[uWSGI] [SECURITY] patch for potential stack bypassing

Roberto De Ioris roberto at unbit.it
Tue Feb 6 17:22:01 UTC 2018

Hi everyone, the following patch (available for both 2.0 and 2.1) fixes
a potential security vulnerability reported yesterday:


Any modern system should not be vulnerable thanks to out-of-the-box
protections like stack canary and friends. (basically if you pass a path
bigger than PATH_MAX, uWSGI will crash or will trigger a stack corruption

Albeit using it for some kind of useful attack seems very improbable, the
new approach is way more robust than the previous one as it checks for the
path size before calling realpath() too.

Roberto De Ioris

More information about the uWSGI mailing list