bug-autoconf

Re: autoconf potential bug...


From: Ben Pfaff
Subject: Re: autoconf potential bug...
Date: Tue, 09 Mar 2004 11:02:34 -0800
User-agent: Gnus/5.1006 (Gnus v5.10.6) Emacs/21.3 (gnu/linux)

Shaun Colley <address@hidden> writes:

[...]

> Maybe this is well-known, but when "configure" scripts
> made with autoconf are writing to temp files, they
> sometimes don't check if the file is a symlink (or so
> it seemed to me), so doesn't this present itself as a
> security vulnerability?
>
> As an example, I created a symlink called
> 'config.cache' in the directory of the package I was
> installing, and linked it to /etc/bleh.  [...]

Why would an attacker have permission to write into your
directory?  Temporary file vulnerabilities generally involve
shared directories, like /tmp, not private directories.
-- 
Ben Pfaff 
email: address@hidden
web: http://benpfaff.org
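
The distinction drawn in the reply above, between shared directories such as /tmp and private ones, expressed as shell checks. This is an added example, not part of the original message and not autoconf code; the function names `dir_is_private`, `safe_write` and `private_workdir` are hypothetical.

```sh
#!/bin/sh
# Added example (hypothetical helper names; not autoconf code).

# dir_is_private DIR: succeed only if DIR is a real directory owned by the
# current user and not writable by group or others, so nobody else can
# plant a symlink inside it.
dir_is_private() {
    [ -d "$1" ] && [ ! -L "$1" ] || return 1
    # ls -ldn prints the mode string in field 1 and the numeric owner in field 3.
    mode_uid=$(ls -ldn -- "$1" | awk '{print $1, $3}')
    [ "${mode_uid#* }" = "$(id -u)" ] || return 1
    case ${mode_uid% *} in
        ?????w*|????????w*) return 1 ;;   # group- or world-writable (e.g. /tmp)
    esac
    return 0
}

# safe_write FILE CONTENT: write a fixed-name file such as config.cache only
# when its directory is private and the name is not already a symlink.
# The symlink test is race-free only because the directory is private.
safe_write() {
    dir=$(dirname -- "$1")
    dir_is_private "$dir" || { echo "refusing: $dir is not private" >&2; return 1; }
    [ ! -L "$1" ] || { echo "refusing: $1 is a symlink" >&2; return 2; }
    printf '%s\n' "$2" > "$1"
}

# private_workdir: when files must live under a shared location, create a
# fresh directory with an unpredictable name (mktemp -d makes it mode 0700).
private_workdir() {
    mktemp -d "${TMPDIR:-/tmp}/conf.XXXXXX"
}
```

In a directory that fails `dir_is_private`, checking for a symlink and then writing is racy, which is why the shared-directory case goes through `private_workdir` instead.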




