From: Stefano Lattarini Date: Fri, 6 Jul 2012 20:43:04 +0000 (+0200) Subject: distcheck: never make part of $(distdir) world-writable X-Git-Tag: v1.12.2~1^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bab7065f75bb9680df8c782da06a8312e5fa95a6;p=thirdparty%2Fautomake.git distcheck: never make part of $(distdir) world-writable This fixes a locally-exploitable security vulnerability (CVE-2012-3386). In the 'distcheck' rule, we used to make the just-extracted (from the distribution tarball) $(distdir) directory and all its files and subdirectories read-only; then, in order to create the '_inst' and '_build' subdirectories in there (used by the rest of the recipe) we made the top-level $(distdir) *world-writable* for an instant (the time to create those two directories) before making it read-only again. Making that directory world-writable (albeit only briefly) introduced a locally exploitable race condition for those who run "make distcheck" with a non-restrictive umask (e.g., 022) in a directory that is accessible by others. A successful exploit would result in arbitrary code execution with the privileges of the user running "make distcheck" -- game over. Jim Meyering wrote a proof-of-concept script showing that such exploit is easily implemented. This issue is similar to the CVE-2009-4029 vulnerability: * lib/am/distdir.am (distcheck): Don't make $(distdir) world-writable, not even for an instant; make it user-writable instead, which is enough. Helped-By: Jim Meyering Signed-off-by: Stefano Lattarini --- diff --git a/NEWS b/NEWS index ee1696185..4975e8e88 100644 --- a/NEWS +++ b/NEWS @@ -92,6 +92,15 @@ New in 1.12.2: Bugs fixed in 1.12.2: +* SECURITY VULNERABILITIES! + + - The recipe of the 'distcheck' no longer grants anymore temporary + world-wide write permissions on the extracted distdir. Even if such + rights were only granted for a vanishingly small time window, the + implied race condition proved to be enough to allow a local attacker + to run arbitrary code with the privileges of the user running "make + distcheck". This is CVE-2012-3386. + * Long-standing bugs: - The "recheck" targets behaves better in the face of build failures diff --git a/lib/am/distdir.am b/lib/am/distdir.am index e27b6504d..f636a1e2d 100644 --- a/lib/am/distdir.am +++ b/lib/am/distdir.am @@ -449,7 +449,7 @@ distcheck: dist ## Make the new source tree read-only. Distributions ought to work in ## this case. However, make the top-level directory writable so we ## can make our new subdirs. - chmod -R a-w $(distdir); chmod a+w $(distdir) + chmod -R a-w $(distdir); chmod u+w $(distdir) mkdir $(distdir)/_build mkdir $(distdir)/_inst ## Undo the write access.