lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <4021439C.50905@informatik.hu-berlin.de>
Date: Wed, 04 Feb 2004 20:10:20 +0100
From: Stefan Nordhausen <deletethis.nordhaus@...ormatik.hu-berlin.de>
To: bugtraq@...urityfocus.com
Cc: bug-libtool@....org
Subject: Re: Symlink Vulnerability in GNU libtool <1.5.2


Joseph S. Myers wrote:
> The chmod has a race (that access to the temporary directory could be
> gained after it is created but before it is chmoded) - which I pointed out
> when I reported this security bug four years ago
> <http://www.geocrawler.com/mail/msg.php3?msg_id=3438808&list=405>

Hm, interesting. That is the exact same bug that I found. As for the
race with chmod: Do you know of a really good way to exploit this one? I
can only think of pretty harmless things to do with this. You could fix
this by using something like:

(umask 077 && mkdir $tmpdir) || exit 1

But once you are at it you should also change the way the name of the
directory is generated. By predicting it an attacker can keep libtool
from creating its temporary directories. That means libtool will not
completely do its job. In contrast to the little chmod race this could
actually be a problem. A fix could be something like:

tmpdir="$tmpdir.$RANDOM.$RANDOM.$RANDOM"

But then again this could all just be paranoia. The chmod race is AFAIK
hardly a risk and the second issue applies to pretty much every shell
script that doesn't use mktemp.

But that's no reason not to fix it. Based on some code from libtool you
would get:


              tmpdir="/tmp"
               test -n "$TMPDIR" && tmpdir="$TMPDIR"
               tmpdir="$tmpdir/libtool-$$.RANDOM.$RANDOM.$RANDOM"
               (umask 077 && $mkdir "$tmpdir") || {
                  $echo "some error message" 1>&2
                  continue
               }


Regards
Stefan Nordhausen



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ