[asterisk-bugs] [JIRA] (ASTERISK-30213) Make crypto_load() reentrant and handle symlinks correctly

George Joseph (JIRA) noreply at issues.asterisk.org
Thu Sep 8 08:04:09 CDT 2022


     [ https://issues.asterisk.org/jira/browse/ASTERISK-30213?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

George Joseph updated ASTERISK-30213:
-------------------------------------

    Status: Open  (was: Triage)

> Make crypto_load() reentrant and handle symlinks correctly
> ----------------------------------------------------------
>
>                 Key: ASTERISK-30213
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-30213
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Resources/res_crypto
>    Affects Versions: 20.0.0, 19.6.0, 16.28.0, 18.14.0
>            Reporter: Philip Prindeville
>            Severity: Major
>
> Currently readdir() is called in crypto_load() directly, rather than with the locking protection of ast_file_read_dirs().
> Also, when a symlink is discovered, we should check the ownership of its parent directories for being owned by the running uid or by root.  Lastly, the key file itself should not have other read/write permissions set.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
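
The two file checks the description asks for, sketched as an added example; this is not Asterisk's code or the eventual patch. The function names are hypothetical, and it assumes "parent directories" means those of the symlink's resolved target.

```c
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Key must be a regular file with no read/write bits for "other". */
static int key_mode_ok(mode_t m) { return S_ISREG(m) && (m & (S_IROTH | S_IWOTH)) == 0; }

/* A directory is trusted only if owned by root or by the running uid. */
static int owner_trusted(uid_t owner, uid_t me) { return owner == 0 || owner == me; }

/* Walk from the directory holding `resolved` up to "/", checking each owner. */
static int parents_trusted(const char *resolved, uid_t me)
{
    char buf[PATH_MAX], *slash;
    struct stat st;
    if (resolved[0] != '/' || strlen(resolved) >= sizeof(buf)) return 0;
    strcpy(buf, resolved);
    while ((slash = strrchr(buf, '/')) != NULL) {
        slash[slash == buf ? 1 : 0] = '\0';  /* keep "/" itself for the root */
        if (stat(buf, &st) != 0 || !S_ISDIR(st.st_mode)) return 0;
        if (!owner_trusted(st.st_uid, me)) return 0;
        if (slash == buf) return 1;          /* reached "/" */
    }
    return 0;
}

/* Hypothetical helper: returns 0 if the key passes both checks, -1 otherwise. */
int key_file_acceptable(const char *path)
{
    char resolved[PATH_MAX];
    struct stat lst, st;
    if (lstat(path, &lst) != 0 || stat(path, &st) != 0) return -1;
    if (!key_mode_ok(st.st_mode)) return -1;
    /* Assumption: the ownership walk covers the symlink's resolved target. */
    if (S_ISLNK(lst.st_mode) &&
        (!realpath(path, resolved) || !parents_trusted(resolved, geteuid())))
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    for (int i = 1; i < argc; i++)
        printf("%s: %s\n", argv[i], key_file_acceptable(argv[i]) ? "rejected" : "ok");
    return 0;
}
```

Code that goes on to read the key would open the file first and apply the mode check with fstat() on the descriptor, so that the file checked is the file read.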


