[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Chicken-hackers] [PATCH 2/4] csi: fix untrusted code execution by (
|
From: |
Peter Bex |
|
Subject: |
Re: [Chicken-hackers] [PATCH 2/4] csi: fix untrusted code execution by (load)ing ./.csirc |
|
Date: |
Fri, 15 Mar 2013 15:36:19 +0100 |
|
User-agent: |
Mutt/1.4.2.3i |
On Fri, Mar 15, 2013 at 03:17:59PM +0100, Florian Zumbiehl wrote:
> Hi,
> > On Fri, Mar 15, 2013 at 06:58:42AM +0100, Florian Zumbiehl wrote:
> > This is pretty serious. I'll request a CVE and issue an advisory
> > shortly, once this patch has gone in. Attached is a slightly improved
> > patch which just ignores HOME if it's empty, as that's a little
> > friendlier (it's not serious if HOME is empty and it can be easily
> > recovered from).
>
> I generally prefer noisy breakage to silently fixing bogus things up, but I
> guess in this case it doesn't really matter ... ;-)
I'd generally agree but in this case I think that's not a problem.
If HOME has any other "bogus" value (a nonexistent directory, say), it
will not error out either. If the file doesn't exist it won't error
either. So for consistency it makes sense to ignore empty HOME.
> > Maybe this could be treated by catching an exception? OTOH, it shouldn't
> > matter much, as the only one who should have access to ~/.csirc is the
> > user himself.
>
> Catching the exception doesn't really help as you cannot really figure out
> what the problem was? You probably wouldn't want to ignore an I/O error,
> say.
Yeah, we have a ticket about that (#416); maybe you can reopen it and
weigh with on your opinion, as this keeps popping up again and again.
Cheers,
Peter
--
http://www.more-magic.net