On Friday 18 July 2008, Jan Minář wrote: ... > 3. Vulnerability > > During the build process, a temporary file with a predictable name is > created in the ``/tmp'' directory. This code is run when Vim is > being build with Python support: > > src/configure.in: > > 677 dnl -- we need to examine Python's > config/Makefile too 678 dnl see what the interpreter is > built from 679 AC_CACHE_VAL(vi_cv_path_python_plibs, > 680 [ > 681 tmp_mkf="/tmp/Makefile-conf$$" > (1)--> 682 cat ${PYTHON_CONFDIR}/Makefile - <<'eof' > >${tmp_mkf} 683 __: > 684 @echo "python_MODLIBS='$(MODLIBS)'" > 685 @echo "python_LIBS='$(LIBS)'" > 686 @echo "python_SYSLIBS='$(SYSLIBS)'" > 687 @echo "python_LINKFORSHARED='$(LINKFORSHARED)'" > 688 eof > 689 dnl -- delete the lines from make about > Entering/Leaving directory > (2)--> 690 eval "`cd ${PYTHON_CONFDIR} && make -f > ${tmp_mkf} __ | sed '/ directory /d'`" > 691 rm -f ${tmp_mkf} > > The attacker has to create the temporary file > ``/tmp/Makefile-conf<PID>'' before it is first written to at (1). In > the time between (1) and (2), arbitrary commands can be written to > the file. They will be executed at (2). The commands do not have to be written there between (1) and (2), they can be in the file long before the ./configure was started -- just because the script does care whether it can write to the file at all. So unlike stated in the advisory, and in CVE-2008-3294, the issue does not involve a race condition if the attacker would choose to create a 644 file. Robert
Attachment:
signature.asc
Description: This is a digitally signed message part.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/