To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: install-sh: insecure use of /tmp
Date: Thu, 4 Sep 2014 11:49:46 +0200
Package: automake
Version: 1:1.14.1-3
Severity: minor
Tags: security
When the destination directory does not exist, install-sh checks if
"mkdir -p" works, but it does so in an insecure way. Here are the
relevant parts of the code:
mkdirprog=${MKDIRPROG-mkdir}
# ...
tmpdir=${TMPDIR-/tmp}/ins$RANDOM-$$
trap 'ret=$?; rmdir "$tmpdir/d" "$tmpdir" 2>/dev/null; exit $ret' 0
if (umask $mkdir_umask &&
exec $mkdirprog $mkdir_mode -p -- "$tmpdir/d") >/dev/null 2>&1
then
# ...
rmdir "$tmpdir/d" "$tmpdir"
else
# ...
In some shells (such as dash) $RANDOM is not set, so $tmpdir is easily
predictable. Moreover, "mkdir -p" follows symlinks to existing
directories. A local attacker can exploit this to create or remove empty
directories named "d". (But on modern Linux systems this is mitigated by
the protected_symlinks feature.)
--
Jakub Wilk
Information forwarded to debian-bugs-dist@lists.debian.org, Eric Dorland <eric@debian.org>: Bug#760455; Package automake. (Fri, 12 Sep 2014 12:24:04 GMT)
Acknowledgement sent to Vasyl Kaigorodov <vkaigoro@redhat.com>: Extra info received and forwarded to list. Copy sent to Eric Dorland <eric@debian.org>. (Fri, 12 Sep 2014 12:24:04 GMT)
Hello,
It was discovered [1] that there's an issue in how automake handles
temp directories.
When the destination directory does not exist, install-sh checks if
"mkdir -p" works, but it does so in an insecure way. Here are the
relevant parts of the code:
mkdirprog=${MKDIRPROG-mkdir}
# ...
tmpdir=${TMPDIR-/tmp}/ins$RANDOM-$$
trap 'ret=$?; rmdir "$tmpdir/d" "$tmpdir" 2>/dev/null; exit $ret' 0
if (umask $mkdir_umask &&
exec $mkdirprog $mkdir_mode -p -- "$tmpdir/d") >/dev/null 2>&1
then
# ...
rmdir "$tmpdir/d" "$tmpdir"
else
# ...
In some shells (such as dash) $RANDOM is not set, so $tmpdir is easily
predictable. Moreover, "mkdir -p" follows symlinks to existing
directories. A local attacker can exploit this to create or remove empty
directories named "d". (But on modern Linux systems this is mitigated
by the protected_symlinks feature.)
References:
[1]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=760455
[2]: https://bugzilla.redhat.com/show_bug.cgi?id=1140725
[3]: https://bugs.gentoo.org/show_bug.cgi?id=522638
Can a CVE ID be assigned to this please?
Thanks.
--
Vasyl Kaigorodov | Red Hat Product Security
PGP: 0xABB6E828 A7E0 87FF 5AB5 48EB 47D0 2868 217B F9FC ABB6 E828
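The race described in the two reports above, as an added example that is not part of the bug report, of the Red Hat forward, or of automake itself. It reduces the quoted install-sh check to a function, runs it against a symlink an "attacker" has planted at the guessed name, and then runs the same check with the mkdir-without--p step that Pavel Raiskup's patch (quoted further down in this thread) adds. Everything it uses is constructed: a private directory from mktemp stands in for /tmp, a "victim" directory stands in for the directory the attacker targets, $mkdir_umask and $mkdir_mode are replaced by a fixed umask of 022, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the bug report or from automake: reproduce
# the /tmp race inside a private sandbox (standing in for /tmp) and show
# why creating $tmpdir first without -p closes it.  Paths, function names
# and the "victim" directory are constructed for this demonstration.

# Reduced copy of the vulnerable check: one "mkdir -p" of "$tmpdir/d" and
# the cleanup rmdir, the sequence quoted in the report ($mkdir_umask and
# $mkdir_mode replaced by a fixed umask).
vulnerable_check() {
    tmpdir=$1
    if (umask 022 && mkdir -p -- "$tmpdir/d") >/dev/null 2>&1; then
        rmdir "$tmpdir/d" "$tmpdir" 2>/dev/null || :
        return 0
    fi
    return 1
}

# Same check with the fix: mkdir without -p fails with EEXIST when anything
# (directory, file or symlink) already sits at the guessed name, so the
# later "mkdir -p" only ever runs inside a directory this process created.
hardened_check() {
    tmpdir=$1
    if (umask 022 && mkdir "$tmpdir" && mkdir -p -- "$tmpdir/a/b") >/dev/null 2>&1; then
        rmdir "$tmpdir/a/b" "$tmpdir/a" "$tmpdir" 2>/dev/null || :
        return 0
    fi
    rmdir "$tmpdir" 2>/dev/null || :
    return 1
}

# Run one check against an attacker-prepared sandbox and report two facts:
# the check's exit status and whether the victim's empty "d" directory
# survived.  Prints "check_rc=<n> victim_d_exists=<yes|no>".
run_demo() {
    sandbox=$(mktemp -d) || return 2
    victim="$sandbox/victim"
    mkdir -p "$victim/d"            # an empty directory the attacker wants removed
    # Under dash $RANDOM expands to nothing, so the real name is "ins-<pid>"
    # and the pid is visible in ps; here the attacker simply knows it.
    guessed="$sandbox/ins-$$"
    ln -s "$victim" "$guessed"      # planted before install-sh runs
    if "$1" "$guessed"; then rc=0; else rc=$?; fi
    if [ -d "$victim/d" ]; then survived=yes; else survived=no; fi
    rm -rf "$sandbox"
    echo "check_rc=$rc victim_d_exists=$survived"
}

echo "vulnerable: $(run_demo vulnerable_check)"   # check passes, victim/d is gone
echo "hardened:   $(run_demo hardened_check)"     # check fails closed, victim/d intact
```

The script behaves the same under dash and bash, since it never relies on $RANDOM itself. The sandbox is a normal directory owned by the running user, not a sticky world-writable one, so the kernel's fs.protected_symlinks restriction (which only applies to symlinks in sticky directories owned by another user) does not come into play; that is why the vulnerable variant still loses its "d" directory on a kernel with the mitigation enabled, and also why the mitigation should not be mistaken for a fix in the script.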
Information forwarded to debian-bugs-dist@lists.debian.org, alexvong1995@gmail.com, Eric Dorland <eric@debian.org>: Bug#760455; Package automake. (Fri, 07 Aug 2015 15:39:06 GMT)
Acknowledgement sent to Alex Vong <alexvong1995@gmail.com>: Extra info received and forwarded to list. Copy sent to alexvong1995@gmail.com, Eric Dorland <eric@debian.org>. (Fri, 07 Aug 2015 15:39:07 GMT)
To: Debian Bug Tracking System <760455@bugs.debian.org>
Subject: Re: install-sh: insecure use of /tmp
Date: Fri, 07 Aug 2015 23:34:56 +0800
Package: automake
Version: 1:1.15-2
Followup-For: Bug #760455
Dear Maintainer,
A patch fixing the bug authored by Pavel Raiskup is available
from Red Hat Bugzilla. The patch has been forwarded to upstream,
but it has not been merged yet.
References:
https://bugzilla.redhat.com/show_bug.cgi?id=1140725
http://lists.gnu.org/archive/html/automake-patches/2015-04/msg00001.html
-- System Information:
Debian Release: stretch/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.1.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=zh_TW.utf8, LC_CTYPE=zh_TW.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages automake depends on:
ii autoconf 2.69-8
ii autotools-dev 20140911.1
automake recommends no packages.
Versions of packages automake suggests:
pn autoconf-doc <none>
pn gnu-standards <none>
-- no debconf information
*** automake-install-sh.patch
diff --git a/lib/install-sh b/lib/install-sh
index 0b0fdcb..59990a1 100755
--- a/lib/install-sh
+++ b/lib/install-sh
@@ -1,7 +1,7 @@
#!/bin/sh
# install - install a program, script, or datafile
-scriptversion=2013-12-25.23; # UTC
+scriptversion=2014-09-12.12; # UTC
# This originates from X11R5 (mit/util/scripts/install.sh), which was
# later released in X11R6 (xc/config/util/install.sh) with the
@@ -324,34 +324,41 @@ do
# is incompatible with FreeBSD 'install' when (umask & 300) != 0.
;;
*)
+ # $RANDOM is not portable (e.g. dash); use it when possible to
+ # lower collision chance
tmpdir=${TMPDIR-/tmp}/ins$RANDOM-$$
- trap 'ret=$?; rmdir "$tmpdir/d" "$tmpdir" 2>/dev/null; exit $ret' 0
+ trap 'ret=$?; rmdir "$tmpdir/a/b" "$tmpdir/a" "$tmpdir" 2>/dev/null; exit $ret' 0
+ # As "mkdir -p" follows symlinks and we work in /tmp possibly; so
+ # create the $tmpdir first (and fail if unsuccessful) to make sure
+ # that nobody tries to guess the $tmpdir name.
if (umask $mkdir_umask &&
- exec $mkdirprog $mkdir_mode -p -- "$tmpdir/d") >/dev/null 2>&1
+ $mkdirprog $mkdir_mode "$tmpdir" &&
+ exec $mkdirprog $mkdir_mode -p -- "$tmpdir/a/b") >/dev/null 2>&1
then
if test -z "$dir_arg" || {
# Check for POSIX incompatibilities with -m.
# HP-UX 11.23 and IRIX 6.5 mkdir -m -p sets group- or
# other-writable bit of parent directory when it shouldn't.
# FreeBSD 6.1 mkdir -m -p sets mode of existing directory.
- ls_ld_tmpdir=`ls -ld "$tmpdir"`
+ test_tmpdir="$tmpdir/a"
+ ls_ld_tmpdir=`ls -ld "$test_tmpdir"`
case $ls_ld_tmpdir in
d????-?r-*) different_mode=700;;
d????-?--*) different_mode=755;;
*) false;;
esac &&
- $mkdirprog -m$different_mode -p -- "$tmpdir" && {
- ls_ld_tmpdir_1=`ls -ld "$tmpdir"`
+ $mkdirprog -m$different_mode -p -- "$test_tmpdir" && {
+ ls_ld_tmpdir_1=`ls -ld "$test_tmpdir"`
test "$ls_ld_tmpdir" = "$ls_ld_tmpdir_1"
}
}
then posix_mkdir=:
fi
- rmdir "$tmpdir/d" "$tmpdir"
+ rmdir "$tmpdir/a/b" "$tmpdir/a" "$tmpdir"
else
# Remove any dirs left behind by ancient mkdir implementations.
- rmdir ./$mkdir_mode ./-p ./-- 2>/dev/null
+ rmdir ./$mkdir_mode ./-p ./-- "$tmpdir" 2>/dev/null
fi
trap '' 0;;
esac;;
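Review bot: the non-recursive `$mkdirprog $mkdir_mode "$tmpdir"` added before the `-p` call is what closes the race, since mkdir without -p fails with EEXIST when anything, including a symlink planted at the guessed name, already exists there, so `mkdir -p -- "$tmpdir/a/b"` only runs inside a directory this process just created; two residual points remain. First, whatever mode `$mkdir_mode` carries (it is set earlier in the script, outside this hunk) is now applied to `$tmpdir` itself; if that mode grants write permission to group or others, another user can place a symlink at "$tmpdir/a" between the two mkdir calls and the following `-p` call will follow it, so consider creating "$tmpdir" with a fixed private mode (for example under `umask 077`, or with `-m 700`) and applying `$mkdir_mode` only to the inner "a/b" path that the `ls -ld "$test_tmpdir"` comparison inspects. Second, the else branch's new `rmdir ./$mkdir_mode ./-p ./-- "$tmpdir" 2>/dev/null` also runs when the very first mkdir failed because the name belonged to someone else; rmdir refuses symlinks and, on a sticky /tmp, another user's directory, so this is harmless, but a one-line comment saying it is intentional would spare the next reader the same analysis. Style: the comment 'As "mkdir -p" follows symlinks and we work in /tmp possibly; so' does not parse; suggest 'Since "mkdir -p" follows symlinks and $tmpdir may live in a world-writable /tmp, create $tmpdir itself first (failing if it already exists) so that a pre-planted name cannot redirect the test.'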
Added tag(s) patch. Request was from Alex Vong <alexvong1995@gmail.com> to control@bugs.debian.org. (Fri, 07 Aug 2015 16:39:03 GMT)
Reply sent to Eric Dorland <eric@debian.org>: You have taken responsibility. (Sat, 15 Aug 2015 11:21:10 GMT)
Notification sent to Jakub Wilk <jwilk@debian.org>: Bug acknowledged by developer. (Sat, 15 Aug 2015 11:21:10 GMT)
Subject: Bug#760455: fixed in automake-1.15 1:1.15-3
Date: Sat, 15 Aug 2015 11:20:23 +0000
Source: automake-1.15
Source-Version: 1:1.15-3
We believe that the bug you reported is fixed in the latest version of
automake-1.15, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 760455@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Eric Dorland <eric@debian.org> (supplier of updated automake-1.15 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sat, 15 Aug 2015 04:50:13 -0400
Source: automake-1.15
Binary: automake
Architecture: source all
Version: 1:1.15-3
Distribution: unstable
Urgency: medium
Maintainer: Eric Dorland <eric@debian.org>
Changed-By: Eric Dorland <eric@debian.org>
Description:
automake - Tool for generating GNU Standards-compliant Makefiles
Closes: 760455
Changes:
automake-1.15 (1:1.15-3) unstable; urgency=medium
.
* debian/rules: Remove unnecessary touching that was needed by dropped
02-init-m4-newline.diff.
* debian/patches/0003-install-sh-avoid-low-risk-race-in-tmp.patch: Fix
low risk insecure use of /tmp. Patch from Pavel Raiskup. (Closes:
#760455)
* debian/rules: Use dh --parallel.
Checksums-Sha1:
572121b8778de5c89dca36b5dd0a8b9f247c0719 2238 automake-1.15_1.15-3.dsc
7c7b38248069b5a48accd2a2af06c74c8b33ace8 11740 automake-1.15_1.15-3.debian.tar.xz
abac7bfca261617d63353b03ee14f47c1ae43c4f 735376 automake_1.15-3_all.deb
Checksums-Sha256:
b751dc3f3139bffaacc2c2e9f034b69a6f0dc1589b0321c2d80d9c339e73dd03 2238 automake-1.15_1.15-3.dsc
1e2639c2bb529f518a7933976a093281443f03fc38afe8dd1bd261b729a3e5a2 11740 automake-1.15_1.15-3.debian.tar.xz
fb488b5c8e2cf957af3faf24e34266bbb5016eb454d07b3975bab55e87340270 735376 automake_1.15-3_all.deb
Files:
d6c3c4aa5b4d20414269cc0213b10fdd 2238 devel optional automake-1.15_1.15-3.dsc
d55adb7f656e313e98b361f2becdf929 11740 devel optional automake-1.15_1.15-3.debian.tar.xz
9c1ce18c3bf5882a1f3390d96661b117 735376 devel optional automake_1.15-3_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
Bug reassigned from package 'automake' to 'src:automake-1.15'. Request was from Andreas Beckmann <anbe@debian.org> to control@bugs.debian.org. (Sun, 21 Feb 2016 23:51:36 GMT)
No longer marked as found in versions automake-1.15/1:1.15-2 and automake-1.14/1:1.14.1-3. Request was from Andreas Beckmann <anbe@debian.org> to control@bugs.debian.org. (Sun, 21 Feb 2016 23:51:37 GMT)
No longer marked as fixed in versions automake-1.15/1:1.15-3. Request was from Andreas Beckmann <anbe@debian.org> to control@bugs.debian.org. (Sun, 21 Feb 2016 23:51:38 GMT)
Marked as found in versions automake-1.15/1:1.15-2. Request was from Andreas Beckmann <anbe@debian.org> to control@bugs.debian.org. (Sun, 21 Feb 2016 23:51:38 GMT)
Marked as fixed in versions automake-1.15/1:1.15-3. Request was from Andreas Beckmann <anbe@debian.org> to control@bugs.debian.org. (Sun, 21 Feb 2016 23:51:39 GMT)
Marked as found in versions automake-1.15/1:1.14.1-3. Request was from Andreas Beckmann <anbe@debian.org> to control@bugs.debian.org. (Sun, 21 Feb 2016 23:51:40 GMT)
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 21 Mar 2016 07:41:01 GMT)
Bug unarchived. Request was from Petter Reinholdtsen <pere@hungry.com> to control@bugs.debian.org. (Wed, 15 Jun 2016 08:15:12 GMT)
Bug 760455 cloned as bugs 827346, 827347. Request was from Petter Reinholdtsen <pere@hungry.com> to control@bugs.debian.org. (Wed, 15 Jun 2016 08:15:12 GMT)
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 14 Jul 2016 07:31:50 GMT)