FROM: Joseph S. Myers
DATE: 03/13/2000 10:10:06
SUBJECT: libtool /tmp security

Libtool's ltmain.in / ltmain.sh attempts to create temporary files
securely by using a private directory in /tmp. It fails. The following
applies to the current libtool CVS, and to libtool 1.3.4.
The relevant code is:

    tmpdir="/tmp"
    test -n "$TMPDIR" && tmpdir="$TMPDIR"
    tmpdir="$tmpdir/libtool-$$"
    if $mkdir -p "$tmpdir" && chmod 700 "$tmpdir"; then :

However, mkdir -p will succeed if the directory already exists - or, on
some operating systems, if it is a symlink to a directory that exists.
The attacker may create some symlinks in /tmp pointing to a directory that
the user running libtool owns; say, / if that user is root; and in due
course it will be chmoded to 700 (in the case of /, a denial of service).
They may then, by winning a race, replace the symlink by a directory of
their own, mode 777, and at a suitable point replace the output file by
one they control; or, depending on what the relink_command does with its
output file, use a symlink to overwrite an arbitrary file the user running
libtool can write to. This security problem applies to any libtool-using
package where the relevant code gets used. If the local mkdir -p doesn't
like symlinks to directories (some tests suggest that GNU mkdir 4.0q will
accept them, but mkdir on Solaris 2.6 won't), a race also needs to be won
between the mkdir and the chmod - so that a directory owned by the hostile
user is replaced by a symlink to a directory owned by the victim.
mkdir should be used without -p, and either with -m 700 or an appropriate
umask set since otherwise a race renders the restriction on permissions by
chmod of limited use.
--
Joseph S. Myers
<EMAIL: PROTECTED>
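
The fix recommended in the last paragraph of the message, as an added shell example (not part of the original post and not libtool's code). The function names and the sandbox layout are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: hardened replacement for the quoted fragment.
# make_private_tmpdir and symlink_case are hypothetical names.

# Create BASE/NAME as a private directory and print its path.
# Returns non-zero if anything (directory, file or symlink) is already there.
make_private_tmpdir() {
    mpt_dir="$1/$2"
    # No -p: mkdir fails with EEXIST on an existing entry, symlinks included,
    # instead of silently accepting it. umask 077 and -m 700 apply the mode at
    # creation, so no separate chmod (and no race before it) is needed.
    # The subshell keeps the umask change from leaking to the caller.
    ( umask 077 && mkdir -m 700 "$mpt_dir" ) 2>/dev/null || return 1
    printf '%s\n' "$mpt_dir"
}

# Constructed scenario: a symlink with the predictable name already exists
# and points at a directory the caller owns. Returns 0 when creation is
# refused and the target's mode is untouched.
symlink_case() {
    sc_box=$(mktemp -d) || return 2
    mkdir -m 755 "$sc_box/victim"
    ln -s "$sc_box/victim" "$sc_box/libtool-1234"
    sc_before=$(ls -ld "$sc_box/victim" | cut -c1-10)
    sc_rc=0
    make_private_tmpdir "$sc_box" "libtool-1234" >/dev/null && sc_rc=1
    sc_after=$(ls -ld "$sc_box/victim" | cut -c1-10)
    [ "$sc_before" = "$sc_after" ] || sc_rc=1
    rm -rf "$sc_box"
    return "$sc_rc"
}
```

When make_private_tmpdir fails, the caller should abort rather than fall back to using the path that already exists.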