Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(dracut-install): file created without restricting permissions #2231

Closed
wants to merge 1 commit into from
Closed

fix(dracut-install): file created without restricting permissions #2231

wants to merge 1 commit into from

Conversation

LaszloGombos
Copy link
Collaborator

@LaszloGombos LaszloGombos commented Feb 23, 2023
edited
Loading

github-advanced-security[bot]
github-advanced-security bot found potential problems Feb 23, 2023
View reviewed changes
src/install/dracut-install.c
@@ -682,9 +682,11 @@

_asprintf(&fulldstpath, "%s/lib/dracut/hostonly-files", destrootdir);

f = fopen(fulldstpath, "a");
int fd = open(fulldstpath, O_RDONLY | O_APPEND, 0600);

Check failure

Code scanning / CodeQL

Uncontrolled data used in path expression

This argument to a file access function is derived from [user input (an environment variable)](1) and then passed to open(__path).
@stale
Copy link

stale bot commented Mar 25, 2023

This issue is being marked as stale because it has not had any recent activity. It will be closed if no further activity occurs. If this is still an issue in the latest release of Dracut and you would like to keep it open please comment on this issue within the next 7 days. Thank you for your contributions.

@stale stale bot added the stale communication is stuck label Mar 25, 2023
@stale stale bot closed this Apr 2, 2023
@LaszloGombos
Copy link
Collaborator Author

CC @bdrung for security eval..

tobhe
tobhe reviewed Aug 24, 2023
View reviewed changes
Copy link

@tobhe tobhe left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@bdrung forwarded this to me for security review. Diff looks good to me.

@LaszloGombos LaszloGombos mentioned this pull request Mar 31, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tobhe tobhe tobhe left review comments

@haraldh haraldh Awaiting requested review from haraldh haraldh is a code owner

@danimo danimo Awaiting requested review from danimo

@johannbg johannbg Awaiting requested review from johannbg johannbg is a code owner

Assignees
No one assigned
Labels
stale communication is stuck
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@LaszloGombos @tobhe