[Fwd: Re: Symlink Vulnerability in GNU libtool <1.5.2]

libtool - vulnerability, see attached.

In 7.3 it looks like more or less the same patch as attached (provided
the attached patch works), except that it should start around line 4320
in /usr/share/libtool/ltmain.sh instead of 5673.

Looks like Debian has a patch out for this one, too.

And I expect one for RHL 9 too. - starting around line 4457 - same file.

-sv

--- Begin Message ---
On Tue, 2004-02-03 at 09:47, Joseph S. Myers wrote:

> On Fri, 30 Jan 2004, Stefan Nordhausen wrote:
> > Solution:
> > Updating to libtool 1.5.2 (the current stable release) will eliminate
> > the vulnerability. If you want to stick with your old version of libtool
> > you can easily fix this bug yourself. In "ltmain.in" (or file "libtool", 
> > whichever applies for you) you should replace the line:
> > 
> The chmod has a race (that access to the temporary directory could be
> gained after it is created but before it is chmoded)
> 
Would this patch be sufficient?  Gary et al. okay to apply if it is?

----8<--------8<--------8<--------8<--------8<--------8<--------8<--------8<----
2003-02-03  Scott James Remnant  <scott@xxxxxxxxxxxx>

	* ltmain.in: Create temporary directory under a strict umask
	rather than running chmod afterwards, preventing a race
	condition where the directory could be replaced with a symbolic
	link in the time between the two commands.

diff -u -r1.334.2.20 ltmain.in
--- ltmain.in   3 Feb 2004 19:55:29 -0000       1.334.2.20
+++ ltmain.in   3 Feb 2004 20:29:07 -0000
@@ -5673,11 +5673,15 @@
              tmpdir="/tmp"
              test -n "$TMPDIR" && tmpdir="$TMPDIR"
              tmpdir="$tmpdir/libtool-$$"
-             if $mkdir "$tmpdir" && chmod 700 "$tmpdir"; then :
+             save_umask=`umask`
+             umask 0077
+             if $mkdir "$tmpdir"; then
+               umask $save_umask
              else
+               umask $save_umask
                $echo "$modename: error: cannot create temporary directory \`$tmpdir'" 1>&2
                continue
              fi
              file=`$echo "X$file$stripped_ext" | $Xsed -e 's%^.*/%%'`
              outputname="$tmpdir/$file"
              # Replace the output file specification.
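Review bot: The `if $mkdir "$tmpdir"; then` test is now the only check against a `$tmpdir` that already exists, and the name `libtool-$$` is predictable, so the fix depends on `$mkdir` failing when the path is already present. The value of `$mkdir` is not visible in this hunk; if it ever carries `-p`, an existing path would be accepted without error, so it is worth confirming it expands to plain mkdir here or adding a comment that failure-on-exists is required. As a style point, `umask $save_umask` is repeated in both branches: capturing the mkdir status, restoring the umask once, and then testing the status would make it harder for a later edit to leave the strict umask in effect.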
---->8-------->8-------->8-------->8-------->8-------->8-------->8-------->8----

Scott
-- 
Have you ever, ever felt like this?
Had strange things happen?  Are you going round the twist?


--- End Message ---
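
The race discussed in this thread, shown as an added example that is not part of the original messages or of libtool: the pre-patch `mkdir` then `chmod` pattern beside the umask-first pattern from the patch. The function names and scratch paths are constructed for illustration.

```shell
#!/bin/sh
# Added example, not libtool code. Names and scratch paths are constructed.

# Print the type/permission string of a path, e.g. drwx------
mode_of() { ls -ld "$1" | cut -c1-10; }

# Pre-patch pattern (mkdir, then chmod 700). Prints the mode the directory
# has in the window after mkdir and before chmod, then tightens it.
racy_window_mode() {
    mkdir "$1" || return 1
    mode_of "$1"
    chmod 700 "$1"
}

# Patched pattern: strict umask first, so the directory is never looser
# than 0700. Plain mkdir (no -p) fails if the name already exists in any
# form, including a symbolic link. The umask is restored on both outcomes.
private_mkdir() {
    _saved=$(umask)
    umask 0077
    if mkdir "$1" 2>/dev/null; then _rc=0; else _rc=1; fi
    umask "$_saved"
    return "$_rc"
}

# Runs in a subshell (parenthesised body) so the umask change stays local.
demo() (
    base=$(mktemp -d) || exit 1
    umask 0022
    echo "mkdir && chmod, mode inside the window: $(racy_window_mode "$base/a")"
    private_mkdir "$base/b" && echo "umask first, mode at creation: $(mode_of "$base/b")"
    ln -s "$base/elsewhere" "$base/c"   # name that already exists (constructed)
    private_mkdir "$base/c" || echo "existing name refused, nothing followed"
    rm -rf "$base"
)

demo
```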
