[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <4021439C.50905@informatik.hu-berlin.de>
Date: Wed, 04 Feb 2004 20:10:20 +0100
From: Stefan Nordhausen <deletethis.nordhaus@...ormatik.hu-berlin.de>
To: bugtraq@...urityfocus.com
Cc: bug-libtool@....org
Subject: Re: Symlink Vulnerability in GNU libtool <1.5.2
Joseph S. Myers wrote:
> The chmod has a race (that access to the temporary directory could be
> gained after it is created but before it is chmoded) - which I pointed out
> when I reported this security bug four years ago
> <http://www.geocrawler.com/mail/msg.php3?msg_id=3438808&list=405>
Hm, interesting. That is the exact same bug that I found. As for the
race with chmod: Do you know of a really good way to exploit this one? I
can only think of pretty harmless things to do with this. You could fix
this by using something like:
(umask 077 && mkdir $tmpdir) || exit 1
But once you are at it you should also change the way the name of the
directory is generated. By predicting it an attacker can keep libtool
from creating its temporary directories. That means libtool will not
completely do its job. In contrast to the little chmod race this could
actually be a problem. A fix could be something like:
tmpdir="$tmpdir.$RANDOM.$RANDOM.$RANDOM"
But then again this could all just be paranoia. The chmod race is AFAIK
hardly a risk and the second issue applies to pretty much every shell
script that doesn't use mktemp.
But that's no reason not to fix it. Based on some code from libtool you
would get:
tmpdir="/tmp"
test -n "$TMPDIR" && tmpdir="$TMPDIR"
tmpdir="$tmpdir/libtool-$$.RANDOM.$RANDOM.$RANDOM"
(umask 077 && $mkdir "$tmpdir") || {
$echo "some error message" 1>&2
continue
}
Regards
Stefan Nordhausen
Powered by blists - more mailing lists