On Friday 25 July 2008, Jan Minář wrote:
> 2008/7/25 Robert Buchholz <rbu@xxxxxxxxxx>:
> > On Friday 18 July 2008, Jan Minář wrote:
> > ...
> >
> > > 3. Vulnerability
> > >
> > > During the build process, a temporary file with a predictable name
> > > is created in the ``/tmp'' directory. This code is run when Vim
> > > is being built with Python support:
> > >
> > > src/configure.in:
> > >
> > >          677   dnl -- we need to examine Python's config/Makefile too
> > >          678   dnl    see what the interpreter is built from
> > >          679   AC_CACHE_VAL(vi_cv_path_python_plibs,
> > >          680   [
> > >          681     tmp_mkf="/tmp/Makefile-conf$$"
> > > (1)-->   682     cat ${PYTHON_CONFDIR}/Makefile - <<'eof' >${tmp_mkf}
> > >          683   __:
> > >          684           @echo "python_MODLIBS='$(MODLIBS)'"
> > >          685           @echo "python_LIBS='$(LIBS)'"
> > >          686           @echo "python_SYSLIBS='$(SYSLIBS)'"
> > >          687           @echo "python_LINKFORSHARED='$(LINKFORSHARED)'"
> > >          688   eof
> > >          689     dnl -- delete the lines from make about Entering/Leaving directory
> > > (2)-->   690     eval "`cd ${PYTHON_CONFDIR} && make -f ${tmp_mkf} __ | sed '/ directory /d'`"
> > >          691     rm -f ${tmp_mkf}
> > >
> > > The attacker has to create the temporary file
> > > ``/tmp/Makefile-conf<PID>'' before it is first written to at (1).
> > > In the time between (1) and (2), arbitrary commands can be written
> > > to the file. They will be executed at (2).
> >
> > The commands do not have to be written there between (1) and (2),
> > they can be in the file long before the ./configure was started --
> > just because the script does care whether it can write to the file
> > at all. So unlike stated in the advisory, and in CVE-2008-3294, the
> > issue does not involve a race condition if the attacker would
> > choose to create a 644 file.
>
> The file gets truncated in (1). You're wrong, the advisory is right.

Truncation will fail if the configure is not running as root.

Robert
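The two readings of the bug above (Jan's (1)..(2) race against a writable file, and Robert's point that a non-root configure simply fails to truncate a file the attacker owns, leaving the planted recipe for `make -f` to run) can be modelled without a second user account. The following is an added example, not code from the thread or from Vim: it re-creates the `cat ... >${tmp_mkf}` pattern in Python inside a private directory that stands in for `/tmp`, uses a read-only file to stand in for "owned by another user, mode 0644", and contrasts it with the `O_CREAT|O_EXCL` behaviour that `mkstemp` (the `mktemp(1)` family) builds on. `GENERATED`, `PLANTED`, the `demo` helper and the `Makefile-conf.` prefix are constructed for the example.

```python
import os
import shutil
import tempfile

# Constructed stand-ins (not Vim's real output): the helper Makefile the
# configure script generates at (1), and a recipe an attacker might plant.
GENERATED = "__:\n\t@echo \"python_LIBS='-lpthread'\"\n"
PLANTED = "__:\n\t@echo pwned >> /tmp/owned\n"   # hypothetical attacker recipe


def is_root():
    return os.geteuid() == 0


def predictable_path(tmpdir, pid):
    """Mirror /tmp/Makefile-conf$$: the name depends only on the shell's PID,
    which an attacker can read from ps(1) or simply pre-create for a range."""
    return os.path.join(tmpdir, "Makefile-conf%d" % pid)


def vulnerable_write(tmpdir, pid):
    """The configure.in pattern at (1): `cat ... >file` opens the predictable
    name with O_CREAT|O_TRUNC and carries on whatever happens.  Returns whose
    content the file holds when `make -f` would run it at (2)."""
    path = predictable_path(tmpdir, pid)
    try:
        with open(path, "w") as f:      # O_WRONLY|O_CREAT|O_TRUNC, follows symlinks
            f.write(GENERATED)
    except PermissionError:
        # Robert's case: a non-root build cannot truncate a file it may not
        # write to, the failed redirection is only a warning to the shell, and
        # the planted recipe is what make executes next.  Root ignores the
        # mode bits and overwrites it, which is where Jan's (1)..(2) race applies.
        pass
    with open(path) as f:
        return "attacker" if f.read() == PLANTED else "build"


def exclusive_create(path):
    """What a safe temp-file API relies on: O_CREAT|O_EXCL refuses an existing
    name (EEXIST) whatever its owner or mode, and also refuses a symlink."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(path, flags, 0o600)
    except FileExistsError:
        return False
    os.close(fd)
    return True


def hardened_write(tmpdir):
    """mktemp(1)-style replacement: random name, created with O_EXCL and mode
    0600, so a pre-planted file can neither be reused nor read by others.
    Returns the path to hand to `make -f` and unlink afterwards."""
    fd, path = tempfile.mkstemp(prefix="Makefile-conf.", dir=tmpdir)
    with os.fdopen(fd, "w") as f:
        f.write(GENERATED)
    return path


def demo(attacker_mode):
    """Attacker plants the predictable file with the given mode, then the build
    runs.  Mode 0o444 stands in for "owned by another user, 0644": the build
    user can read it but cannot open it for writing.
    Returns (vulnerable outcome, O_EXCL refused the planted name, hardened outcome)."""
    tmpdir = tempfile.mkdtemp()          # private stand-in for /tmp
    try:
        pid = os.getpid()
        planted = predictable_path(tmpdir, pid)
        with open(planted, "w") as f:
            f.write(PLANTED)
        os.chmod(planted, attacker_mode)
        vuln = vulnerable_write(tmpdir, pid)
        refused = not exclusive_create(planted)
        safe = hardened_write(tmpdir)
        with open(safe) as f:
            ok = f.read() == GENERATED and safe != planted
        return vuln, refused, "build" if ok else "attacker"
    finally:
        shutil.rmtree(tmpdir)


if __name__ == "__main__":
    print("writable planted file: ", demo(0o644))
    print("read-only planted file:", demo(0o444))
```

Run as a normal user, the read-only case ends with the attacker's recipe in place without any race; run as root, the same call overwrites the planted file and the attacker is back to racing the window between (1) and (2). In both cases `exclusive_create` refuses the planted name outright, which is why the fix for this class of bug is an unpredictable name created with `O_EXCL` (and the temp file removed on every exit path), not merely a harder-to-guess name.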