Package: tendra
Version: 4.1.2-18
Severity: normal
Tags: patch security

tendra's ./INSTALL script writes to (for instance) /var/tmp/tuname_$$. /var/tmp
is world-writable and the only varying part of that name is the shell's PID, so
the path is predictable enough to be open to symlink attacks while compiling the
package: a local user who guesses the PID can pre-create a symlink there and have
the build overwrite whatever file it points at.

I'm not setting the usual grave severity for security bugs, since this doesn't
affect ordinary users of the package.

A patch follows; it'll also be available in
http://git.debian.org/?p=users/smcv/qa/tendra.git shortly.

Regards,
    Simon

commit f5048384bd4dd6ea1e954707f0c7951a61203692
Author: Simon McVittie <s...@debian.org>
Date:   2011-01-09 18:40:27 +0000

    Avoid writing predictable filenames to /var/tmp during package build
    
    This avoids potential symlink attacks.

diff --git a/INSTALL b/INSTALL
index e628d65..f2eeb91 100755
--- a/INSTALL
+++ b/INSTALL
@@ -75,6 +75,7 @@ MACH_DIR=${INSTALL_DIR}/machines
 MAN_DIR=${DEB_DIR}/usr/man
 WORK_DIR=${BASE_DIR}/work
 TEMP_DIR=/var/tmp
+TEMP_SUBDIR=`mktemp -d` || exit 1
 
 
 #
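Review bot: The directory created by the new `TEMP_SUBDIR=`mktemp -d` || exit 1` line is never cleaned up on the script's early-exit paths, because removal is only attempted at the very end of the script; an EXIT trap right after this line closes that gap, e.g. `trap 'rm -rf -- "${TEMP_SUBDIR}"' EXIT`. Note also that `mktemp -d` honours `$TMPDIR` (defaulting to /tmp) rather than the `TEMP_DIR=/var/tmp` kept on the line above, which now appears to be unused by the build; either drop it or pass it to mktemp with `-p` if /var/tmp is deliberate. The INSTALL script's interpreter is not visible in this hunk, so whether `trap … EXIT` behaves identically under it should be confirmed, though EXIT traps are POSIX.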
@@ -202,10 +203,10 @@ cat ${BASE_DIR}/COPYRIGHT
 #
 
 ${COMMENT} building host type determiner, tuname ...
-TUNAME=${TEMP_DIR}/tuname_$$${EXEC_SUFFIX}
-MACH_HEADER=${TEMP_DIR}/mach_$$.h
+TUNAME=${TEMP_SUBDIR}/tuname_$$${EXEC_SUFFIX}
+MACH_HEADER=${TEMP_SUBDIR}/mach_$$.h
 SRC=${BASE_DIR}/src/utilities/tuname
-cd ${TEMP_DIR} || exit 1
+cd ${TEMP_SUBDIR} || exit 1
 make -f ${SRC}/Makefile CC="${CC}" ${TCCOPTS}\
     BASE=${BASE_DIR} NAME=${TUNAME} all
 if [ -f ${TUNAME} ]
@@ -324,7 +325,7 @@ ${COMMENT}
 # during development work.
 #
 
-MACH_SED=${TEMP_DIR}/mach$$.sed
+MACH_SED=${TEMP_SUBDIR}/mach$$.sed
 cat > ${MACH_SED} << EOF
 1,\$s/MACH_OS/${MACH_OS}/g
 1,\$s/MACH_CPU/${MACH_CPU}/g
@@ -422,7 +423,7 @@ if ${BUILD_UPDATE}
 then
     ${COMMENT} installing tcc environments ...
 
-    ENV_SED=${TEMP_DIR}/env$$.sed
+    ENV_SED=${TEMP_SUBDIR}/env$$.sed
     cat > ${ENV_SED} << EOF
 1,\$s%-MACH-%${MACH_OS}/${MACH_CPU}%g
 1,\$s%-MACHDIR-%${MACH_BASE}%g
@@ -802,4 +803,6 @@ else
     ${COMMENT} installation completed with errors
     exit 1
 fi
+
+rm -r ${TMP_SUBDIR}
 exit 0
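Review bot: The added `rm -r ${TMP_SUBDIR}` refers to `TMP_SUBDIR`, but the variable introduced earlier in this patch is `TEMP_SUBDIR`, so on the success path this expands to a bare `rm -r`, the mktemp directory is left behind, and the error is hidden by the following `exit 0`. It should read `rm -rf -- "${TEMP_SUBDIR:?}"`, where `:?` aborts rather than running `rm -rf` with an empty operand. The `exit 1` in the error branch just above skips this cleanup entirely, so a trap set where the directory is created would be the more robust place for it. An earlier hunk does `cd ${TEMP_SUBDIR}`; if nothing changes directory back before this point the script is removing its own working directory, which is worth checking.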


