[33473] in bugtraq
Re: Symlink Vulnerability in GNU libtool <1.5.2
daemon@ATHENA.MIT.EDU (Scott James Remnant)
Fri Feb 6 13:30:41 2004
From: Scott James Remnant <scott@netsplit.com>
To: "Joseph S. Myers" <jsm@polyomino.org.uk>
Cc: bugtraq@securityfocus.com, Libtool Bugs <bug-libtool@gnu.org>,
Libtool Patches <libtool-patches@gnu.org>
In-Reply-To: <Pine.LNX.4.58.0402030928020.7123@digraph.polyomino.org.uk>
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="=-UwDLgg4hDwheSMmRXyhP"
Message-Id: <1075840438.20240.160.camel@descent.netsplit.com>
Mime-Version: 1.0
Date: Tue, 03 Feb 2004 20:33:58 +0000
--=-UwDLgg4hDwheSMmRXyhP
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable
On Tue, 2004-02-03 at 09:47, Joseph S. Myers wrote:
> On Fri, 30 Jan 2004, Stefan Nordhausen wrote:
> > Solution:
> > Updating to libtool 1.5.2 (the current stable release) will eliminate
> > the vulnerability. If you want to stick with your old version of libtoo=
l
> > you can easily fix this bug yourself. In "ltmain.in" (or file "libtool"=
,=20
> > whichever applies for you) you should replace the line:
> >=20
> The chmod has a race (that access to the temporary directory could be
> gained after it is created but before it is chmoded)
>=20
Would this patch be sufficient? Gary et al. okay to apply if it is?
----8<--------8<--------8<--------8<--------8<--------8<--------8<--------8=
<----
2003-02-03 Scott James Remnant <scott@netsplit.com>
* ltmain.in: Create temporary directory under a strict umask
rather than running chmod afterwards, preventing a race
condition where the directory could be replaced with a symbolic
link in the time between the two commands.
diff -u -r1.334.2.20 ltmain.in
--- ltmain.in 3 Feb 2004 19:55:29 -0000 1.334.2.20
+++ ltmain.in 3 Feb 2004 20:29:07 -0000
@@ -5673,11 +5673,15 @@
tmpdir=3D"/tmp"
test -n "$TMPDIR" && tmpdir=3D"$TMPDIR"
tmpdir=3D"$tmpdir/libtool-$$"
- if $mkdir "$tmpdir" && chmod 700 "$tmpdir"; then :
+ save_umask=3D`umask`
+ umask 0077
+ if $mkdir "$tmpdir"; then
+ umask $save_umask
else
+ umask $save_umask
$echo "$modename: error: cannot create temporary directory =
\`$tmpdir'" 1>&2
continue
fi
file=3D`$echo "X$file$stripped_ext" | $Xsed -e 's%^.*/%%'`
outputname=3D"$tmpdir/$file"
# Replace the output file specification.
---->8-------->8-------->8-------->8-------->8-------->8-------->8-------->=
8----
Scott
--=20
Have you ever, ever felt like this?
Had strange things happen? Are you going round the twist?
--=-UwDLgg4hDwheSMmRXyhP
Content-Type: application/pgp-signature; name=signature.asc
Content-Description: This is a digitally signed message part
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
iD8DBQBAIAW2IexP3IStZ2wRAin9AJ9Mj85MPktW6teW6Pz0P2Z6Kh9dMgCfQf8b
zeItGZpFMKD25WRSoTbuFRA=
=LFg6
-----END PGP SIGNATURE-----
--=-UwDLgg4hDwheSMmRXyhP--
