[12287] in bugtraq
Re: mirror 2.9 hole
daemon@ATHENA.MIT.EDU (jcp)
Wed Oct 20 13:31:14 1999
Mime-Version: 1.0
Content-Type: MULTIPART/MIXED; BOUNDARY="2126599937-815788345-940425712=:10947"
Content-Id: <Pine.LNX.4.20.9910201422060.10947@misty.EUnet.pt>
Message-Id: <Pine.LNX.4.20.9910201409290.10947-200000@misty.EUnet.pt>
Date: Wed, 20 Oct 1999 14:25:50 +0100
Reply-To: jcp <lists@MISTY.EUNET.PT>
From: jcp <lists@MISTY.EUNET.PT>
X-To: Stefan Kelm <kelm@PCA.DFN.DE>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <199910191523.RAA15824@procert.cert.dfn.de>
This message is in MIME format. The first part should be readable text,
while the remaining parts are likely unreadable without MIME-aware tools.
Send mail to mime@docserver.cac.washington.edu for more info.
--2126599937-815788345-940425712=:10947
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Content-ID: <Pine.LNX.4.20.9910201422061.10947@misty.EUnet.pt>
version stats:
$Id: mirror.pl,v 2.9 1998/05/29 19:01:07 lmjm Exp lmjm $
The author of mirror, Lee McLoughlin, had this to say:
...
<QUOTE>
Anyhow. A simple fix to overcome this problem is to add the following to your
mirror.defaults
(and to any package that overrides this setting):
name_mappings=s:\.\./:__/:g
This should convert names like:
" ../rot"
to
" __/rot"
BUT I'VE NOT TESTED THIS!
</QUOTE>
...
I also didn't test this.I did make a quick patch to the mirror.pl script
to warn/log about attempts. Patch included.
regards
--
Jose' Carlos Pereira
On Tue, 19 Oct 1999, Stefan Kelm wrote:
[snip]
> I can confirm the behaviour you describe for mirror.pl,v 2.8 running on
> solaris although I wasn't able to create any temporary files by using a
> "\" in either the file names or the directory names.
>
> However, the default mirror configuration shows the following part:
>
> # Don't touch anything whose name begins with a space!
> exclude_patt=(^|/)(.mirror$|.in..*.$|MIRROR.LOG|#.*#|.FSP|.cache|.zipped|lost+found/| )
>
> (you might want to quote the space character at the end)
>
> Even the man page recommends using the line above. Be careful not to
> overwrite the keyword exclude_patt in your own mirror files. If you do
> have to use exclude_patt be sure to specify somethink like:
>
> exclude_patt+|^blah/| (note the "+" sign!)
>
> This should not allow temporary files to be created through " ..". At
> least it didn't on my system. :-)
>
> Cheers,
>
> Stefan.
--2126599937-815788345-940425712=:10947
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII; NAME="mirror2.9.patch"
Content-Transfer-Encoding: BASE64
Content-ID: <Pine.LNX.4.20.9910201421520.10947@misty.EUnet.pt>
Content-Description:
Content-Disposition: ATTACHMENT; FILENAME="mirror2.9.patch"
KioqIG1pcnJvci5wbAlNb24gSnVuICA4IDExOjU1OjI3IDE5OTgNCi0tLSAv
dXNyL2xvY2FsL21pcnJvcjIuOS9taXJyb3IJV2VkIFNlcCAyOSAxNjozNDow
MSAxOTk5DQoqKioqKioqKioqKioqKioNCioqKiAyNjU3LDI2NjIgKioqKg0K
LS0tIDI2NTcsMjcwMSAtLS0tDQogIAkkbm9fcmVuYW1lID0gKCEgJHJlbW90
ZV9oYXNfcmVuYW1lKSB8fCAoJHJlbW90ZV9mcyBlcSAnbWFjb3MnICYmICEg
JGdldF9maWxlKTsNCiAgDQogIAlmb3JlYWNoICRzcmNfcGF0aCAoIEB4ZmVy
X3NyYyApew0KKyANCisgIyMNCisgI0JFR0lOIGpjcEBFVW5ldC5wdCAxOTk5
LzA5LzI5DQorICMNCisgI0RhdGU6IFR1ZSwgMjggU2VwIDE5OTkgMTg6Mjc6
NTQgKzA0MDANCisgI0Zyb206IDNBUEEzQSA8d2lzZUB0b21jYXQucnU+DQor
ICNUbzogQlVHVFJBUUBTRUNVUklUWUZPQ1VTLkNPTQ0KKyAjU3ViamVjdDog
bWlycm9yIDIuOSBob2xlDQorICMNCisgI0hlbGxvIEJVR1RSQVFAU0VDVVJJ
VFlGT0NVUy5DT00sDQorICMNCisgI21pcnJvciBpcyBhIFBlcmwgc2NyaXB0
IHdoaWNoIGlzIHdpZGVseSB1c2VkIGZvciBtYWtpbmcgY29weSBvZiByZW1v
dGUNCisgI0ZUUCBzaXRlLiBJdCdzIGluY2x1ZGVkIGluIEZyZWVCU0QgcGFj
a2FnZXMuIFRoZXJlIGFyZSBzZWN1cml0eSBob2xlcywNCisgI3doaWNoICAg
YWxsb3dzICBvdmVyd3JpdGUgIGxvY2FsICBmaWxlcyAgZnJvbSAgcmVtb3Rl
ICBmdHAgIHNpdGUgIHdpdGgNCisgI3Blcm1pc3Npb25zICBvZiAgdGhlICB1
c2VyICB3aG8gdXNlcyBtaXJyb3IuIFRoZW4gcmV0cmlldmluZyBkaXJlY3Rv
cnkNCisgI2xpc3RpbmcgIG1pcnJvciAgZG9lc24ndCAgY2hlY2sgIGZpbGVu
YW1lIG9yIGRpcmVjdG9yeSBuYW1lIHRvIGNvbnRhaW4NCisgIyIuLiIgIG9y
ICAiXCIgIFRoaXMgIGFsbG93cyAgdG8gY3JlYXRlIG9yIG92ZXJ3cml0ZSBm
aWxlcyBpbiBkaXJlY3RvcnkNCisgI2RpZmZlcmVudCBmcm9tIGRlc3RpbmF0
aW9uLg0KKyAjDQorICNUbyAgc2ltcGx5ICB0ZXN0ICB0aGlzICBidWcgeW91
IGNhbiBjcmVhdGUgIiAuLiIgZGlyZWN0b3J5IG9uIHlvdXIgZnRwDQorICNz
aXRlICBhbmQgIG1pcnJvciAgeW91ciAgc2l0ZS4gIE1pcnJvciAgd2lsbCBj
cmVhdGUgdGVtcG9yYXJ5IGZpbGVzIGluDQorICNkaXJlY3RvcnkgIG9uZSAg
bGV2ZWwgIGhpZ2hlciAgdGhlbiAgc3BlY2lmeWVkLiAgVGhpcyB3YXkgeW91
IGNvdWxkbid0DQorICNvdmVyd3JpdGUgIHNvbWUgdXNlZnVsIGluZm9ybWF0
aW9uLCBidXQgdGhpcyBtYXkgYmUgdXNlZCwgZm9yIGV4YW1wbGUsDQorICN0
byBmaWxsIG91dCAvIGRpcmVjdG9yeSAoaWYgbWlycm9yIGlzIHJhbiBmcm9t
IHJvb3QpLg0KKyAjDQorICNCdXQgIHdpdGggcHV0dGluZyBsaXR0bGUgY2hh
bmdlcyBpbnRvIHlvdSBmdHBkIChmb3IgZXhhbXBsZSBtYWtpbmcgaGltDQor
ICNjaGFuZ2UgJ1wnIHRvICcvJyBvbiBsaXN0aW5ncykgeW91IGNhbiBmb3Jj
ZSBtaXJyb3IgdG8gb3ZlcndyaXRlIF9hbnlfDQorICNmaWxlIHdpdGggcGVy
bWlzc2lvbnMgb2YgbWlycm9yIHVzZXIgdGhlbiBoZSBtaXJyb3JzIHlvdXIg
ZnRwIHNpdGUuDQorICMNCisgIw0KKyAjVGVzdGVkIHdpdGg6DQorICMkIG1p
cnJvciAtdg0KKyAjJElkOiBtaXJyb3IucGwsdiAyLjkgMTk5OC8wNS8yOSAx
OTowMTowNyBsbWptIEV4cCBsbWptICQNCisgDQorIAkJaWYoICRzcmNfcGF0
aCA9fiAvXHcqXC5cLlwvLyl7DQorICAgICAgICAgICAgICAgICAgICAgICAg
ICZtc2coICRsb2csICJXQVJOSU5HOiBCQUQgZGlyIGRldGVjdGVkLCBza2lw
cGluZzogJHNyY19wYXRoXG4iICk7DQorIAkJCW5leHQ7DQorIAkJfQ0KKyAj
RU5EIGpjcEBFVW5ldC5wdA0KICAJCWlmKCAkZ2V0X2ZpbGUgKXsNCiAgCQkJ
JHNyY2kgPSAkcmVtb3RlX21hcHsgJHNyY19wYXRoIH07DQogIAkJfQ0K
--2126599937-815788345-940425712=:10947--
