public inbox for gcc-bugs@sourceware.org
From: "jistone at redhat dot com" <gcc-bugzilla@gcc.gnu.org>
To: gcc-bugs@gcc.gnu.org
Subject: [Bug libstdc++/104161] Potential Security Vulnerability: remove_all and symbolic link
Date: Thu, 27 Jan 2022 01:51:51 +0000
Message-ID: <bug-104161-4-5WAC9DfS3O@http.gcc.gnu.org/bugzilla/>
In-Reply-To: <bug-104161-4@http.gcc.gnu.org/bugzilla/>

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=104161

Josh Stone <jistone at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jistone at redhat dot com

--- Comment #5 from Josh Stone <jistone at redhat dot com> ---
You also need to use openat, because O_NOFOLLOW only affects the *trailing*
component of the path. That is, if we're removing "/base" and you're down to
"/base/foo/bar", I could change "/base/foo" to a symlink and then you'll open
"/other/bar".
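
The point made in comment #5, as an added example that is not code from the bug thread or from libstdc++: a recursive removal that resolves every name as a single component relative to a directory descriptor it already holds, so no intermediate path component is ever re-resolved. It assumes the POSIX.1-2008 *at() functions; remove_tree, remove_children and demo are hypothetical names, and the directory tree is constructed for the demonstration.

```c
#define _XOPEN_SOURCE 700
#include <dirent.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
#define DIR_FLAGS (O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC)

/* Empty the directory open at dfd (takes ownership of dfd); 0 on success. */
static int remove_children(int dfd)
{
    DIR *d = fdopendir(dfd);
    if (!d) { close(dfd); return -1; }
    int rc = 0;
    for (struct dirent *e; rc == 0 && (e = readdir(d)) != NULL; ) {
        if (!strcmp(e->d_name, ".") || !strcmp(e->d_name, ".."))
            continue;
        /* Single-component name resolved against the handle we hold: no
         * intermediate component exists, and O_NOFOLLOW rejects a symlink. */
        int cfd = openat(dfd, e->d_name, DIR_FLAGS);
        if (cfd >= 0)
            rc = remove_children(cfd) ? -1 : unlinkat(dfd, e->d_name, AT_REMOVEDIR);
        else  /* file or symlink: unlink the name itself, never its target */
            rc = unlinkat(dfd, e->d_name, 0);
    }
    closedir(d);  /* also closes dfd */
    return rc;
}

/* Remove the tree at path; components above path are trusted by the caller. */
int remove_tree(const char *path)
{
    int fd = open(path, DIR_FLAGS);
    return (fd < 0 || remove_children(fd)) ? -1 : rmdir(path);
}

/* Constructed tree: base/sub, base/foo -> ../other, other/bar. 1 = expected. */
int demo(void)
{
    char t[] = "/tmp/rmtreeXXXXXX";
    if (!mkdtemp(t) || chdir(t) || mkdir("base", 0700) || mkdir("other", 0700) ||
        mkdir("base/sub", 0700) || symlink("../other", "base/foo"))
        return 0;
    close(open("other/bar", O_CREAT | O_WRONLY, 0600));
    int mid = open("base/foo/bar", O_RDONLY | O_NOFOLLOW); /* reaches other/bar */
    int ok = mid >= 0 && !remove_tree("base") && !access("other/bar", F_OK);
    close(mid);
    return ok;
}
```

In demo, the path-based open with O_NOFOLLOW succeeds through the symlink in the middle of the path, while remove_tree deletes the symlink itself and leaves other/bar in place.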