BugTraq
Symlink Vulnerability in GNU libtool <1.5.2 Jan 30 2004 01:14AM
Stefan Nordhausen (deletethis nordhaus informatik hu-berlin de) (3 replies)
Re: Symlink Vulnerability in GNU libtool <1.5.2 Feb 04 2004 05:01AM
jsm polyomino org uk
Re: Symlink Vulnerability in GNU libtool <1.5.2 Feb 03 2004 11:21AM
Stefan Nordhausen (deletethis nordhaus informatik hu-berlin de)
Re: Symlink Vulnerability in GNU libtool <1.5.2 Feb 03 2004 09:47AM
Joseph S. Myers (jsm polyomino org uk) (2 replies)
Re: Symlink Vulnerability in GNU libtool <1.5.2 Feb 04 2004 07:10PM
Stefan Nordhausen (deletethis nordhaus informatik hu-berlin de)
Joseph S. Myers wrote:
> The chmod has a race (that access to the temporary directory could be
> gained after it is created but before it is chmoded) - which I pointed out
> when I reported this security bug four years ago
> <http://www.geocrawler.com/mail/msg.php3?msg_id=3438808&list=405>

Hm, interesting. That is the exact same bug that I found. As for the
race with chmod: Do you know of a really good way to exploit this one? I
can only think of pretty harmless things to do with this. You could fix
this by using something like:

(umask 077 && mkdir "$tmpdir") || exit 1

But once you are at it you should also change the way the name of the
directory is generated. By predicting it an attacker can keep libtool
from creating its temporary directories. That means libtool will not
completely do its job. In contrast to the little chmod race this could
actually be a problem. A fix could be something like:

tmpdir="$tmpdir.$RANDOM.$RANDOM.$RANDOM"

But then again this could all just be paranoia. The chmod race is AFAIK
hardly a risk and the second issue applies to pretty much every shell
script that doesn't use mktemp.

But that's no reason not to fix it. Based on some code from libtool you
would get:

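# Honour $TMPDIR if set, otherwise use /tmp
tmpdir="/tmp"
test -n "$TMPDIR" && tmpdir="$TMPDIR"
# PID plus three $RANDOM values make the name harder to predict
tmpdir="$tmpdir/libtool-$$.$RANDOM.$RANDOM.$RANDOM"
# Create the directory with mode 0700 from the start (no later chmod)
(umask 077 && $mkdir "$tmpdir") || {
  $echo "some error message" 1>&2
  continue
}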

Regards
Stefan Nordhausen
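
An added example (not part of the original post and not libtool's code) combining the two fixes discussed in the message above: a directory that is private from the moment it is created, and a name that cannot be predicted, with `mktemp -d` used when it is available. `make_private_tmpdir`, `random_suffix` and the `FORCE_MKDIR_FALLBACK` switch are hypothetical names introduced here.

```shell
#!/bin/sh
# Added example: create a private temporary directory without a chmod race.

# Hard-to-guess suffix. $1 is the attempt number; it is only used as a weak
# last resort when /dev/urandom cannot be read.
random_suffix() {
    s=$(od -An -N8 -tx1 /dev/urandom 2>/dev/null | tr -d ' \n')
    printf '%s\n' "${s:-$$.$1}"
}

# Print the path of a new mode-0700 directory under ${TMPDIR:-/tmp}.
# $1 is a name prefix (default "libtool").
make_private_tmpdir() {
    prefix=${1:-libtool}
    base=${TMPDIR:-/tmp}

    # Preferred: mktemp chooses the name and creates the directory in one step.
    # FORCE_MKDIR_FALLBACK (assumed switch, for demonstration) skips it.
    if [ -z "${FORCE_MKDIR_FALLBACK:-}" ] && command -v mktemp >/dev/null 2>&1; then
        mktemp -d "$base/$prefix-XXXXXXXXXX" && return 0
    fi

    attempt=0
    while [ "$attempt" -lt 10 ]; do
        attempt=$((attempt + 1))
        dir="$base/$prefix-$(random_suffix "$attempt")"
        # mkdir without -p fails on any existing entry, symlinks included,
        # so a pre-planted name is skipped instead of being reused.
        # umask 077 gives mode 0700 at creation time, so no chmod is needed.
        if (umask 077 && mkdir "$dir") 2>/dev/null; then
            printf '%s\n' "$dir"
            return 0
        fi
    done

    echo "cannot create a private directory under $base" >&2
    return 1
}
```

Call it as `tmpdir=$(make_private_tmpdir libtool) || exit 1` and remove the directory when done.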

Re: Symlink Vulnerability in GNU libtool <1.5.2 Feb 03 2004 08:33PM
Scott James Remnant (scott netsplit com)


 
