[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <200807250317.30880.rbu@gentoo.org>
Date: Fri, 25 Jul 2008 03:17:08 +0200
From: Robert Buchholz <rbu@...too.org>
To: full-disclosure@...ts.grok.org.uk,
"Steven M. Christey" <coley@...us.mitre.org>
Cc: vim-dev@....org, bugtraq@...urityfocus.com, bugs@....org
Subject: Re: Vim: Insecure Temporary File Creation During
Build: Arbitrary Code Execution
On Friday 18 July 2008, Jan Minář wrote:
...
> 3. Vulnerability
>
> During the build process, a temporary file with a predictable name is
> created in the ``/tmp'' directory. This code is run when Vim is
> being build with Python support:
>
> src/configure.in:
>
> 677 dnl -- we need to examine Python's
> config/Makefile too 678 dnl see what the interpreter is
> built from 679 AC_CACHE_VAL(vi_cv_path_python_plibs,
> 680 [
> 681 tmp_mkf="/tmp/Makefile-conf$$"
> (1)--> 682 cat ${PYTHON_CONFDIR}/Makefile - <<'eof'
> >${tmp_mkf} 683 __:
> 684 @echo "python_MODLIBS='$(MODLIBS)'"
> 685 @echo "python_LIBS='$(LIBS)'"
> 686 @echo "python_SYSLIBS='$(SYSLIBS)'"
> 687 @echo "python_LINKFORSHARED='$(LINKFORSHARED)'"
> 688 eof
> 689 dnl -- delete the lines from make about
> Entering/Leaving directory
> (2)--> 690 eval "`cd ${PYTHON_CONFDIR} && make -f
> ${tmp_mkf} __ | sed '/ directory /d'`"
> 691 rm -f ${tmp_mkf}
>
> The attacker has to create the temporary file
> ``/tmp/Makefile-conf<PID>'' before it is first written to at (1). In
> the time between (1) and (2), arbitrary commands can be written to
> the file. They will be executed at (2).
The commands do not have to be written there between (1) and (2), they
can be in the file long before the ./configure was started -- just
because the script does care whether it can write to the file at all.
So unlike stated in the advisory, and in CVE-2008-3294, the issue does
not involve a race condition if the attacker would choose to create a
644 file.
Robert
Download attachment "signature.asc " of type "application/pgp-signature" (836 bytes)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists