Re: Vulnerability in libtool 1.5

From: Scott James Remnant
Subject: Re: Vulnerability in libtool 1.5
Date: Sat, 03 Jan 2004 04:17:28 +0000

On Fri, 2004-01-02 at 22:13, Stefan Nordhausen wrote:

> In ltmain.in, libtool insecurely creates a temporary directory which can be 
> exploited by an attacker to overwrite/create/delete files with the privileges 
> of the user running ltmain.in.
> Possible exploit: Create a few thousand symlinks numbered /tmp/libtool-1 to 
> /tmp/libtool-50000 that point to /home/foobar (if user foobar will be running 
> ltmain.in). Then, line 5587 of ltmain.in which reads
>     ${rm}r "$tmpdir"
> will be translated into
>     rm -r "/home/foobar"
> which will probably be a very unpleasant experience for Mr. foobar. I haven't 
> tried this out (duh), but I think you get the point: this one can be really 
> nasty.

$tmpdir will be "/tmp/libtool-1", not "/home/foobar" so the command run
will be:

        rm -f "/tmp/libtool-1"

Which will only remove the symlink.  Pointing the symlink at anything
other than a directory will cause the mkdir to fail, even with -p. 
There's no other instance of any rm command, so the most devastating
thing they can do is cause the temporary output files to not be deleted.

RedHat patch libtool with a far better solution to this that attempts to
use mktemp to generate a unique name instead.  This seems to originate
from Owen Taylor, Oron Peled and Nalin Dahyabhai.  (Attached for

Have you ever, ever felt like this?
Had strange things happen?  Are you going round the twist?

--- libtool-1.5/ltmain.in.mktemp        2003-04-14 17:58:24.000000000 -0400
+++ libtool-1.5/ltmain.in       2003-04-24 18:26:18.000000000 -0400
@@ -5569,7 +5569,13 @@
            if test "$finalize" = yes && test -z "$run"; then
              test -n "$TMPDIR" && tmpdir="$TMPDIR"
-             tmpdir="$tmpdir/libtool-$$"
+             tmpdir_mktemp=`mktemp -d $tmpdir/libtool-XXXXXX 2> /dev/null`
+             if test "$?" = 0 ; then
+               tmpdir="$tmpdir_mktemp"
+               unset tmpdir_mktemp
+              else
+               tmpdir="$tmpdir/libtool-$$"
+             fi
              if $mkdir -p "$tmpdir" && chmod 700 "$tmpdir"; then :
                $echo "$modename: error: cannot create temporary directory 
\`$tmpdir'" 1>&2
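
Review bot: the else branch of the new mktemp check still sets tmpdir="$tmpdir/libtool-$$" and passes it to the unchanged '$mkdir -p "$tmpdir"' line, and mkdir -p succeeds when that name already exists as a directory or as a symlink to one, so on a system where mktemp is missing or fails the predictable-name behaviour is unchanged. Consider creating the fallback directory without -p under a restrictive umask and treating a failure there as an error. Two smaller points in the same hunk: $tmpdir is unquoted in 'mktemp -d $tmpdir/libtool-XXXXXX', so a TMPDIR containing whitespace breaks the call and, with stderr discarded, silently takes the fallback path; and the added 'else' is indented one column deeper than its 'if' and 'fi'.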

Attachment: signature.asc
Description: This is a digitally signed message part
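
The following is an added example, not part of the original message or of the Red Hat patch. It sketches temporary-directory creation where the fallback for a missing mktemp is a plain mkdir under umask 077, and runs it against a constructed, pre-existing symlink at the predictable name. The function names make_private_tmpdir and demo_preplanted_symlink and the no-mktemp argument are hypothetical.

```shell
#!/bin/sh
# Added example: make_private_tmpdir and demo_preplanted_symlink are
# hypothetical names, not functions from libtool or the Red Hat patch.

# make_private_tmpdir BASE PREFIX [no-mktemp]
# Prints the path of a newly created private directory, or returns 1.
make_private_tmpdir() {
  base=$1; prefix=$2; skip_mktemp=${3:-}
  if test -z "$skip_mktemp" && command -v mktemp >/dev/null 2>&1; then
    # mktemp -d picks an unpredictable name and creates it with mode 0700.
    if dir=`mktemp -d "$base/$prefix-XXXXXX" 2>/dev/null`; then
      printf '%s\n' "$dir"
      return 0
    fi
  fi
  # Fallback with the predictable PID-based name: plain mkdir (no -p) fails
  # if anything, a symlink included, already holds the name, and umask 077
  # makes the directory private from the moment it exists.
  dir="$base/$prefix-$$"
  if (umask 077 && mkdir "$dir") 2>/dev/null; then
    printf '%s\n' "$dir"
    return 0
  fi
  return 1
}

# Constructed scenario, confined to a scratch directory: a symlink to a
# directory already sits at the predictable name.
demo_preplanted_symlink() {
  sandbox=`mktemp -d "${TMPDIR:-/tmp}/tmpdir-demo-XXXXXX"` || return 2
  mkdir "$sandbox/other" "$sandbox/tmp"
  ln -s "$sandbox/other" "$sandbox/tmp/libtool-$$"
  # mkdir -p treats the existing symlink-to-directory as success.
  if mkdir -p "$sandbox/tmp/libtool-$$" 2>/dev/null
  then with_p=accepted; else with_p=refused; fi
  # The fallback above refuses the same name.
  if make_private_tmpdir "$sandbox/tmp" libtool no-mktemp >/dev/null
  then fallback=accepted; else fallback=refused; fi
  rm -rf "$sandbox"
  echo "mkdir-p=$with_p fallback=$fallback"
}

demo_preplanted_symlink
```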