Hello,

lots of (at least: too many) Fedora Core packages have files with paths
referring to the build environment. Such paths are

* RPATHS in programs/libraries

  When files were linked badly in the build, it may happen that they get an
  RPATH into the temporary build environment (RPATH is the path which is
  used to resolve libraries). E.g. when a program '/usr/bin/foo' is linked
  so that it looks for libraries in /var/tmp/foo-root/usr/lib, this can be
  easily exploited.

  This example uses $RPM_BUILD_ROOT; more common are $RPM_BUILD_DIR rpaths.
  Although the latter rpaths have more preconditions for a successful
  exploit, they are still vulnerabilities which must be fixed. See
  http://www.securityfocus.com/archive/1/351758/2004-01-27/2004-02-02/0
  for a related bugtraq posting.

* $RPM_BUILD_ROOT in files

  Unfortunately, there exist lots of packages which do not support
  installation into snapshot directories. So, hacks like %makeinstall will
  be used which can lead to adding temporary $RPM_BUILD_ROOT paths to the
  files. For an example, see /usr/bin/HtFileType from htdig-3.2.0b5-5[1]:

  | magic_file=/var/tmp/htdig-root/etc/htdig/HtFileType-magic.mime
                ~~~~~~~~~~~~~~~~~~~

  Besides broken make-systems, there are some other reasons for the
  inclusion of such paths (e.g. linking against internal copies of
  libraries; see /usr/lib/librpm.la of rpm-4.3-0.20[2]).

Such paths affect both functionality and security in a negative manner.
E.g. an attacker could place a HtFileType-magic.mime which causes overflows
into the world-writable /var/tmp directory. Or, you get simple 'No such
file' errors.

These kinds of bugs are relatively easy to detect: you just have to search
for uncommon RPATHs and grep for '$RPM_BUILD_ROOT' shortly after %install.
I wrote a small package 'rpm-audit'[3] which hooks into
%%__arch_install_post; perhaps every Fedora package should be checked with
it.

Current flaws are:

* checks for $RPM_BUILD_DIR are not done since there may be legitimate
  reasons for its occurrence (debug-info)
* all files under $RPM_BUILD_ROOT will be checked; some files which are
  %excluded in the %files list may be false positives.


Enrico

Footnotes:
[1] https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=116442
[2] https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=116891
[3] http://www.tu-chemnitz.de/~ensc/fedora.us-build/qa/; scripts are part
    of fedora.us's fedora-rpmdevtools package too. The .spec file tells how
    to apply it.
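As an added example (this is not Enrico's rpm-audit nor any of the scripts linked in [3]), here is a check of the kind the post describes, written to be run against a populated build root after %install. It differs from the described tool in one respect: instead of blacklisting `$RPM_BUILD_ROOT`, it whitelists the library directories an RPATH may point to, so `$RPM_BUILD_DIR` rpaths (e.g. `/usr/src/redhat/BUILD/...`) are reported as well; file contents are still only grepped for the build-root path, for the debug-info reason given above. Assumptions: the script name `buildroot-audit.sh`, the list of accepted RPATH prefixes in `rpath_ok`, and that `readelf` from binutils is installed; the sample build root in the usage comment is constructed for illustration.

```shell
#!/bin/bash
# buildroot-audit.sh: added example, not part of the rpm-audit package.
# Usage: buildroot-audit.sh "$RPM_BUILD_ROOT"   (exit 1 if anything is found)
# Reports
#   1. ELF files whose RPATH/RUNPATH leaves the system library directories
#      (build-root or $RPM_BUILD_DIR paths, ".", empty entries, "..")
#   2. files whose contents embed the build-root path itself, i.e. the
#      $RPM_BUILD_ROOT leak shown above for HtFileType.
# Assumption: the prefixes accepted in rpath_ok are the ones a Fedora
# package may legitimately use; adjust them for another filesystem layout.

# rpath_ok RPATH -> exit 0 if every ':'-separated component is acceptable.
rpath_ok() {
    local rpath=$1 dir
    local IFS=':'
    for dir in $rpath; do
        case $dir in
            /*/..|/*/../*)                            return 1 ;;  # absolute path escaping via ..
            /lib|/lib64|/usr/lib|/usr/lib64)                   ;;  # system directories
            /lib/*|/lib64/*|/usr/lib/*|/usr/lib64/*)           ;;  # a package's private subdir
            '$ORIGIN'|'$ORIGIN'/*|'${ORIGIN}'|'${ORIGIN}'/*)   ;;  # relative to the binary
            *)                                        return 1 ;;  # /var/tmp/foo-root, BUILD dir, ".", ""
        esac
    done
    return 0
}

# elf_rpath FILE -> print the RPATH or RUNPATH of an ELF file, if any.
# Needs readelf from binutils; non-ELF input yields no output.
elf_rpath() {
    readelf -d "$1" 2>/dev/null |
        grep -E '\((RPATH|RUNPATH)\)' |
        sed -n '1s/.*\[\(.*\)\]$/\1/p'
}

# find_buildroot_refs ROOT -> list files under ROOT whose contents contain
# the ROOT path (text or binary, the leak is the same either way).
find_buildroot_refs() {
    grep -rlF -- "$1" "$1" 2>/dev/null || true
}

# scan_buildroot ROOT -> print one line per finding; exit 1 if any.
scan_buildroot() {
    local root=${1%/} findings
    findings=$(
        # candidates for an RPATH: shared objects and executables
        find "$root" -type f \( -name '*.so*' -o -perm -100 \) |
        while IFS= read -r f; do
            rp=$(elf_rpath "$f")
            [ -n "$rp" ] || continue
            rpath_ok "$rp" || printf 'BAD RPATH      %s: %s\n' "${f#"$root"}" "$rp"
        done
        find_buildroot_refs "$root" | sed 's/^/BUILDROOT PATH /'
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

if [ $# -gt 0 ]; then
    scan_buildroot "$1"
fi
```

Pointing `%__arch_install_post` at this script (as rpm-audit does for its own checks) runs it on every build; the whitelist means a package whose libraries legitimately live in a private `/usr/lib/<name>/` directory passes, while the `/var/tmp/foo-root/usr/lib` and `/usr/src/redhat/BUILD/...` cases from the post fail.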