Re: autoconf potential bug...
From: Ben Pfaff
Subject: Re: autoconf potential bug...
Date: Tue, 09 Mar 2004 11:02:34 -0800
User-agent: Gnus/5.1006 (Gnus v5.10.6) Emacs/21.3 (gnu/linux)
Shaun Colley <address@hidden> writes:
[...]
> Maybe this is well-known, but when "configure" scripts
> made with autoconf are writing to temp files, they
> sometimes don't check if the file is a symlink (or so
> it seemed to me), so doesn't this present itself as a
> security vulnerability?
>
> As an example, I created a symlink called
> 'config.cache' in the directory of the package I was
> installing, and linked it to /etc/bleh. [...]
Why would an attacker have permission to write into your
directory? Temporary file vulnerabilities generally involve
shared directories, like /tmp, not private directories.
--
Ben Pfaff
email: address@hidden
web: http://benpfaff.org
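
The distinction drawn in the reply above, as an added example that is not part of the original message or of autoconf: a shell check that reports whether writing `config.cache` into a directory is exposed to a symlink planted by another user. The function names `cache_write_risk` and `guarded_write` and the demo directories are hypothetical.

```shell
#!/bin/sh
# Added example (not autoconf code); function names are hypothetical.

# Classify how risky it is to write DIR/NAME:
#   symlink - the target already exists as a symbolic link
#   foreign - DIR is owned by another user
#   shared  - DIR is writable by group or others (like /tmp)
#   private - DIR is owned by us and writable only by us
cache_write_risk() {
    dir=$1 name=$2
    if [ -L "$dir/$name" ]; then echo symlink; return; fi
    if [ ! -O "$dir" ]; then echo foreign; return; fi
    mode=$(ls -ld -- "$dir") || { echo error; return; }  # e.g. "drwxrwxrwt ..."
    case $mode in
        # 6th character is group write, 9th is other write
        ?????w*|????????w*) echo shared ;;
        *) echo private ;;
    esac
}

# Write stdin to DIR/NAME only when the location is private.
guarded_write() {
    risk=$(cache_write_risk "$1" "$2")
    if [ "$risk" != private ]; then
        echo "refusing to write $1/$2: $risk" >&2
        return 1
    fi
    cat > "$1/$2"
}

# Constructed demo in throwaway directories.
demo=$(mktemp -d) || exit 1
mkdir "$demo/priv" "$demo/pub" "$demo/linked"
chmod 700 "$demo/priv" "$demo/linked"
chmod 777 "$demo/pub"
: > "$demo/linked/target"
ln -s target "$demo/linked/config.cache"
for d in priv pub linked; do
    echo "$d: $(cache_write_risk "$demo/$d" config.cache)"
done
rm -rf "$demo"
```

The sticky bit on a directory such as /tmp stops other users from deleting your files but not from creating a link there first, so a sticky world-writable directory is still reported as `shared`.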