Re: Vulnerability in libtool 1.5
From: Scott James Remnant
Subject: Re: Vulnerability in libtool 1.5
Date: Sat, 03 Jan 2004 04:17:28 +0000
On Fri, 2004-01-02 at 22:13, Stefan Nordhausen wrote:
> In ltmain.in, libtool insecurely creates a temporary directory which can be
> exploited by an attacker to overwrite/create/delete files with the privileges
> of the user running ltmain.in.
*snip*
> Possible exploit: Create a few thousand symlinks numbered /tmp/libtool-1 to
> /tmp/libtool-50000 that point to /home/foobar (if user foobar will be running
> ltmain.in). Then, line 5587 of ltmain.in which reads
> ${rm}r "$tmpdir"
> will be translated into
> rm -r "/home/foobar"
> which will probably be a very unpleasant experience for Mr. foobar. I haven't
> tried this out (duh), but I think you get the point: this one can be really
> nasty.
>
$tmpdir will be "/tmp/libtool-1", not "/home/foobar" so the command run
will be:
rm -f "/tmp/libtool-1"
Which will only remove the symlink. Pointing the symlink at anything
other than a directory will cause the mkdir to fail, even with -p.
There's no other instance of any rm command, so the most devastating
thing they can do is cause the temporary output files to not be deleted.
RedHat patch libtool with a far better solution to this that attempts to
use mktemp to generate a unique name instead. This seems to originate
from Owen Taylor, Oron Peled and Nalin Dahyabhai. (Attached for
reference).
Scott
--
Have you ever, ever felt like this?
Had strange things happen? Are you going round the twist?
--- libtool-1.5/ltmain.in.mktemp 2003-04-14 17:58:24.000000000 -0400
+++ libtool-1.5/ltmain.in 2003-04-24 18:26:18.000000000 -0400
@@ -5569,7 +5569,13 @@
if test "$finalize" = yes && test -z "$run"; then
tmpdir="/tmp"
test -n "$TMPDIR" && tmpdir="$TMPDIR"
- tmpdir="$tmpdir/libtool-$$"
+ tmpdir_mktemp=`mktemp -d $tmpdir/libtool-XXXXXX 2> /dev/null`
+ if test "$?" = 0 ; then
+ tmpdir="$tmpdir_mktemp"
+ unset tmpdir_mktemp
+ else
+ tmpdir="$tmpdir/libtool-$$"
+ fi
if $mkdir -p "$tmpdir" && chmod 700 "$tmpdir"; then :
else
$echo "$modename: error: cannot create temporary directory
\`$tmpdir'" 1>&2
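Review bot: the else branch that falls back to tmpdir="$tmpdir/libtool-$$" when mktemp fails keeps the predictable name, and the unchanged `$mkdir -p "$tmpdir"` below it still succeeds when that path already exists as a directory or as a symlink to one, so on a system without mktemp the script can end up using a directory it did not create. In the fallback, create the directory with plain mkdir (no -p) under umask 077 and treat an existing path as an error instead of continuing. Separately, $tmpdir is unquoted in `mktemp -d $tmpdir/libtool-XXXXXX`, so a TMPDIR containing whitespace is split into several arguments, and because stderr goes to /dev/null a failure there drops silently into the same fallback; quote the template argument.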
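The symlink behaviour discussed in the message above (what `rm -r` and `mkdir -p` do when the predictable name already exists as a symlink, compared with a directory made by `mktemp -d`) can be checked inside a scratch directory. This is an added example, not part of the original message or of libtool; the function name, the `ltdemo-` prefix and the file names are assumptions, and all paths are constructed under a fresh sandbox.

```shell
#!/bin/sh
# Added illustration; every path lives under a sandbox created by mktemp -d.
demo_symlink_tmpdir() {
    sandbox=`mktemp -d "${TMPDIR:-/tmp}/ltdemo-XXXXXX"` || return 1
    mkdir "$sandbox/victim" && echo keep > "$sandbox/victim/data" || return 1
    echo plain > "$sandbox/file"

    # Case 1: the predictable name already exists as a symlink to a directory.
    ln -s "$sandbox/victim" "$sandbox/libtool-1"
    if mkdir -p "$sandbox/libtool-1" 2>/dev/null; then
        r_dir=accepted      # mkdir -p treats the existing path as success
    else
        r_dir=refused
    fi
    # No trailing slash: rm -r unlinks the symlink itself, not its target.
    rm -r "$sandbox/libtool-1"
    if test -f "$sandbox/victim/data"; then
        r_rm=target-intact
    else
        r_rm=target-removed
    fi

    # Case 2: the predictable name is a symlink to a regular file.
    ln -s "$sandbox/file" "$sandbox/libtool-2"
    if mkdir -p "$sandbox/libtool-2" 2>/dev/null; then
        r_file=accepted
    else
        r_file=refused      # not a directory, so even -p fails
    fi

    # Case 3: mktemp -d creates a new, unpredictably named directory.
    made=`mktemp -d "$sandbox/libtool-XXXXXX"` || return 1
    if test -d "$made" && test ! -L "$made"; then
        r_mktemp=fresh-dir
    else
        r_mktemp=unexpected
    fi

    rm -rf "$sandbox"
    echo "$r_dir $r_rm $r_file $r_mktemp"
}
```

The function prints one word per case, in the order symlink-to-directory `mkdir -p`, `rm -r` on the symlink, symlink-to-file `mkdir -p`, and `mktemp -d`.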