Nikolai Weibull wrote:
> On Fri, Jul 18, 2008 at 00:54, Jan Mináø <[EMAIL PROTECTED]> wrote:
>
> > The attacker has to create the temporary file
> > ``/tmp/Makefile-conf<PID>'' before it is first written to at (1). In
> > the time between (1) and (2), arbitrary commands can be written to the
> > file. They will be executed at (2).
>
> > Patch fixing this vulnerability can be found at the following URL:
> >
> > http://www.rdancer.org/vulnerablevim-configure.in.patch
>
> Using mktemp is a lot safer than using $$, but the file can still be
> written to between the creation and setup of the file and the eval.
> Dealing with temporary files in shell scripts is always racy. This
> fixes the easily guessed PID-pattern problem and as mktemp creates its
> file in a hopefully non-shared directory, increases security a great
> deal, but it's still racy.

"mktemp" is supposed to create the file with 0600 permissions. The race
is very unlikely then. It's still better to create a private directory
though (which is what Vim does for its temp files).

> Why not use pipes instead?
>
> eval "`cd /usr/lib/python2.4/config && (cat Makefile - <<'eof'
> __:
> 	@echo "python_MODLIBS='$(MODLIBS)'"
> 	@echo "python_LIBS='$(LIBS)'"
> 	@echo "python_SYSLIBS='$(SYSLIBS)'"
> 	@echo "python_LINKFORSHARED='$(LINKFORSHARED)'"
> eof
> ) | make -f - __ | sed '/ directory /d'`"

I don't think that all implementations of make can read from stdin.

> (I really don't see the point of the sed. Isn't that information
> output to stderr anyway (in which case it should be suppressed?))

There is a difference between what is supposed to happen and what
actually happens. The whole idea of configure is that it handles subtle
differences between different systems and tools.

> I'm not sure if this requires too much from make and sh, though. It
> works with Bash's sh emulation.

Linux is the worst platform to test compatibility on. Try on an old HPUX
or SunOS system! :-)

-- 
ARTHUR:  Right!  Knights!  Forward!
         ARTHUR leads a charge toward the castle.  Various shots of them
         battling on, despite being hit by a variety of farm animals.
                 "Monty Python and the Holy Grail" PYTHON (MONTY) PICTURES LTD

 /// Bram Moolenaar -- [EMAIL PROTECTED] -- http://www.Moolenaar.net   \\\
///        sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\  download, build and distribute -- http://www.A-A-P.org        ///
 \\\            help me help AIDS victims -- http://ICCF-Holland.org    ///
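The thread above weighs three ways of getting make variables into configure's shell: the predictable `/tmp/Makefile-conf$$` file from the advisory, `mktemp`, and a pipe into `make -f -`. The script below is an added example, not code from Vim's configure.in or from anyone in the thread. It takes the private-directory route Bram mentions (an unpredictable `mktemp -d` directory checked to be mode 0700), keeps the portable `make -f FILE` invocation rather than relying on make reading stdin, and, as a second line of defence, refuses to `eval` anything that is not a plain `name='value'` line, so a stray "directory" message or an injected command causes failure rather than execution. The Makefile contents, the `vimconf.XXXXXX` template and the `python_*` variable names it fills are constructed for the example.

```shell
#!/bin/sh
# Added example, not Vim's configure.in: read make variables into shell
# variables without the predictable /tmp/Makefile-conf$$ file. Everything
# below runs on a constructed sample Makefile, not the real Python one.

# Only lines of exactly this shape are ever passed to eval:  name='value'
ASSIGN_RE="^[A-Za-z_][A-Za-z0-9_]*='[^']*'\$"

# Constructed stand-in for /usr/lib/python2.4/config/Makefile.
write_sample_makefile() {
    printf '%s\n' \
        'MODLIBS = -lfoo' \
        'LIBS = -lpthread -ldl -lutil' \
        'SYSLIBS = -lm' \
        'LINKFORSHARED = -Xlinker -export-dynamic' > "$1"
}

# The racy name from the advisory: derived from the PID, in a shared /tmp.
# Anyone can pre-create it (or a symlink) before the script's first write.
# Shown for contrast only; nothing here writes to it.
unsafe_tmpfile_name() {
    printf '/tmp/Makefile-conf%s\n' "$$"
}

# Private 0700 directory (the approach Bram says Vim uses for temp files).
# mktemp -d picks an unpredictable name and fails rather than reusing an
# existing path, so another user cannot plant a file or symlink inside it.
make_private_tmpdir() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/vimconf.XXXXXX") || return 1
    # Verify the result really is a directory with no group/other bits.
    [ -d "$dir" ] && [ ! -L "$dir" ] || return 1
    case $(ls -ld "$dir") in
        drwx------*) ;;
        *) rm -rf "$dir"; return 1 ;;
    esac
    printf '%s\n' "$dir"
}

# True iff stdin is non-empty and every line matches ASSIGN_RE.  A make
# warning, a "directory" message or an injected command all fail this.
is_assignment_list() {
    data=$(cat)
    [ -n "$data" ] || return 1
    ! printf '%s\n' "$data" | grep -qvE "$ASSIGN_RE"
}

# Ask make itself to print the expanded values (so $(...) references in the
# Makefile are resolved), then eval them into python_* variables.
# Returns 1, setting nothing, if the output is not a clean assignment list.
collect_make_vars() {
    makefile=$1
    old_umask=$(umask); umask 077
    tmpdir=$(make_private_tmpdir) || { umask "$old_umask"; return 1; }
    rules=$tmpdir/rules.mk
    out=$tmpdir/vars.sh
    {
        cat "$makefile"
        printf '__:\n'
        for v in MODLIBS LIBS SYSLIBS LINKFORSHARED; do
            # recipe lines must start with a literal tab
            printf '\t@echo "python_%s='"'"'$(%s)'"'"'"\n' "$v" "$v"
        done
    } > "$rules"
    status=0
    if ! make -f "$rules" __ > "$out" 2>/dev/null; then
        status=1
    elif ! is_assignment_list < "$out"; then
        status=1
    else
        eval "$(cat "$out")"
    fi
    rm -rf "$tmpdir"
    umask "$old_umask"
    return $status
}

# Stand-alone demo:  sh thisfile.sh --demo
if [ "${1-}" = "--demo" ]; then
    mf=$(mktemp "${TMPDIR:-/tmp}/sample.XXXXXX") && write_sample_makefile "$mf"
    collect_make_vars "$mf" && printf 'python_LIBS=%s\n' "$python_LIBS"
    rm -f "$mf"
fi
```

Two design points: the variables are only set after the whole output has been validated, so a partially poisoned file never gets half-evaluated; and a value that itself contains a single quote breaks the `name='value'` shape and makes the function fail closed, which is preferable to guessing at quoting inside `eval`. Whether a given make prints chatter on stdout varies by implementation, which is exactly why the check is on the output rather than on assumptions about where make writes its messages.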
