[asterisk-bugs] [JIRA] (ASTERISK-30213) Make crypto_load() reentrant and handle symlinks correctly
Asterisk Team (JIRA)
noreply at issues.asterisk.org
Thu Dec 15 07:06:03 CST 2022
[ https://issues.asterisk.org/jira/browse/ASTERISK-30213?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Asterisk Team updated ASTERISK-30213:
-------------------------------------
Target Release Version/s: 20.1.0
> Make crypto_load() reentrant and handle symlinks correctly
> ----------------------------------------------------------
>
> Key: ASTERISK-30213
> URL: https://issues.asterisk.org/jira/browse/ASTERISK-30213
> Project: Asterisk
> Issue Type: Bug
> Security Level: None
> Components: Resources/res_crypto
> Affects Versions: 16.28.0, 18.14.0, 19.6.0, 20.0.0
> Reporter: Philip Prindeville
> Assignee: Philip Prindeville
> Severity: Major
> Target Release: 16.30.0, 19.8.0, 20.1.0
>
>
> Currently readdir() is called in crypto_load() directly, rather than with the locking protection of ast_file_read_dirs().
> Also, when a symlink is discovered, we should check the ownership of its parent directories for being owned by the running uid or by root. Lastly, the key file itself should not have other read/write permissions set.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
More information about the asterisk-bugs
mailing list