bug-libtool

Re: Vulnerability in libtool 1.5


From: Scott James Remnant
Subject: Re: Vulnerability in libtool 1.5
Date: Sat, 03 Jan 2004 04:17:28 +0000

On Fri, 2004-01-02 at 22:13, Stefan Nordhausen wrote:

> In ltmain.in, libtool insecurely creates a temporary directory which can be 
> exploited by an attacker to overwrite/create/delete files with the privileges 
> of the user running ltmain.in.
*snip*
> Possible exploit: Create a few thousand symlinks numbered /tmp/libtool-1 to 
> /tmp/libtool-50000 that point to /home/foobar (if user foobar will be running 
> ltmain.in). Then, line 5587 of ltmain.in which reads
>     ${rm}r "$tmpdir"
> will be translated into
>     rm -r "/home/foobar"
> which will probably be a very unpleasant experience for Mr. foobar. I haven't 
> tried this out (duh), but I think you get the point: this one can be really 
> nasty.
> 
$tmpdir will be "/tmp/libtool-1", not "/home/foobar" so the command run
will be:

        rm -f "/tmp/libtool-1"

Which will only remove the symlink.  Pointing the symlink at anything
other than a directory will cause the mkdir to fail, even with -p. 
There's no other instance of any rm command, so the most devastating
thing they can do is cause the temporary output files to not be deleted.

RedHat patch libtool with a far better solution to this that attempts to
use mktemp to generate a unique name instead.  This seems to originate
from Owen Taylor, Oron Peled and Nalin Dahyabhai.  (Attached for
reference).

Scott
-- 
Have you ever, ever felt like this?
Had strange things happen?  Are you going round the twist?

--- libtool-1.5/ltmain.in.mktemp        2003-04-14 17:58:24.000000000 -0400
+++ libtool-1.5/ltmain.in       2003-04-24 18:26:18.000000000 -0400
@@ -5569,7 +5569,13 @@
            if test "$finalize" = yes && test -z "$run"; then
              tmpdir="/tmp"
              test -n "$TMPDIR" && tmpdir="$TMPDIR"
-             tmpdir="$tmpdir/libtool-$$"
+             tmpdir_mktemp=`mktemp -d $tmpdir/libtool-XXXXXX 2> /dev/null`
+             if test "$?" = 0 ; then
+               tmpdir="$tmpdir_mktemp"
+               unset tmpdir_mktemp
+              else
+               tmpdir="$tmpdir/libtool-$$"
+             fi
              if $mkdir -p "$tmpdir" && chmod 700 "$tmpdir"; then :
              else
                $echo "$modename: error: cannot create temporary directory 
\`$tmpdir'" 1>&2
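
Review bot: the `else` fallback (`tmpdir="$tmpdir/libtool-$$"`) keeps the predictable PID-based name whenever mktemp is missing or fails, and the unchanged context line `if $mkdir -p "$tmpdir" && chmod 700 "$tmpdir"` then accepts a path that already exists, because `mkdir -p` does not fail on an existing directory. Suggest creating the fallback directory with plain `$mkdir` under `umask 077` and reporting an error if the path is already there. Two smaller points: `$tmpdir` is unquoted in `mktemp -d $tmpdir/libtool-XXXXXX`, so a TMPDIR containing whitespace splits the argument, and `unset tmpdir_mktemp` runs only on the success branch.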

Attachment: signature.asc
Description: This is a digitally signed message part
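
Added example, not part of the original message or of libtool: a shell demonstration of how `mkdir -p` treats a pre-existing symlink, next to a temporary-directory helper that prefers `mktemp -d` and falls back to plain `mkdir`. The function names `safe_tmpdir`, `mkdir_p_accepts` and `demo` are hypothetical, and all paths are constructed inside a throwaway sandbox.

```shell
#!/bin/sh
# Added example. safe_tmpdir, mkdir_p_accepts and demo are hypothetical names.

# Create a private temporary directory under $1 (default: $TMPDIR, then /tmp).
# Prints the new path; returns non-zero if no fresh directory could be made.
safe_tmpdir() {
    base=${1:-${TMPDIR:-/tmp}}
    # Preferred: mktemp -d chooses an unpredictable name and creates the
    # directory itself, so a pre-planted path cannot be reused.
    if dir=$(mktemp -d "$base/libtool-XXXXXX" 2>/dev/null); then
        printf '%s\n' "$dir"
        return 0
    fi
    # Fallback with the predictable PID name: plain mkdir (no -p) fails with
    # "File exists" on anything already there, including a symlink.
    dir="$base/libtool-$$"
    if (umask 077 && mkdir "$dir") 2>/dev/null; then
        printf '%s\n' "$dir"
        return 0
    fi
    return 1
}

# Returns 0 if "mkdir -p" accepts a path that already exists, 1 if it refuses.
mkdir_p_accepts() {
    mkdir -p "$1" 2>/dev/null
}

# Constructed scenario inside a throwaway sandbox directory.
demo() {
    sandbox=$(mktemp -d) || return 1
    mkdir "$sandbox/somedir" && : > "$sandbox/somefile"
    ln -s "$sandbox/somedir" "$sandbox/link-to-dir"
    ln -s "$sandbox/somefile" "$sandbox/link-to-file"
    for p in link-to-dir link-to-file; do
        if mkdir_p_accepts "$sandbox/$p"; then
            echo "$p: mkdir -p accepted the existing path"
        else
            echo "$p: mkdir -p refused"
        fi
    done
    d=$(safe_tmpdir "$sandbox") && echo "fresh directory: $d"
    rm -rf "$sandbox"
}

demo
```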

