Re: [Full-disclosure] Vim: Insecure Temporary File Creation During Build: Arbitrary Code Execution

2008/7/25 Robert Buchholz <rbu@xxxxxxxxxx>:
> On Friday 18 July 2008, Jan Minář wrote:
> ...
>> 3. Vulnerability
>>
>> During the build process, a temporary file with a predictable name is
>> created in the ``/tmp'' directory.  This code is run when Vim is
>> being built with Python support:
>>
>> src/configure.in:
>>
>>          677         dnl -- we need to examine Python's config/Makefile too
>>          678         dnl    see what the interpreter is built from
>>          679         AC_CACHE_VAL(vi_cv_path_python_plibs,
>>          680         [
>>          681             tmp_mkf="/tmp/Makefile-conf$$"
>>   (1)--> 682             cat ${PYTHON_CONFDIR}/Makefile - <<'eof' >${tmp_mkf}
>>          683 __:
>>          684         @echo "python_MODLIBS='$(MODLIBS)'"
>>          685         @echo "python_LIBS='$(LIBS)'"
>>          686         @echo "python_SYSLIBS='$(SYSLIBS)'"
>>          687         @echo "python_LINKFORSHARED='$(LINKFORSHARED)'"
>>          688 eof
>>          689             dnl -- delete the lines from make about Entering/Leaving directory
>>   (2)--> 690             eval "`cd ${PYTHON_CONFDIR} && make -f ${tmp_mkf} __ | sed '/ directory /d'`"
>>          691             rm -f ${tmp_mkf}
>>
>> The attacker has to create the temporary file
>> ``/tmp/Makefile-conf<PID>'' before it is first written to at (1).  In
>> the time between (1) and (2), arbitrary commands can be written to
>> the file.  They will be executed at (2).
>
> The commands do not have to be written there between (1) and (2), they
> can be in the file long before the ./configure was started -- just
> because the script does care whether it can write to the file at all.
> So unlike stated in the advisory, and in CVE-2008-3294, the issue does
> not involve a race condition if the attacker would choose to create a
> 644 file.

The file gets truncated in (1).  You're wrong, the advisory is right.
HTH HAND
Jan.
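
The following is an added example, not part of the original messages or of Vim's build scripts. It shows what a plain ">" redirection like the one at (1) does to a file that already exists, next to a hardened way to create the temporary Makefile with mktemp -d and noclobber. The function names, the "vimconf" template and the sandbox file name are assumptions made for the illustration.

```shell
#!/bin/sh
# Added illustration; function names and file names are assumptions.

# A ">" redirection onto an existing file discards the old content but
# reuses the same inode, so owner and mode stay as they were before.
redirect_onto_existing() {
    dir=$(mktemp -d) || return 1
    f="$dir/Makefile-conf-demo"      # constructed stand-in for /tmp/Makefile-conf$$
    printf 'PRE-EXISTING CONTENT\n' > "$f"
    chmod 644 "$f"
    before=$(ls -i "$f" | awk '{print $1}')
    printf '__:\n' > "$f"            # same kind of redirection as (1)
    after=$(ls -i "$f" | awk '{print $1}')
    content=$(cat "$f")
    rm -rf "$dir"
    [ "$before" = "$after" ] && same=same-inode || same=new-inode
    printf '%s %s\n' "$content" "$same"
}

# With noclobber (set -C) the shell refuses to write through ">" when the
# target already exists, instead of truncating and reusing it.
write_noclobber() {
    ( set -C; printf '__:\n' > "$1" ) 2>/dev/null
}

# Hardened form of the configure step: an unpredictable directory that
# mktemp -d creates with mode 0700, and a file inside it created with
# noclobber. Prints the file path; the caller removes the directory.
private_tmp_makefile() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/vimconf.XXXXXX") || return 1
    f="$dir/Makefile-conf"
    write_noclobber "$f" || { rm -rf "$dir"; return 1; }
    printf '%s\n' "$f"
}

redirect_onto_existing
```

Because the inode is reused, a file that another local user created beforehand remains that user's file after the write at (1), which is why the build needs a private, unpredictable location.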
