Friday, February 22, 2013

lophttpd caching trickery

I added 404-caching to lophttpd, in the hope that
it will result in overall speedup if a lot of clients
try to fetch non-existing files (favicon.ico etc.)

The key for the cache is the first line that is sent,
so once we see this request again, we dont need to parse the
entire header, decode the pathname and stat() it before we send
the error reply. Good, eh?

Thursday, February 14, 2013

Valentine pam_fprintd trickery

Anyone can give your finger by spoofing DBUS signals
to pam_fprintd, effectively bypassing fprintd authentication.
Tested with fprintd 0.41.
darklena is the PoC and the authors have been informed.

Its probably about time to check dbus-glib usage or usage
of DBUS signals in privileged code in general.

[Update:] successfully tested on a vanilla FC16 setup with
fprintd installed from repository and SELinux target config
left as-is: