Re: Patch to harden config.guess [was Re: Security vulnerability in auto
From: Akim Demaille
Subject: Re: Patch to harden config.guess [was Re: Security vulnerability in automake]
Date: 11 Jun 2002 10:28:06 +0200
User-agent: Gnus/5.0808 (Gnus v5.8.8) XEmacs/21.4 (Honest Recruiter)
|Here's a patch that I wrote to address that security "hole" in
|config.guess. I sent it to address@hidden on June 4, 2002 but
|have not heard from them since. The patch works with GNU config.guess
|2002-05-29, available at ftp://ftp.gnu.org/pub/gnu/config/config.guess
|
|
|The patch tries to ensure that config.guess will only produce
|non-existent dummy filenames. It generates dummy filenames by checking
|the existence of dummy-$$-n and dummy-$$-n.{c,o,rel,s}, where n=1 and
|keeps incrementing, until no such files exist.
|
|
|This doesn't necessarily prevent the symlink attack, but I believe
|it'll harden config.guess significantly. Also, I used this method
|instead of generating a random hash value because I think we can't
|assume that config.guess will always run on hosts with md5sum or cksum
|available.
|
|
|I'm not an expert at portable Bourne shell scripting, and there may be
|other issues with the patch, so if possible, please let me know what
|you think. Thank you.
|
|
|Lawrence
All this discussion ought to be where the config.* claim it should be,
i.e., not here.
~/src/bison-exp % config/config.guess --help nostromo Err 2
Usage: config/config.guess [OPTION]

Output the configuration name of the system `config.guess' is run on.

Operation modes:
  -h, --help         print this help, then exit
  -t, --time-stamp   print date of last modification, then exit
  -v, --version      print version number, then exit

Report bugs and patches to <address@hidden>.
Please resend your patch there.
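
The following is an added example, not part of either message and not code from config.guess or from the patch. It shows the name search described in the quoted message (including the dangling-symlink case an existence check has to cover) next to an atomic mkdir, which closes the check-then-create gap the quoted author concedes. The function names, the cg- prefix and the use of POSIX sh rather than strictly portable Bourne shell are assumptions.

```shell
#!/bin/sh
# Added example; function names and the cg-/dummy- layout are assumptions.

# The scheme from the message: first n where neither dummy-$$-n nor
# dummy-$$-n.{c,o,rel,s} exists. A dangling symlink must count as taken,
# and "test -e" alone follows links and reports it absent, hence -h.
pick_dummy() {
    dir=$1; n=1
    while :; do
        base=$dir/dummy-$$-$n; taken=no
        for f in "$base" "$base.c" "$base.o" "$base.rel" "$base.s"; do
            if [ -e "$f" ] || [ -h "$f" ]; then taken=yes; break; fi
        done
        if [ "$taken" = no ]; then echo "$base"; return 0; fi
        n=$((n + 1))
    done
}

# Closing the check-then-create gap: mkdir fails on any existing name
# (file, directory, or symlink, dangling or not), so creation is the test.
# umask 077 keeps other users out of the resulting directory.
make_private_dir() {
    parent=$1; n=1
    while [ "$n" -le 100 ]; do
        d=$parent/cg-$$-$n
        if (umask 077 && mkdir "$d") 2>/dev/null; then
            echo "$d"; return 0
        fi
        n=$((n + 1))
    done
    return 1
}

# Constructed demo: a pre-planted dangling link is skipped by both.
demo=$(make_private_dir "${TMPDIR:-/tmp}") || exit 1
ln -s /nonexistent "$demo/dummy-$$-1.c"
ln -s /nonexistent "$demo/cg-$$-1"
echo "name check picks: $(pick_dummy "$demo")"
echo "atomic mkdir made: $(make_private_dir "$demo")"
rm -rf "$demo"
```

Dummy files written inside the directory returned by make_private_dir no longer depend on the name being unpredictable, because other users cannot create entries there.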