLiAgVGhpcyB3YXkgeW91
IGNvdWxkbid0DQorICNvdmVyd3JpdGUgIHNvbWUgdXNlZnVsIGluZm9ybWF0
aW9uLCBidXQgdGhpcyBtYXkgYmUgdXNlZCwgZm9yIGV4YW1wbGUsDQorICN0
byBmaWxsIG91dCAvIGRpcmVjdG9yeSAoaWYgbWlycm9yIGlzIHJhbiBmcm9t
IHJvb3QpLg0KKyAjDQorICNCdXQgIHdpdGggcHV0dGluZyBsaXR0bGUgY2hh
bmdlcyBpbnRvIHlvdSBmdHBkIChmb3IgZXhhbXBsZSBtYWtpbmcgaGltDQor
ICNjaGFuZ2UgJ1wnIHRvICcvJyBvbiBsaXN0aW5ncykgeW91IGNhbiBmb3Jj
ZSBtaXJyb3IgdG8gb3ZlcndyaXRlIF9hbnlfDQorICNmaWxlIHdpdGggcGVy
bWlzc2lvbnMgb2YgbWlycm9yIHVzZXIgdGhlbiBoZSBtaXJyb3JzIHlvdXIg
ZnRwIHNpdGUuDQorICMNCisgIw0KKyAjVGVzdGVkIHdpdGg6DQorICMkIG1p
cnJvciAtdg0KKyAjJElkOiBtaXJyb3IucGwsdiAyLjkgMTk5OC8wNS8yOSAx
OTowMTowNyBsbWptIEV4cCBsbWptICQNCisgDQorIAkJaWYoICRzcmNfcGF0
aCA9fiAvXHcqXC5cLlwvLyl7DQorICAgICAgICAgICAgICAgICAgICAgICAg
ICZtc2coICRsb2csICJXQVJOSU5HOiBCQUQgZGlyIGRldGVjdGVkLCBza2lw
cGluZzogJHNyY19wYXRoXG4iICk7DQorIAkJCW5leHQ7DQorIAkJfQ0KKyAj
RU5EIGpjcEBFVW5ldC5wdA0KICAJCWlmKCAkZ2V0X2ZpbGUgKXsNCiAgCQkJ
JHNyY2kgPSAkcmVtb3RlX21hcHsgJHNyY19wYXRoIH07DQogIAkJfQ0K
--2126599937-815788345-940425712=:10947--

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:08:03 PDT