reopen 645516 retitle 645516 hardlink: Security issue on changing trees thanks
On Sun, Oct 16, 2011 at 05:24:17PM +0200, Julian Andres Klode wrote:
> On Sun, Oct 16, 2011 at 05:08:08PM +0200, Luciano Bello wrote:
> > Package: hardlink
> > Severity: grave
> > Tags: security
> >
> > Hi Julian,
> > A security problem in hardlink had been reported:
> > http://www.openwall.com/lists/oss-security/2011/10/15/2
> >
> > The report refers to Fedora. Can you check if any Debian version is
> > affected?
>
> It affects a version of hardlink written in C. Our version is
> written in Python. Both have the same name, but are implemented
> differently.

Well, they are implemented differently but still both affected by the attack stated in CVE-2011-3632. The following patch will be included in the next release of hardlink.

From fc4da208525366aba289c7a150eb8a7d304d2238 Mon Sep 17 00:00:00 2001
From: Julian Andres Klode <j...@debian.org>
Date: Tue, 28 Feb 2012 16:27:11 +0100
Subject: [PATCH 1/2] Document security issues (Closes: #645516, like CVE-2011-3632)

It seems that we are just as well affected by the same problem as CVE-2011-3632 in the original hardlink.c tool.
---
 debian/changelog | 1 +
 hardlink.1 | 9 +++++++++
 2 files changed, 10 insertions(+), 0 deletions(-)

diff --git a/debian/changelog b/debian/changelog index 21922b7..1649e07 100644 --- a/debian/changelog +++ b/debian/changelog @@ -2,6 +2,7 @@ hardlink (0.1.2) UNRELEASED; urgency=low * Support files on the command line (Closes: #608864) * Mention duplicate and identical in the description (Closes: #619851) + * Document security issues (Closes: #645516, like CVE-2011-3632) * Upgrade to debhelper 9 * Upgrade to Policy 3.9.3 and copyright-format 1.0 diff --git a/hardlink.1 b/hardlink.1 index 71e7632..83ce1c0 100644 --- a/hardlink.1 +++ b/hardlink.1 
@@ -54,6 +54,15 @@ is used without \-\-exclude, only files matched by the pattern are included. .B hardlink takes one or more directories which will be searched for files to be linked. +.SH BUGS +.B hardlink +assumes that the trees it operates on do not change during +operation. If a tree does change, the result is undefined and potentially +dangerous. For example, if a regular file is replaced by a device, hardlink +may start reading from the device. If a component of a path is replaced by +a symbolic link or file permissions change, security may be compromised. Do +not run hardlink on a changing tree or on a tree controlled by another user. + .SH AUTHOR The program hardlink and this manpage have been written by Julian Andres Klode, and are licensed under the MIT license. See the code of hardlink for further -- 1.7.9.1 -- Julian Andres Klode - Debian Developer, Ubuntu Member See http://wiki.debian.org/JulianAndresKlode and http://jak-linux.org/.
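Review bot: the debian/changelog line `+ * Document security issues (Closes: #645516, like CVE-2011-3632)` closes a bug filed at severity grave with the security tag, yet the change it records is documentation only and the Python code's behaviour is unchanged; the entry should say that plainly, and "like CVE-2011-3632" should make clear that the Debian package has the same class of problem as the C tool rather than that CVE itself, for example `* Document that hardlink must not be run on changing or untrusted trees (Closes: #645516; same issue as CVE-2011-3632 in hardlink.c)`.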
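Review bot: in the new BUGS section of hardlink.1, "security may be compromised" is vague next to the concrete device example that precedes it; state the consequence the paragraph implies, namely that hardlink follows the swapped component and reads or links a file it was never asked to touch, so the reader understands why a tree writable by another user is unsafe. Also, the empty `+` line before `.SH AUTHOR` puts a literal blank line into roff source; `.SH` already starts a new section, so the blank line can be dropped (or `.PP` used where a paragraph break is intended).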
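As an added defensive illustration (not code from hardlink or its author): the two failure modes the BUGS text names, a path component swapped for a symbolic link and a regular file swapped for a device, are both time-of-check/time-of-use races between listing a tree and opening a file in it. The Python below shows how a tree-walking tool can open each path component relative to the previous directory descriptor with `O_NOFOLLOW`, then check the descriptor it actually obtained with `fstat`, so that a swap is refused instead of followed. The helper names, the `UnsafePath` exception and the temporary tree the demo builds are all constructed for this example; a FIFO stands in for the device node, which needs privileges to create.

```python
"""Race-safe opening of files beneath a tree (added example, not hardlink code).

A tool that lists a tree and later opens the files it found must not trust
the path string in between: any component may have been replaced. Opening
component by component with O_NOFOLLOW relative to a directory descriptor,
and inspecting the result with fstat, turns such a swap into an error.
"""
import os
import stat
import tempfile


class UnsafePath(Exception):
    """Raised when a path no longer denotes what the caller expected."""


def _open_component(dir_fd, name, directory):
    """Open one path component relative to dir_fd, never following a symlink.

    O_NONBLOCK stops a FIFO from blocking the open, O_NOCTTY stops a
    terminal device from becoming our controlling tty, O_DIRECTORY makes
    the kernel reject anything that is not a directory."""
    flags = os.O_RDONLY | os.O_NOFOLLOW | os.O_NOCTTY | os.O_NONBLOCK
    if directory:
        flags |= os.O_DIRECTORY
    try:
        return os.open(name, flags, dir_fd=dir_fd)
    except OSError as e:  # ELOOP for a symlink, ENOTDIR for a non-directory
        raise UnsafePath(f"{name!r}: {e.strerror}") from e


def open_regular_below(root, relpath):
    """Open root/relpath, refusing symlinks at every component and refusing
    anything that is not a regular file at the end.

    Returns (fd, st): st is the fstat of the opened descriptor, so later
    decisions (size, inode, link count) concern the file actually opened,
    not a path that may have changed since the scan."""
    parts = [p for p in relpath.split(os.sep) if p not in ("", ".")]
    if not parts:
        raise UnsafePath("relpath must name a file, not the root")
    if any(p == ".." for p in parts):
        raise UnsafePath("'..' components are not allowed")
    fd = _open_component(None, root, directory=True)  # None: relative to cwd
    try:
        for name in parts[:-1]:
            nfd = _open_component(fd, name, directory=True)
            os.close(fd)
            fd = nfd
        ffd = _open_component(fd, parts[-1], directory=False)
    finally:
        os.close(fd)
    st = os.fstat(ffd)
    if not stat.S_ISREG(st.st_mode):
        os.close(ffd)
        raise UnsafePath(f"{relpath!r} is not a regular file (mode {oct(st.st_mode)})")
    return ffd, st


def still_same_file(st, expected):
    """True if the opened file is the object seen during the scan (same
    device and inode), i.e. nothing was substituted in between."""
    return (st.st_dev, st.st_ino) == (expected.st_dev, expected.st_ino)


def demo():
    """Build a small constructed tree and exercise the four cases."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "d"))
        ok_path = os.path.join(root, "d", "ok.txt")
        with open(ok_path, "w") as f:
            f.write("identical content\n")
        scanned = os.lstat(ok_path)  # what a tree scan would have recorded
        # last component swapped for a symlink (target is irrelevant)
        os.symlink("../../outside", os.path.join(root, "d", "link.txt"))
        # intermediate component swapped for a symlink to a real directory
        os.symlink(os.path.join(root, "d"), os.path.join(root, "dlink"))
        # regular file replaced by a FIFO (stands in for a device node)
        os.mkfifo(os.path.join(root, "d", "fifo"))

        fd, st = open_regular_below(root, "d/ok.txt")
        results["ok"] = (os.read(fd, 64) == b"identical content\n"
                         and still_same_file(st, scanned))
        os.close(fd)
        for case, rel in (("symlink_leaf", "d/link.txt"),
                          ("symlink_dir", "dlink/ok.txt"),
                          ("fifo", "d/fifo")):
            try:
                fd, _ = open_regular_below(root, rel)
                os.close(fd)
                results[case] = "opened"  # would be the bug we are avoiding
            except UnsafePath:
                results[case] = "refused"
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The descriptor-relative walk is what protects the intermediate components; `O_NOFOLLOW` alone only guards the final one. Comparing the `fstat` result against the device and inode recorded during the scan is the additional check a linking tool needs before it unlinks one path and links another.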