Patch to harden config.guess [was Re: Security vulnerability in automake]

From: Lawrence Teo
Subject: Patch to harden config.guess [was Re: Security vulnerability in automake]
Date: Mon, 10 Jun 2002 16:53:37 -0400

Here's a patch that I wrote to address that security "hole" in config.guess.
I sent it to address@hidden on June 4, 2002 but have not heard from
them since. The patch works with GNU config.guess 2002-05-29, available at
ftp://ftp.gnu.org/pub/gnu/config/config.guess

The patch tries to ensure that config.guess will only produce non-existent
dummy filenames. It generates dummy filenames by checking the existence of
dummy-$$-n and dummy-$$-n.{c,o,rel,s}, where n=1 and keeps incrementing,
until no such files exist.

This doesn't necessarily prevent the symlink attack, but I believe it'll
harden config.guess significantly. Also, I used this method instead of
generating a random hash value because I think we can't assume that
config.guess will always run on hosts with md5sum or cksum available.

I'm not an expert at portable Bourne shell scripting, and there may be other
issues with the patch, so if possible, please let me know what you think.

Thank you.

Lawrence
--
Lawrence Teo
lcteo at uncc dot edu
http://www.coe.uncc.edu/~lcteo
config-symlink.diff.gz
Description: application/gzip
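
The name-probing scheme described in the message, next to an atomic alternative, as an added example: it is not the attached patch (which is not reproduced on this page) and not GNU config code. The function names, the `cg-` prefix and the scratch directory layout are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the attached patch. All names here are hypothetical.

# Name selection as the message describes it: start at n=1 and increment
# until neither dummy-$$-n nor dummy-$$-n.{c,o,rel,s} exists in directory $1.
# -L is tested as well because -e is false for a dangling symlink.
pick_dummy() {
    dir=$1 n=1
    while :; do
        base="$dir/dummy-$$-$n" taken=no
        for f in "$base" "$base.c" "$base.o" "$base.rel" "$base.s"; do
            if [ -e "$f" ] || [ -L "$f" ]; then taken=yes; break; fi
        done
        if [ "$taken" = no ]; then break; fi
        n=$((n + 1))
    done
    echo "$base"
}

# The remaining gap: a name that was free when tested can still be created
# by someone else before the compiler writes to it. Creating a private
# directory closes that gap, because mkdir fails if the name already exists
# (file, directory or symlink), so the test and the creation are one step.
make_private_dir() {
    dir=$1 n=1
    until (umask 077 && mkdir "$dir/cg-$$-$n") 2>/dev/null; do
        n=$((n + 1))
        if [ "$n" -gt 100 ]; then return 1; fi
    done
    echo "$dir/cg-$$-$n"
}

# Demo on constructed input: a scratch directory with two names already taken.
demo() {
    scratch=$(make_private_dir "${TMPDIR:-/tmp}") || return 1
    : > "$scratch/dummy-$$-1.c"                 # regular file occupies n=1
    ln -s /nonexistent "$scratch/dummy-$$-2.o"  # dangling symlink occupies n=2
    pick_dummy "$scratch"                       # prints .../dummy-<pid>-3
    make_private_dir "$scratch"                 # prints .../cg-<pid>-1
    rm -rf "$scratch"
}
demo
```

Dummy files written inside the directory returned by `make_private_dir` no longer depend on the chosen name staying free between the check and the write.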