bug-libtool
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FYI] Re: Vulnerability in libtool 1.5

From: Scott James Remnant
Subject: [FYI] Re: Vulnerability in libtool 1.5
Date: Sat, 03 Jan 2004 14:44:57 +0000 
On Sat, 2004-01-03 at 10:30, Stefan Nordhausen wrote:

> On Saturday 03 January 2004 05:17, you wrote:
> > There's no other instance of any rm command, so the most devastating
> > thing they can do is cause the temporary output files to not be deleted.
> 
> This one is wrong though. Assuming the user running ltmain is root: You 
> create 
> symlinks to /home. This will cause mkdir -p to be happy, but chmod 700 will 
> _follow_ symlinks and chmod /home to 700. As a result users will not be able 
> to access their home directories.
> 
This is true.

> > RedHat patch libtool with a far better solution to this that attempts to
> > use mktemp to generate a unique name instead.
> 
> But the patch provided by you still contains this line:
>   if $mkdir -p "$tmpdir" && chmod 700 "$tmpdir";
> Due to the -p option the call to mkdir remains insecure on systems where 
> mktemp is not installed.
> 
I'm fairly sure we've never had that patch submitted to us, so I don't
think we can commit it?  I'm also not generally keen on relying on the
behaviour of a non-standard utility like mktemp.

OTOH I cannot think of any reason that the '-p' should be there, it
isn't even a standard mkdir option.  Committed.

Scott
-- 
Have you ever, ever felt like this?
Had strange things happen?  Are you going round the twist?


Index: ChangeLog
===================================================================
RCS file: /cvsroot/libtool/libtool/ChangeLog,v
retrieving revision 1.1361
diff -u -r1.1361 ChangeLog
--- ChangeLog   2 Jan 2004 23:10:52 -0000       1.1361
+++ ChangeLog   3 Jan 2004 14:43:21 -0000
@@ -1,3 +1,11 @@
+2004-01-03  Stefan Nordhausen  <address@hidden>
+       Scott James Remnant  <address@hidden>
+
+       * m4/ltmain.in: Don't use the mkdir -p option when creating a
+       temporary output directory so a symlink attack can't be used to
+       arbitrarily chmod other directories on the system if libtool
+       gets run as root.
+
 2004-01-02  Peter O'Gorman  <address@hidden>
 
        * m4/libtool.m4: Ensure that ${ZSH_VERSION+set} is properly escaped.
Index: ltmain.in
===================================================================
RCS file: /cvsroot/libtool/libtool/ltmain.in,v
retrieving revision 1.364
diff -u -r1.364 ltmain.in
--- ltmain.in   2 Jan 2004 23:04:21 -0000       1.364
+++ ltmain.in   3 Jan 2004 14:43:27 -0000
@@ -5857,7 +5857,7 @@
              tmpdir="/tmp"
              test -n "$TMPDIR" && tmpdir="$TMPDIR"
              tmpdir="$tmpdir/libtool-$$"
-             if $mkdir -p "$tmpdir" && chmod 700 "$tmpdir"; then :
+             if $mkdir "$tmpdir" && chmod 700 "$tmpdir"; then :
              else
                $echo "$modename: error: cannot create temporary directory 
\`$tmpdir'" 1>&2
                continue

Attachment: signature.asc
Description: This is a digitally signed message part

reply via email to
[Prev in Thread] Current Thread [Next in Thread]