bug-libtool

Re: Symlink Vulnerability in GNU libtool <1.5.2


From: Stefan Nordhausen
Subject: Re: Symlink Vulnerability in GNU libtool <1.5.2
Date: Wed, 04 Feb 2004 22:04:10 +0100
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040113

Joseph S. Myers wrote:
> The chmod has a race (that access to the temporary directory could be
> gained after it is created but before it is chmoded) - which I pointed
> out when I reported this security bug four years ago
> <http://www.geocrawler.com/mail/msg.php3?msg_id=3438808&list=405>

Hm, interesting. That is the exact same bug that I found. As for the
race with chmod: Do you know of a really good way to exploit this one? I
can only think of pretty harmless things to do with this. You could fix
this by using something like:

(umask 077 && mkdir $tmpdir) || exit 1

But once you are at it you should also change the way the name of the
directory is generated. By predicting it an attacker can keep libtool
from creating its temporary directories. That means libtool will not
completely do its job. In contrast to the little chmod race this could
actually be a problem. A fix could be something like:

tmpdir="$tmpdir.$RANDOM.$RANDOM.$RANDOM"

But then again this could all just be paranoia. The chmod race is AFAIK
hardly a risk and the second issue applies to pretty much every shell
script that doesn't use mktemp.

But that's no reason not to fix it. Based on some code from libtool you
would get:


               tmpdir="/tmp"
               test -n "$TMPDIR" && tmpdir="$TMPDIR"
               tmpdir="$tmpdir/libtool-$$.$RANDOM.$RANDOM.$RANDOM"
               (umask 077 && $mkdir "$tmpdir") || {
                  $echo "some error message" 1>&2
                  continue
               }


Regards
Stefan Nordhausen
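
The two measures discussed in the message above (creating the directory under `umask 077` so it is never briefly accessible, and using a name that cannot be predicted), as an added shell example that is not part of the original post and is not libtool's code. The function names and the retry count are hypothetical, and the suffix is read from `/dev/urandom` with `od` (assumed to be available) rather than from `$RANDOM`, so the sketch also runs in shells that lack `$RANDOM`.

```shell
# Added example, not libtool's code. All function names are hypothetical.

# Create exactly one directory that is private from the moment it exists.
# The umask is applied inside a subshell, so the caller's umask is unchanged.
# mkdir without -p fails if the name already exists (file, directory or
# symlink, dangling or not), so a pre-planted entry is detected, not reused.
create_private_dir() {
    ( umask 077 && mkdir "$1" ) 2>/dev/null
}

# 16 hex characters from the kernel random source (assumes /dev/urandom, od).
random_suffix() {
    od -An -N8 -tx1 /dev/urandom | tr -d ' \n'
}

# Try up to 5 fresh names under $1 (default: $TMPDIR, else /tmp).
# Prints the created directory on success; returns 1 if every attempt
# collided, so the caller can stop instead of working in a shared path.
make_private_tmpdir() {
    base=${1:-${TMPDIR:-/tmp}}
    attempt=0
    while [ "$attempt" -lt 5 ]; do
        candidate="$base/libtool-$$.$(random_suffix)"
        if create_private_dir "$candidate"; then
            printf '%s\n' "$candidate"
            return 0
        fi
        attempt=$((attempt + 1))
    done
    echo "could not create a private temporary directory in $base" >&2
    return 1
}
```

Where `mktemp -d` is available it provides the same guarantees (mode 0700, unpredictable name, failure on collision) in a single call.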



