Scott James Remnant <scott@netsplit.com>

* ltmain.in: Don't use the mkdir -p option when creating a
temporary output directory so a symlink attack can't be used to
arbitrarily chmod other directories on the system if libtool
gets run as root.

diff --git a/ChangeLog b/ChangeLog
index d404feb0252d3572851b9b1de6d4ee3f6355dfdb..b448a21552e5fe2a7b17a8abe170e5c272566835 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2004-01-23  Stefan Nordhausen  <nordhaus@informatik.hu-berlin.de>
+       Scott James Remnant  <scott@netsplit.com>
+
+       * ltmain.in: Don't use the mkdir -p option when creating a
+       temporary output directory so a symlink attack can't be used to
+       arbitrarily chmod other directories on the system if libtool
+       gets run as root.
+
 2004-01-23  Scott James Remnant  <scott@netsplit.com>
 
        * ltmain.in: new -precious-files-regex link mode option

diff --git a/ltmain.in b/ltmain.in
index c28a4da1546844d410da8c786860f9d034a9854b..dff3256582ae50ad94faf035193c4dde169fb180 100644 (file)
--- a/ltmain.in
+++ b/ltmain.in
@@ -5616,7 +5616,7 @@ relink_command=\"$relink_command\""
              tmpdir="/tmp"
              test -n "$TMPDIR" && tmpdir="$TMPDIR"
              tmpdir="$tmpdir/libtool-$$"
-             if $mkdir -p "$tmpdir" && chmod 700 "$tmpdir"; then :
+             if $mkdir "$tmpdir" && chmod 700 "$tmpdir"; then :
              else
                $echo "$modename: error: cannot create temporary directory \`$tmpdir'" 1>&2
                continue