On Fri, Jul 18, 2008 at 00:54, Jan Minář <rdancer@xxxxxxxxxxx> wrote: > The attacker has to create the temporary file> ``/tmp/Makefile-conf<PID>'' before it is first written to at (1). In> the time between (1) and (2), arbitrary commands can be written to the> file. They will be executed at (2). > Patch fixing this vulnerability can be found at the following URL:>> http://www.rdancer.org/vulnerablevim-configure.in.patch Using mktemp is a lot safer than using $$, but the file can still bewritten to between the creation and setup of the file and the eval.Dealing with temporary files in shell scripts is always racy. Thisfixes the easily guessed PID-pattern problem and as mktemp creates itsfile in a hopefully non-shared directory, increases security a greatdeal, but it's still racy. Why not use pipes instead? eval "`cd /usr/lib/python2.4/config && (cat Makefile - <<'eof'__: @echo "python_MODLIBS='$(MODLIBS)'" @echo "python_LIBS='$(LIBS)'" @echo "python_SYSLIBS='$(SYSLIBS)'" @echo "python_LINKFORSHARED='$(LINKFORSHARED)'"eof) | make -f - __ | sed '/ directory /d'`" (I really don't see the point of the sed. Isn't that informationoutput to stderr anyway (in which case it should be suppressed?)) I'm not sure if this requires too much from make and sh, though. Itworks with Bash's sh emulation.
