Has CVE-2013-4235 been fixed ？

[cheng362432]

reference：https://bugzilla.redhat.com/show_bug.cgi?id=884658

[hallyn]

I don't see any changes since 2010 to the src/remove_tree.c, so I don't think so. However, I'm not sure the CVE is legitimate. remove_tree() uses lstat() to check for a directory, and only descends non-link directories. Hard links are not allowed for directories.

Knowing Florian, however, I expect I'm misunderstanding something. Would be good to get elaboration.

[Blub]

Assuming remove_tree() is a problem here (because it may be called on the user's home directory from userdel while the user is still logged in (or at least has evil programs running)), these calls happen by-name, so the time between the lstat() and the recursion would give the user a chance to turn the name into a symbolic link right before the opendir() happens. So if this is the a problematic scenario then this should be switched to open->fstat->fdopendir (which I think is also more efficient anyway, so not wrong either way).

[hallyn]

Oh, I was thinking just the link target would be switched. Yeah, that seems worth doing. Thanks.

If one of you has time to float a patch, please leave a note before you start (to avoid duplicate work).

[cheng362432]

Are there any plans to fix this CVE？

[hallyn]

Are there any plans to fix this CVE？

Please feel free to open a PR with a patch.

[edneville]

Since the underlying issue is a user logged in whilst userdel runs, would it make sense to add a script in /etc/shadow-maint/userdel-pre.d/ to logout the user for deletion?

[sweetylz]

Does shadow install the script, or do we need to install it ourselves?

[hallyn]

Does shadow install the script, or do we need to install it ourselves?

It is not being installed by default.

(Doing so would almost certainly be unsafe for some users)

[jhawkins1]

Still fuzzy to me on the current state of this CVE... Various Linux Distros still say it is open and no fix upstream... Based on the discussion in this thread, was this fixed as of 4.11.1 ?