Bugtraq mailing list archives

Re: Symlink Vulnerability in GNU libtool <1.5.2

From: Scott James Remnant <scott () netsplit com>
Date: Tue, 03 Feb 2004 20:33:58 +0000

On Tue, 2004-02-03 at 09:47, Joseph S. Myers wrote:

On Fri, 30 Jan 2004, Stefan Nordhausen wrote:

Solution:
Updating to libtool 1.5.2 (the current stable release) will eliminate
the vulnerability. If you want to stick with your old version of libtool
you can easily fix this bug yourself. In "ltmain.in" (or file "libtool", 
whichever applies for you) you should replace the line:

The chmod has a race (that access to the temporary directory could be
gained after it is created but before it is chmoded)

Would this patch be sufficient?  Gary et al. okay to apply if it is?

----8<--------8<--------8<--------8<--------8<--------8<--------8<--------8<----
2003-02-03  Scott James Remnant  <scott () netsplit com>

        * ltmain.in: Create temporary directory under a strict umask
        rather than running chmod afterwards, preventing a race
        condition where the directory could be replaced with a symbolic
        link in the time between the two commands.

diff -u -r1.334.2.20 ltmain.in
--- ltmain.in   3 Feb 2004 19:55:29 -0000       1.334.2.20
+++ ltmain.in   3 Feb 2004 20:29:07 -0000
@@ -5673,11 +5673,15 @@
              tmpdir="/tmp"
              test -n "$TMPDIR" && tmpdir="$TMPDIR"
              tmpdir="$tmpdir/libtool-$$"
-             if $mkdir "$tmpdir" && chmod 700 "$tmpdir"; then :
+             save_umask=`umask`
+             umask 0077
+             if $mkdir "$tmpdir"; then
+               umask $save_umask
              else
+               umask $save_umask
                $echo "$modename: error: cannot create temporary directory \`$tmpdir'" 1>&2
                continue
              fi
              file=`$echo "X$file$stripped_ext" | $Xsed -e 's%^.*/%%'`
              outputname="$tmpdir/$file"
              # Replace the output file specification.
---->8-------->8-------->8-------->8-------->8-------->8-------->8-------->8----

Scott
-- 
Have you ever, ever felt like this?
Had strange things happen?  Are you going round the twist?

Attachment: signature.asc
Description: This is a digitally signed message part

Current thread:

Symlink Vulnerability in GNU libtool <1.5.2 Stefan Nordhausen (Feb 02)
- Re: Symlink Vulnerability in GNU libtool <1.5.2 Joseph S. Myers (Feb 03)
  - Re: Symlink Vulnerability in GNU libtool <1.5.2 Scott James Remnant (Feb 04)
  - Re: Symlink Vulnerability in GNU libtool <1.5.2 Stefan Nordhausen (Feb 05)
- Re: Symlink Vulnerability in GNU libtool <1.5.2 Stefan Nordhausen (Feb 03)
- Re: Symlink Vulnerability in GNU libtool <1.5.2 jsm (Feb 05)