[FYI] Re: Vulnerability in libtool 1.5
From: Scott James Remnant
Subject: [FYI] Re: Vulnerability in libtool 1.5
Date: Sat, 03 Jan 2004 14:44:57 +0000

On Sat, 2004-01-03 at 10:30, Stefan Nordhausen wrote:
> On Saturday 03 January 2004 05:17, you wrote:
> > There's no other instance of any rm command, so the most devastating
> > thing they can do is cause the temporary output files to not be deleted.
>
> This one is wrong though. Assuming the user running ltmain is root: You
> create symlinks to /home. This will cause mkdir -p to be happy, but
> chmod 700 will _follow_ symlinks and chmod /home to 700. As a result
> users will not be able to access their home directories.
>
This is true.
> > RedHat patch libtool with a far better solution to this that attempts to
> > use mktemp to generate a unique name instead.
>
> But the patch provided by you still contains this line:
> if $mkdir -p "$tmpdir" && chmod 700 "$tmpdir";
> Due to the -p option the call to mkdir remains insecure on systems where
> mktemp is not installed.
>
I'm fairly sure we've never had that patch submitted to us, so I don't
think we can commit it? I'm also not generally keen on relying on the
behaviour of a non-standard utility like mktemp.
OTOH I cannot think of any reason that the '-p' should be there, it
isn't even a standard mkdir option. Committed.
Scott
--
Have you ever, ever felt like this?
Had strange things happen? Are you going round the twist?
Index: ChangeLog
===================================================================
RCS file: /cvsroot/libtool/libtool/ChangeLog,v
retrieving revision 1.1361
diff -u -r1.1361 ChangeLog
--- ChangeLog 2 Jan 2004 23:10:52 -0000 1.1361
+++ ChangeLog 3 Jan 2004 14:43:21 -0000
@@ -1,3 +1,11 @@
+2004-01-03 Stefan Nordhausen <address@hidden>
+ Scott James Remnant <address@hidden>
+
+ * m4/ltmain.in: Don't use the mkdir -p option when creating a
+ temporary output directory so a symlink attack can't be used to
+ arbitrarily chmod other directories on the system if libtool
+ gets run as root.
+
2004-01-02 Peter O'Gorman <address@hidden>
* m4/libtool.m4: Ensure that ${ZSH_VERSION+set} is properly escaped.
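Review bot: The new entry names m4/ltmain.in, but the file changed in this patch is ltmain.in (Index: ltmain.in, RCS file /cvsroot/libtool/libtool/ltmain.in,v). If the file sits at the top level on this branch, the ChangeLog path should say so, so that the entry can be matched to the change. The entry would also be clearer if it said why dropping -p helps: plain mkdir fails when the name already exists, symlink included, so the chmod is never reached.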
Index: ltmain.in
===================================================================
RCS file: /cvsroot/libtool/libtool/ltmain.in,v
retrieving revision 1.364
diff -u -r1.364 ltmain.in
--- ltmain.in 2 Jan 2004 23:04:21 -0000 1.364
+++ ltmain.in 3 Jan 2004 14:43:27 -0000
@@ -5857,7 +5857,7 @@
tmpdir="/tmp"
test -n "$TMPDIR" && tmpdir="$TMPDIR"
tmpdir="$tmpdir/libtool-$$"
- if $mkdir -p "$tmpdir" && chmod 700 "$tmpdir"; then :
+ if $mkdir "$tmpdir" && chmod 700 "$tmpdir"; then :
else
$echo "$modename: error: cannot create temporary directory
\`$tmpdir'" 1>&2
continue
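Review bot: On the changed line, `$mkdir "$tmpdir" && chmod 700 "$tmpdir"` still creates the directory with the caller's umask and only tightens it afterwards, so for a short window it can be more permissive than 0700. Creating it under a restrictive umask, for example `(umask 077 && $mkdir "$tmpdir")`, closes that window and makes the separate chmod unnecessary. The name is still the predictable `$tmpdir/libtool-$$`, so a pre-existing entry now takes the error branch and `continue`; a short comment that this failure is intentional would help keep -p from being reintroduced later.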
signature.asc
Description: This is a digitally signed message part
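
The behaviour the change relies on, as an added example that is not part of the original message or of libtool's code: with a symlink already sitting at the predictable name, plain mkdir refuses while mkdir -p succeeds and the following chmod lands on the link's target. The function names, the scratch directory and the name libtool-1234 are constructed for the demonstration, and the umask 077 subshell is an addition beyond what was committed.

```sh
#!/bin/sh
# Added example, not libtool code. Everything happens inside a private
# scratch directory that is removed at the end.

# Pre-fix idiom from the hunk: -p reports success when the path already
# exists, even as a symlink to a directory, and chmod then follows the link.
create_tmpdir_old() {
  mkdir -p "$1" 2>/dev/null && chmod 700 "$1"
}

# Post-fix idiom: plain mkdir fails with EEXIST on any existing name.
# The umask (an addition here) means the directory is born 0700.
create_tmpdir_new() {
  ( umask 077 && mkdir "$1" ) 2>/dev/null
}

# Octal mode of a path, for GNU stat with a BSD stat fallback.
dir_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Plants a symlink at a constructed, predictable name and runs both idioms
# against it. Prints "new=<result>:<victim mode> old=<result>:<victim mode>".
demo() {
  scratch="${TMPDIR:-/tmp}/symlink-demo-$$"
  create_tmpdir_new "$scratch" || return 1
  mkdir "$scratch/victim" && chmod 755 "$scratch/victim"
  ln -s "$scratch/victim" "$scratch/libtool-1234"

  if create_tmpdir_new "$scratch/libtool-1234"; then new=created; else new=refused; fi
  mode_after_new=$(dir_mode "$scratch/victim")

  if create_tmpdir_old "$scratch/libtool-1234"; then old=created; else old=refused; fi
  mode_after_old=$(dir_mode "$scratch/victim")

  rm -rf "$scratch"
  echo "new=$new:$mode_after_new old=$old:$mode_after_old"
}

demo   # prints: new=refused:755 old=created:700
```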