[asterisk-bugs] [JIRA] (ASTERISK-30213) Make crypto_load() reentrant and handle symlinks correctly

Friendly Automation (JIRA) noreply at issues.asterisk.org
Mon Oct 10 10:15:10 CDT 2022


    [ https://issues.asterisk.org/jira/browse/ASTERISK-30213?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=260423#comment-260423 ] 

Friendly Automation commented on ASTERISK-30213:
------------------------------------------------

Change 19421 merged by George Joseph:
res_crypto: don't modify fname in try_load_key()

https://gerrit.asterisk.org/c/asterisk/+/19421

> Make crypto_load() reentrant and handle symlinks correctly
> ----------------------------------------------------------
>
>                 Key: ASTERISK-30213
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-30213
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Resources/res_crypto
>    Affects Versions: 20.0.0, 19.6.0, 16.28.0, 18.14.0
>            Reporter: Philip Prindeville
>            Assignee: Philip Prindeville
>            Severity: Major
>
> Currently readdir() is called in crypto_load() directly, rather than with the locking protection of ast_file_read_dirs().
> Also, when a symlink is discovered, we should check the ownership of its parent directories for being owned by the running uid or by root.  Lastly, the key file itself should not have other read/write permissions set.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
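
The checks requested in the issue description, sketched as an added C example; this is not the code from change 19421 or from res_crypto. The function names are hypothetical, "running uid" is taken to mean geteuid(), and the parent directories vetted are assumed to be those of the symlink's resolved target.

```c
#define _XOPEN_SOURCE 700   /* lstat(), realpath(), geteuid() */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: 1 if every directory above the absolute, symlink-free
 * path `resolved` is owned by root or by `uid`, else 0. */
static int parents_trusted(const char *resolved, uid_t uid)
{
    char dir[PATH_MAX], *slash;
    struct stat st;
    snprintf(dir, sizeof(dir), "%s", resolved);
    while ((slash = strrchr(dir, '/')) != NULL) {
        if (slash == dir) dir[1] = '\0'; else *slash = '\0';  /* trim last component */
        if (stat(dir, &st) != 0 || !S_ISDIR(st.st_mode)) return 0;
        if (st.st_uid != 0 && st.st_uid != uid) return 0;
        if (slash == dir) break;                              /* "/" was just checked */
    }
    return 1;
}

/* Hypothetical check: 1 if `path` may be loaded as a key file, 0 to skip it. */
int key_file_acceptable(const char *path)
{
    char resolved[PATH_MAX];
    struct stat lst, st;
    if (lstat(path, &lst) != 0) return 0;
    if (S_ISLNK(lst.st_mode)) {
        /* Symlink: resolve it, then vet the directories leading to the target. */
        if (realpath(path, resolved) == NULL) return 0;
        if (!parents_trusted(resolved, geteuid())) return 0;
        path = resolved;
    }
    if (stat(path, &st) != 0 || !S_ISREG(st.st_mode)) return 0;
    /* The key itself must not be readable or writable by "other". */
    return !(st.st_mode & (S_IROTH | S_IWOTH));
}

int main(int argc, char **argv)
{
    for (int i = 1; i < argc; i++)
        printf("%s: %s\n", argv[i], key_file_acceptable(argv[i]) ? "ok" : "skip");
    return 0;
}
```

These checks work on path names, so the file can change between the check and the open; code that goes on to read the key should open it first and apply fstat() to the descriptor.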


