BugTraq

Vim: Insecure Temporary File Creation During Build: Arbitrary Code Execution  Jul 17 2008 10:54PM  Jan Minář (rdancer rdancer org)  (2 replies)
Re: [Full-disclosure] Vim: Insecure Temporary File Creation During Build: Arbitrary Code Execution  Jul 25 2008 01:17AM  Robert Buchholz (rbu gentoo org)  (1 replies)
Re: [Full-disclosure] Vim: Insecure Temporary File Creation During Build: Arbitrary Code Execution  Jul 25 2008 02:16AM  Jan Minář (rdancer rdancer org)  (2 replies)
Re: [Full-disclosure] Vim: Insecure Temporary File Creation During Build: Arbitrary Code Execution  Jul 25 2008 03:57PM  Steven M. Christey (coley linus mitre org)  (1 replies)
Re: [Full-disclosure] Vim: Insecure Temporary File Creation During Build: Arbitrary Code Execution  Jul 26 2008 12:33PM  Jan Minář (rdancer rdancer org)
Re: Vim: Insecure Temporary File Creation During Build: Arbitrary Code Execution  Jul 18 2008 07:38AM  Nikolai Weibull (now bitwi se)

> 2008/7/25 Robert Buchholz <rbu (at) gentoo (dot) org [email concealed]>:
> > On Friday 18 July 2008, Jan Minář wrote:
> > ...
> >
> >> 3. Vulnerability
> >>
> >> During the build process, a temporary file with a predictable name
> >> is created in the ``/tmp'' directory. This code is run when Vim
> >> is being build with Python support:
> >>
> >> src/configure.in:
> >>
> >>        677 dnl -- we need to examine Python's config/Makefile too
> >>        678 dnl    see what the interpreter is built from
> >>        679 AC_CACHE_VAL(vi_cv_path_python_plibs,
> >>        680 [
> >>        681     tmp_mkf="/tmp/Makefile-conf$$"
> >> (1)--> 682     cat ${PYTHON_CONFDIR}/Makefile - <<'eof' >${tmp_mkf}
> >>        683 __:
> >>        684 	@echo "python_MODLIBS='$(MODLIBS)'"
> >>        685 	@echo "python_LIBS='$(LIBS)'"
> >>        686 	@echo "python_SYSLIBS='$(SYSLIBS)'"
> >>        687 	@echo "python_LINKFORSHARED='$(LINKFORSHARED)'"
> >>        688 eof
> >>        689     dnl -- delete the lines from make about Entering/Leaving directory
> >> (2)--> 690     eval "`cd ${PYTHON_CONFDIR} && make -f ${tmp_mkf} __ | sed '/ directory /d'`"
> >>        691     rm -f ${tmp_mkf}
> >>
> >> The attacker has to create the temporary file
> >> ``/tmp/Makefile-conf<PID>'' before it is first written to at (1).
> >> In the time between (1) and (2), arbitrary commands can be written
> >> to the file. They will be executed at (2).
> >
> > The commands do not have to be written there between (1) and (2),
> > they can be in the file long before the ./configure was started --
> > just because the script does care whether it can write to the file
> > at all. So unlike stated in the advisory, and in CVE-2008-3294, the
> > issue does not involve a race condition if the attacker would
> > choose to create a 644 file.
>
> The file gets truncated in (1). You're wrong, the advisory is right.
Truncation will fail if the configure is not running as root.
Robert
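Robert's point above (a file already sitting at the fixed path keeps its contents when the redirection fails, unless configure runs as root) and the mktemp(1) pattern that replaces the quoted `/tmp/Makefile-conf$$` code, as an added example that is not Vim's code nor anyone's from this thread; it assumes GNU coreutils stat(1) and mktemp(1), and all file names and contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not Vim's code: the fixed-path write from configure.in
# line 682 beside a hardened replacement. Assumes GNU stat(1)/mktemp(1).

# The original pattern: redirect into a fixed, predictable path and
# ignore the result. Returns the redirection's own exit status.
unsafe_write() {              # $1 = path, $2 = content
    printf '%s\n' "$2" >"$1" 2>/dev/null
}

# 0 only if $1 is a plain file (not a symlink) owned by the caller,
# mode 0600, with one hard link: nobody else could have planted it.
tmpfile_is_private() {
    f="$1"
    [ -f "$f" ] && ! [ -L "$f" ] || return 1
    st=$(stat -c '%u %a %h' "$f" 2>/dev/null) || return 1
    set -- $st
    [ "$1" = "$(id -u)" ] && [ "$2" = "600" ] && [ "$3" = "1" ]
}

# Hardened pattern: mktemp picks an unpredictable name and creates the
# file atomically (O_EXCL, 0600), so a pre-existing file is never
# reused. Writes the content, re-checks the file, prints its path.
safe_write() {                # $1 = content
    mkf=$(mktemp "${TMPDIR:-/tmp}/Makefile-conf.XXXXXX") || return 1
    printf '%s\n' "$1" >"$mkf" || { rm -f "$mkf"; return 1; }
    tmpfile_is_private "$mkf" || { rm -f "$mkf"; return 1; }
    printf '%s\n' "$mkf"
}

# Demonstration of Robert's point: a constructed file already at the
# fixed path, read-only for us (0444). Prints "kept" if its contents
# survive the failed redirection (the unprivileged case, where the
# configure script would go on and feed it to make), or "replaced"
# if the write succeeded (only root ignores the 0444 mode).
write_outcome_on_planted_file() {
    d=$(mktemp -d) || return 1
    fixed="$d/Makefile-conf$$"
    printf '%s\n' 'PLANTED-BEFORE-CONFIGURE-RAN' >"$fixed"
    chmod 0444 "$fixed"
    unsafe_write "$fixed" 'generated-by-configure' || true
    content=$(cat "$fixed")
    rm -rf "$d"
    if [ "$content" = "PLANTED-BEFORE-CONFIGURE-RAN" ]; then
        echo kept
    else
        echo replaced
    fi
}
```

Run as a non-root user, `write_outcome_on_planted_file` prints `kept`, which is the situation the advisory and Robert's reply describe; `safe_write` is the shape a build script should use instead.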