[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Patch to harden config.guess [was Re: Security vulnerability in automake

From: Lawrence Teo
Subject: Patch to harden config.guess [was Re: Security vulnerability in automake]
Date: Mon, 10 Jun 2002 16:53:37 -0400

Here's a patch that I wrote to address that security "hole" in config.guess. I sent it to address@hidden on June 4, 2002 but have not heard from them since. The patch works with GNU config.guess 2002-05-29, available at

The patch tries to ensure that config.guess will only produce non-existent dummy filenames. It generates dummy filenames by checking the existence of dummy-$$-n and dummy-$$-n.{c,o,rel,s}, where n=1 and keeps incrementing, until no such files exist.

This doesn't necessarily prevent the symlink attack, but I believe it'll harden config.guess signficantly. Also, I used this method instead of generating a random hash value because I think we can't assume that config.guess will always run on hosts with md5sum or cksum available.

I'm not an expert at portable Bourne shell scripting, and there may be other issues with the patch, so if possible, please let me know what you think. Thank you.


Lawrence Teo
lcteo at uncc dot edu

Chat with friends online, try MSN Messenger:

Attachment: config-symlink.diff.gz
Description: application/gzip

reply via email to

[Prev in Thread] Current Thread [Next in Thread]