The chmod has a race (that access to the temporary directory could be gained after it is created but before it is chmoded) - which I pointed out when I reported this security bug four years ago <http://www.geocrawler.com/mail/msg.php3?msg_id=3438808&list=405>
Hm, interesting. That is the exact same bug that I found. As for the race with chmod: Do you know of a really good way to exploit this one? I can only think of pretty harmless things to do with this. You could fix this by using something like:
(umask 077 && mkdir $tmpdir) || exit 1
But once you are at it you should also change the way the name of the directory is generated. By predicting it an attacker can keep libtool from creating its temporary directories. That means libtool will not completely do its job. In contrast to the little chmod race this could actually be a problem. A fix could be something like:
tmpdir="$tmpdir.$RANDOM.$RANDOM.$RANDOM"
But then again this could all just be paranoia. The chmod race is AFAIK hardly a risk and the second issue applies to pretty much every shell script that doesn't use mktemp.
But that's no reason not to fix it. Based on some code from libtool you would get:
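    tmpdir="/tmp"
    test -n "$TMPDIR" && tmpdir="$TMPDIR"
    # PID plus three random components make the name hard to predict
    tmpdir="$tmpdir/libtool-$$.$RANDOM.$RANDOM.$RANDOM"
    # the umask makes the directory private from the moment it is created
    (umask 077 && $mkdir "$tmpdir") || {
      $echo "some error message" 1>&2
      continue
    }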
Regards,
Stefan Nordhausen
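Added example, not part of the original message or of libtool's code: the two fixes discussed in the message above (creating the directory under umask 077 instead of chmod-ing it afterwards, and not relying on a predictable name) combined into one helper that prefers mktemp when it is available. The function names private_mkdir and make_private_tmpdir are hypothetical; the "libtool-" prefix follows the message.

```shell
# private_mkdir and make_private_tmpdir are hypothetical helper names.

# Create "$1" as a new directory that is mode 0700 from the instant it exists.
# The umask applies inside mkdir(2) itself, so there is no window before a
# later chmod. mkdir fails if the name already exists, including when it is
# a symlink planted by another user, so the caller never adopts a foreign path.
private_mkdir() {
    (umask 077 && mkdir "$1")
}

# Print the path of a fresh private directory under $TMPDIR (default /tmp).
make_private_tmpdir() {
    base="${TMPDIR:-/tmp}"

    # Preferred: mktemp -d chooses an unpredictable name and creates it 0700.
    if command -v mktemp >/dev/null 2>&1; then
        if dir=$(mktemp -d "$base/libtool-XXXXXX"); then
            printf '%s\n' "$dir"
            return 0
        fi
    fi

    # Fallback without mktemp: retry with a new name when mkdir reports a
    # collision. $RANDOM is empty in plain POSIX sh, so names are then
    # guessable; that only lets someone block creation, not take over the dir.
    tries=0
    while [ "$tries" -lt 10 ]; do
        dir="$base/libtool-$$.${RANDOM:-$tries}.${RANDOM:-0}.${RANDOM:-0}"
        if private_mkdir "$dir" 2>/dev/null; then
            printf '%s\n' "$dir"
            return 0
        fi
        tries=$((tries + 1))
    done
    echo "cannot create a private temporary directory under $base" >&2
    return 1
}
```

A caller should treat a non-zero return as fatal rather than falling back to a shared path.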