On Fri, 30 Jan 2004, Stefan Nordhausen wrote: > Solution: > Updating to libtool 1.5.2 (the current stable release) will eliminate > the vulnerability. If you want to stick with your old version of libtool > you can easily fix this bug yourself. In "ltmain.in" (or file "libtool", > whichever applies for you) you should replace the line: > > if $mkdir -p "$tmpdir" && chmod 700 "$tmpdir"; then : > > with > > if $mkdir "$tmpdir" && chmod 700 "$tmpdir"; then : The chmod has a race (that access to the temporary directory could be gained after it is created but before it is chmoded) - which I pointed out when I reported this security bug four years ago <http://www.geocrawler.com/mail/msg.php3?msg_id=3438808&list=405> - so is of limited security value. Alexandre Oliva's patch at that time (<orsnxk8oqu.fsf@garnize.lsd.ic.unicamp.br> on libtool-patches) used umask to avoid that problem, but wasn't committed (an entirely separate patch was committed under that log message). -- Joseph S. Myers jsm@polyomino.org.uk
