[asterisk-bugs] [JIRA] (ASTERISK-30213) Make crypto_load() reentrant and handle symlinks correctly
Philip Prindeville (JIRA)
noreply at issues.asterisk.org
Wed Sep 7 14:43:08 CDT 2022
Philip Prindeville created ASTERISK-30213:
---------------------------------------------
Summary: Make crypto_load() reentrant and handle symlinks correctly
Key: ASTERISK-30213
URL: https://issues.asterisk.org/jira/browse/ASTERISK-30213
Project: Asterisk
Issue Type: Bug
Security Level: None
Components: Resources/res_crypto
Affects Versions: 18.14.0, 16.28.0, 19.6.0, 20.0.0
Reporter: Philip Prindeville
Severity: Major
Currently readdir() is called in crypto_load() directly, rather than with the locking protection of ast_file_read_dirs().
Also, when a symlink is discovered, we should check the ownership of its parent directories for being owned by the running uid or by root. Lastly, the key file itself should not have other read/write permissions set.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
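The checks described in the report, as an added C example that is not part of the original message or of Asterisk's res_crypto code. The names `check_key_path`, `parents_trusted`, `owner_trusted` and `mode_private` are hypothetical, and the sketch assumes the parent directories to examine are those of the symlink's resolved target.

```c
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum key_check { KEY_OK, KEY_ERR, KEY_NOT_REGULAR, KEY_BAD_MODE, KEY_BAD_PARENT };

/* A directory owner is acceptable if it is root or the uid we run as. */
static int owner_trusted(uid_t owner, uid_t self) { return owner == 0 || owner == self; }

/* "Other" must have neither read nor write permission on the key file. */
static int mode_private(mode_t mode) { return (mode & (S_IROTH | S_IWOTH)) == 0; }

/* Check every ancestor directory of an absolute, already-resolved path up to "/". */
static int parents_trusted(const char *resolved, uid_t self)
{
    char buf[PATH_MAX], *slash;
    struct stat st;
    snprintf(buf, sizeof(buf), "%s", resolved);
    while ((slash = strrchr(buf, '/')) != NULL) {
        if (slash == buf) slash[1] = '\0'; else *slash = '\0';   /* keep "/" itself */
        if (stat(buf, &st) != 0 || !S_ISDIR(st.st_mode) || !owner_trusted(st.st_uid, self))
            return 0;
        if (slash == buf) break;
    }
    return 1;
}

/* Assumption of this sketch: the directories checked are those of the resolved target. */
enum key_check check_key_path(const char *path)
{
    char resolved[PATH_MAX];
    struct stat lst, st;
    if (lstat(path, &lst) != 0 || !realpath(path, resolved) || stat(resolved, &st) != 0)
        return KEY_ERR;                       /* missing file or dangling symlink */
    if (!S_ISREG(st.st_mode)) return KEY_NOT_REGULAR;
    if (!mode_private(st.st_mode)) return KEY_BAD_MODE;
    if (S_ISLNK(lst.st_mode) && !parents_trusted(resolved, geteuid())) return KEY_BAD_PARENT;
    return KEY_OK;
}

int main(int argc, char **argv)
{
    for (int i = 1; i < argc; i++)
        printf("%s: %d\n", argv[i], check_key_path(argv[i]));
}
```

A loader that goes on to read the key would repeat the mode check with fstat() on the opened descriptor, so the file cannot be swapped between the check and the read.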