Adrian Friedli

  • Registered on: 07/15/2008
  • Last connection: 11/09/2008

Activity

Reported issues: 2

11/10/2008

12:23 AM Yzis Bug #413: symlink attack vulnerability
Hi, The return value of the file deletion is not being checked, so yzis goes happily on as before if the file can't be deleted. This is the case when the symlink doesn't belong to the user running yzis. And maybe there is still a race condit...

11/06/2008

11:34 PM Yzis Bug #413: symlink attack vulnerability
Hi, libyzis is vulnerable to a symlink attack. YDebugBackend writes to "/tmp/yzisdebug-$USER.log". If a malicious user creates a symlink there, he will be able to overwrite files owned by the user running yzis. In 1.0-alpha1 yzis will exit...

07/15/2008

11:42 PM Yzis Bug #307: uselessly linked libraries
While packaging yzis for Debian I get the warnings below. It seems parts of yzis are linked against libraries whose symbols aren't used. dpkg-shlibdeps: warning: dependency on libgcc_s.so.1 could be avoided if "debian/libyzis0/usr/lib/libyzis.s...
