Re: Vulnerability in libtool 1.5

[Stefan Nordhausen]

On Saturday 03 January 2004 05:17, you wrote:
> Which will only remove the symlink.  Pointing the symlink at anything
> other than a directory will cause the mkdir to fail, even with -p.

You are right. I shouldn't try to write exploits so late in the evening.


> There's no other instance of any rm command, so the most devastating
> thing they can do is cause the temporary output files to not be deleted.

This one is wrong though. Assuming the user running ltmain is root: You create 
symlinks to /home. This will cause mkdir -p to be happy, but chmod 700 will 
_follow_ symlinks and chmod /home to 700. As a result users will not be able 
to access their home directories.
You can also attempt to exploit this as a race condition: Symlinks to 
/tmp/whatever will cause a directory to be created. When that directory 
appears you simply _change_ your symlink to point somewhere else. If you're 
fast enough you can set any file on the system to mode 700 (very bad if that 
hits /bin/bash or /bin/mkdir or ...).


> RedHat patch libtool with a far better solution to this that attempts to
> use mktemp to generate a unique name instead.

But the patch provided by you still contains this line:
  if $mkdir -p "$tmpdir" && chmod 700 "$tmpdir";
Due to the -p option the call to mkdir remains insecure on systems where 
mktemp is not installed.

Regards
Stefan