BugTraq
Vim: Insecure Temporary File Creation During Build: Arbitrary Code Execution Jul 17 2008 10:54PM Jan Minář (rdancer rdancer org) (2 replies)
Re: [Full-disclosure] Vim: Insecure Temporary File Creation During Build: Arbitrary Code Execution Jul 25 2008 01:17AM Robert Buchholz (rbu gentoo org) (1 replies)
Re: [Full-disclosure] Vim: Insecure Temporary File Creation During Build: Arbitrary Code Execution Jul 25 2008 02:16AM Jan Minář (rdancer rdancer org) (2 replies)
Re: [Full-disclosure] Vim: Insecure Temporary File Creation During Build: Arbitrary Code Execution Jul 25 2008 03:57PM Steven M. Christey (coley linus mitre org) (1 replies)
Re: [Full-disclosure] Vim: Insecure Temporary File Creation During Build: Arbitrary Code Execution Jul 25 2008 10:18AM Robert Buchholz (rbu gentoo org)
Re: Vim: Insecure Temporary File Creation During Build: Arbitrary Code Execution Jul 18 2008 07:38AM Nikolai Weibull (now bitwi se)
<coley (at) linus.mitre (dot) org [email concealed]> wrote:
>
> On Fri, 25 Jul 2008, [UTF-8] Jan Minář wrote:
>
>> > The commands do not have to be written there between (1) and (2), they
>> > can be in the file long before the ./configure was started -- just
>> > because the script does care whether it can write to the file at all.
>> > So unlike stated in the advisory, and in CVE-2008-3294, the issue does
>> > not involve a race condition if the attacker would choose to create a
>> > 644 file.
>>
>> The file gets truncated in (1). You're wrong, the advisory is right.
>
> Maybe the point here is that if the attacker owns the file and sets 644
> permissions, then the truncation won't happen since ./configure won't have
> the permissions to modify the file.
I stand corrected. I have updated the advisory. Thanks, Robert.
Thanks to Steven for rephrasing.
Jan.
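
The point settled in this exchange is that a file planted in advance, which the build user cannot modify, survives a failed truncation. As an added example (not from this thread, the advisory, or Vim's build scripts), this is one way a shell script can create its scratch file so that a pre-existing file is refused rather than reused; the directory template, file names and contents are constructed for illustration.

```shell
#!/bin/sh
# Added example. Paths and file contents are constructed for illustration
# and are not taken from Vim's configure script.

# Create "$1" with content "$2" only if nothing exists at that path yet.
# noclobber (set -C) makes the shell refuse to reuse an existing file, so a
# file planted in advance is reported instead of being silently kept.
write_exclusive() {
    ( set -C; printf '%s\n' "$2" > "$1" ) 2>/dev/null
}

# Make a directory only the current user can enter (mktemp -d creates it
# with mode 0700), so nobody else can pre-create names inside it.
make_private_dir() {
    mktemp -d "${TMPDIR:-/tmp}/build.XXXXXX"
}

# Write a generated script into a private directory and run it.
# Prints the script's output; returns non-zero if any step fails.
run_generated() {
    dir=$(make_private_dir) || return 1
    script="$dir/probe.sh"
    if write_exclusive "$script" "$1"; then
        sh "$script"; rc=$?
    else
        rc=1
    fi
    rm -rf "$dir"
    return $rc
}

# A pre-existing file stands in for the file created ahead of the build.
demo() {
    d=$(make_private_dir) || return 1
    planted="$d/predictable"
    printf '%s\n' 'echo planted-content' > "$planted"   # constructed content
    if write_exclusive "$planted" 'echo build-content'; then
        echo "overwrote existing file"
    else
        echo "refused: file already existed"
    fi
    rm -rf "$d"
}

demo
```

The key difference from a plain `> file` redirect is that the result of the write is checked, so a file that was already there stops the build step instead of being executed with its old contents.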