[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Patch to harden config.guess [was Re: Security vulnerability in auto

From: Akim Demaille
Subject: Re: Patch to harden config.guess [was Re: Security vulnerability in automake]
Date: 11 Jun 2002 10:28:06 +0200
User-agent: Gnus/5.0808 (Gnus v5.8.8) XEmacs/21.4 (Honest Recruiter)

|Here's a patch that I wrote to address that security "hole" in
|config.guess. I sent it to address@hidden on June 4, 2002 but
|have not heard from them since. The patch works with GNU config.guess
|2002-05-29, available at
|The patch tries to ensure that config.guess will only produce
|non-existent dummy filenames. It generates dummy filenames by checking
|the existence of dummy-$$-n and dummy-$$-n.{c,o,rel,s}, where n=1 and
|keeps incrementing, until no such files exist.
|This doesn't necessarily prevent the symlink attack, but I believe
|it'll harden config.guess signficantly. Also, I used this method
|instead of generating a random hash value because I think we can't
|assume that config.guess will always run on hosts with md5sum or cksum
|I'm not an expert at portable Bourne shell scripting, and there may be
|other issues with the patch, so if possible, please let me know what
|you think. Thank you.

All this discussion ought to be where the config.* claim it should be,
i.e., not here.

~/src/bison-exp % config/config.guess --help                     nostromo Err 2
Usage: config/config.guess [OPTION]

Output the configuration name of the system `config.guess' is run on.

Operation modes:
  -h, --help         print this help, then exit
  -t, --time-stamp   print date of last modification, then exit
  -v, --version      print version number, then exit

Report bugs and patches to <address@hidden>.

Please, resent your patch there.

reply via email to

[Prev in Thread] Current Thread [Next in Thread]