FYI Lighttpd 1.4.23 /kernel (trailing '/' on regular file symlink) vulnerability

Eygene Ryabinkin rea-fbsd at codelabs.ru
Wed May 27 10:10:59 UTC 2009


Dag-Erling, *, good day.

Tue, May 26, 2009 at 10:13:21PM +0200, Dag-Erling Smørgrav wrote:
> [moving from security@ to hackers@]
> 
> Jakub Lach <jakub_lach at mailplus.pl> writes:
> > http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/21768
> 
> Like bde@ pointed out, the patch is incorrect.  It moves the test for
> v_type != VDIR up to a point where, in the case of a symlink, v_type is
> always (by definition) VLNK.
> 
> The reason why the current code does not work is that, in the symlink
> case, the v_type != VDIR test is never reached: we will have jumped to
> either bad2 or success.  However, it should be safe to move the test to
> after the success label, because trailing_slash is only ever true for
> the last component of the path we were asked to look up (see lines 520
> through 535).

Maybe the attached patch will fix the thing?  It works for me for 7.2
with WITNESS and INVARIANTS enabled.  It adds an additional flag, but
this was the only thing I was able to invent to avoid ABI breakage.
-- 
Eygene
 _                ___       _.--.   #
 \`.|\..----...-'`   `-._.-'_.-'`   #  Remember that it is hard
 /  ' `         ,       __.--'      #  to read the on-line manual
 )/' _/     \   `-_,   /            #  while single-stepping the kernel.
 `-'" `"\_  ,_.-;_.-\_ ',  fsc/as   #
     _.-'_./   {_.'   ; /           #    -- FreeBSD Developers handbook
    {_.-``-'         {_/            #
-------------- next part --------------
A non-text attachment was scrubbed...
Name: vfs_lookup-trailing-symlink-with-slash.diff
Type: text/x-diff
Size: 5532 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-hackers/attachments/20090527/b99db350/vfs_lookup-trailing-symlink-with-slash.bin
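
A userland regression check for the lookup behaviour discussed in this thread, added here as an example; it is not part of the original message or of the attached patch. The function name, the temporary paths and the bitmask values are made up for the example, and it assumes that a path ending in '/' which resolves through a symlink to a regular file must fail with ENOTDIR.

```c
#define _XOPEN_SOURCE 700   /* for mkdtemp() and symlink() */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 0 when "<symlink-to-regular-file>/" is rejected with ENOTDIR by
 * stat(), open() and access() while "<symlink-to-directory>/" still resolves.
 * Otherwise a bitmask of failed probes, or -1 on setup error (constructed paths). */
int check_trailing_slash(void)
{
    char dir[] = "/tmp/tslash.XXXXXX";
    char file[64], flink[64], dlink[64], probe[80];
    struct stat sb;
    int fd, failed = 0;
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(file, sizeof(file), "%s/regular", dir);
    snprintf(flink, sizeof(flink), "%s/flink", dir);
    snprintf(dlink, sizeof(dlink), "%s/dlink", dir);
    if ((fd = open(file, O_CREAT | O_WRONLY, 0600)) < 0)
        return -1;
    close(fd);
    if (symlink(file, flink) != 0 || symlink(dir, dlink) != 0)
        return -1;
    /* Symlink to a regular file plus '/': every lookup must fail. */
    snprintf(probe, sizeof(probe), "%s/", flink);
    if (stat(probe, &sb) == 0 || errno != ENOTDIR)
        failed |= 1;
    fd = open(probe, O_RDONLY);
    if (fd >= 0 || errno != ENOTDIR)
        failed |= 2;
    if (fd >= 0) close(fd);
    if (access(probe, R_OK) == 0 || errno != ENOTDIR)
        failed |= 4;
    /* Symlink to a directory plus '/': must keep resolving. */
    snprintf(probe, sizeof(probe), "%s/", dlink);
    if (stat(probe, &sb) != 0 || !S_ISDIR(sb.st_mode))
        failed |= 8;
    unlink(flink); unlink(dlink); unlink(file); rmdir(dir);
    return failed;
}
int main(void)
{
    return check_trailing_slash() != 0;
}
```

A non-zero exit status means at least one probe did not behave as expected; bits 1, 2 and 4 of the mask correspond to stat(), open() and access() on the file symlink, and bit 8 to the directory symlink.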