[33259] in bugtraq


Re: symlink vul for Antivir / Linux Version 2.0.9-9 (maybe lower)

daemon@ATHENA.MIT.EDU (AntiVir Support)
Tue Jan 27 13:09:13 2004

Date: Tue, 27 Jan 2004 15:55:03 +0100
From: AntiVir Support <support@antivir.de>
To: bugtraq@securityfocus.com
Message-ID: <20040127145503.ALLYOURBASEAREBELONGTOUS.X22531@hbedv.net>
Mail-Followup-To: bugtraq@securityfocus.com
In-Reply-To: <20040113183730.3885.qmail@www.securityfocus.com>

Update Information:
-------------------
On 14 January 2004 we provided a new version of our software that was no
longer vulnerable to the exploit posted by <l0om@excluded.org>. This
version was 2.0.9-11.

It was later determined that a more aggressive brute force symlink
attack would be possible with this version. Therefore, on 15 January
2004 we provided another new version of our software that no longer was
vulnerable to any symlink attacks using the temporary PID files. This
version was 2.0.9-12. Users were able to attain the updated versions
using the internet updater:

	$ antivir --update

or by downloading the latest software package from the website:

	http://www.antivir.de/download/download.htm

Users may check their currently installed version by running:

	$ antivir --version

The significant version information is:

	product version: 2.0.9-12

This version and all subsequent versions are not vulnerable to any
symlink attacks using the temporary PID files.

Solution Information:
---------------------
Previous versions had created temporary files without first checking if
the file already existed. A check for existing files has now been added.
If the file exists, it is removed. A new file is then created using the
exclusive flag. If this is unsuccessful, no temporary file will be created.

Users should not use an NFS mount for AntiVir temporary files since file
locking over NFS does not work on most implementations. As default,
AntiVir uses /tmp or /var/tmp for temporary files.

Additional Information:
---------------------
It should be noted that H+BEDV Datentechnik GmbH was not first contacted
by <l0om@excluded.org>. We learned of the problem through the bugtraq
mailing list.

We ask that all security-related problems be directed to
<security@antivir.de> before being posted publicly. This gives us a
chance to evaluate the problem and determine a course of action without
putting our users at risk. We appreciate your cooperation.
-- 
AntiVir Support
H+BEDV Datentechnik GmbH
<mailto:support@antivir.de>
Lindauer Strasse 21, 88069 Tettnang, Germany
Tel.: +49 (0)7542 500-0
Fax : +49 (0)7542 52510
<http://www.antivir.de>
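
The fix described under "Solution Information" (remove an existing file, then create with the exclusive flag, and give up if that fails), sketched in C as an added example; it is not AntiVir's code and not part of the message above. The function names, the 0600 mode and the /tmp/pidfile-demo-* paths are assumptions made for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: returns an fd for a newly created PID file, or -1. */
int create_pidfile(const char *path)
{
    /* Remove whatever holds the name. unlink() deletes a planted symlink
       itself and leaves the file it points to untouched. */
    if (unlink(path) == -1 && errno != ENOENT)
        return -1;
    /* O_CREAT|O_EXCL fails with EEXIST if the name reappeared after the
       unlink(), even as a dangling symlink. No retry: give up instead. */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd == -1) return -1;
    char buf[32];
    int n = snprintf(buf, sizeof buf, "%ld\n", (long)getpid());
    if (write(fd, buf, (size_t)n) != n) {
        close(fd);
        unlink(path);
        return -1;
    }
    return fd;
}

/* Constructed scenario: a symlink to an empty victim file sits at the PID path.
   Returns 1 if the victim stays empty and the PID path becomes a regular file. */
int demo_planted_symlink(void)
{
    char dir[] = "/tmp/pidfile-demo-XXXXXX", victim[64], pidpath[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(pidpath, sizeof pidpath, "%s/demo.pid", dir);
    int v = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    int setup = v != -1 && symlink(victim, pidpath) == 0;
    int fd = setup ? create_pidfile(pidpath) : -1;
    int ok = fd != -1 && lstat(pidpath, &st) == 0 && S_ISREG(st.st_mode)
             && stat(victim, &st) == 0 && st.st_size == 0;
    if (v != -1) close(v);
    if (fd != -1) close(fd);
    unlink(pidpath); unlink(victim); rmdir(dir);
    return setup ? ok : -1;
}

int main(void) { return demo_planted_symlink() == 1 ? 0 : 1; }
```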
