Re: Security vulnerability in automake


From: Lawrence Teo
Subject: Re: Security vulnerability in automake
Date: Sun, 02 Jun 2002 14:50:56 -0400

> I was learning Automake last night, and I think I found a security
> vulnerability. I'm not sure if this is already known, but I couldn't
> find it on Bugtraq. The security vulnerability is the insecure
> creation of temporary files in the config.guess script which leads
> to a race condition.

 The config.* files are maintained separately from automake AFAIK.

Oh I see. Thanks. I've found the FTP location for config.guess here:

ftp://ftp.gnu.org/pub/gnu/config/

I think I'll just look around to find the appropriate person/list to
contact.

> 2. Use a random hash value instead of the process ID ($$), which
>   would be the preferred alternative. However, I don't know how
>   feasible it is to do this in a simple, portable way that's
>   consistent with Automake.

 I believe a better way would be to create the temp files in a newly
 created chmod 700'd directory under /tmp. Maybe combined with 2.

Yes I agree. As long as it's significantly different and better from
the current way of creating temp files. I'm pretty surprised to find
that piece of code there, given that the script has been around for
a long time, and used by so many software packages.

Lawrence

--
Lawrence Teo
lcteo at uncc dot edu
http://www.coe.uncc.edu/~lcteo
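
The mitigation discussed in this message (temporary files kept in a newly created, mode-700 directory under /tmp, combined with an unpredictable name), sketched as an added example that is not part of the original message or of config.guess. The function names are hypothetical, and the preferred path assumes a `mktemp` that supports `-d`.

```shell
#!/bin/sh
# Added example: keep scratch files in a private directory instead of
# writing predictable /tmp/<name>.$$ files in the shared /tmp.

# make_private_tmpdir_fallback PATH   (hypothetical helper)
# Used where mktemp is unavailable and PATH is therefore predictable.
# mkdir fails if PATH already exists, including as a symlink, so a
# name planted in advance by another user is refused, not followed.
# umask 077 makes the directory mode 0700 from the moment it exists.
make_private_tmpdir_fallback() {
    ( umask 077 && mkdir "$1" ) 2>/dev/null || return 1
    printf '%s\n' "$1"
}

# make_private_tmpdir PREFIX   (hypothetical helper)
# Prints the path of a new directory that only its owner can access.
make_private_tmpdir() {
    prefix=${1:-scratch}
    base=${TMPDIR:-/tmp}
    # Preferred: mktemp -d chooses an unpredictable name and creates
    # the directory with mode 0700 in one step.
    if dir=$(mktemp -d "$base/$prefix.XXXXXX" 2>/dev/null) && [ -d "$dir" ]; then
        printf '%s\n' "$dir"
        return 0
    fi
    # Fallback: PID-based name, safe only because mkdir refuses an
    # existing path; the caller must stop if this fails.
    make_private_tmpdir_fallback "$base/$prefix.$$"
}

# Usage in a script: work only inside the private directory and
# remove it on exit.
#   tmp=$(make_private_tmpdir cfg) || exit 1
#   trap 'rm -rf "$tmp"' EXIT HUP INT TERM
#   echo 'int main(void){return 0;}' > "$tmp/dummy.c"
```

If the fallback fails, the script should abort rather than retry with the same name, since an existing path at that location means someone else controls it.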
