Full Disclosure mailing list archives
Re: Vim: Insecure Temporary File Creation During Build: Arbitrary Code Execution
From: "Jan Minář" <rdancer () rdancer org>
Date: Fri, 25 Jul 2008 03:16:00 +0100
2008/7/25 Robert Buchholz <rbu () gentoo org>:
On Friday 18 July 2008, Jan Minář wrote: ...3. Vulnerability During the build process, a temporary file with a predictable name is created in the ``/tmp'' directory. This code is run when Vim is being build with Python support: src/configure.in: 677 dnl -- we need to examine Python's config/Makefile too 678 dnl see what the interpreter is built from 679 AC_CACHE_VAL(vi_cv_path_python_plibs, 680 [ 681 tmp_mkf="/tmp/Makefile-conf$$" (1)--> 682 cat ${PYTHON_CONFDIR}/Makefile - <<'eof'${tmp_mkf} 683 __:684 @echo "python_MODLIBS='$(MODLIBS)'" 685 @echo "python_LIBS='$(LIBS)'" 686 @echo "python_SYSLIBS='$(SYSLIBS)'" 687 @echo "python_LINKFORSHARED='$(LINKFORSHARED)'" 688 eof 689 dnl -- delete the lines from make about Entering/Leaving directory (2)--> 690 eval "`cd ${PYTHON_CONFDIR} && make -f ${tmp_mkf} __ | sed '/ directory /d'`" 691 rm -f ${tmp_mkf} The attacker has to create the temporary file ``/tmp/Makefile-conf<PID>'' before it is first written to at (1). In the time between (1) and (2), arbitrary commands can be written to the file. They will be executed at (2).The commands do not have to be written there between (1) and (2), they can be in the file long before the ./configure was started -- just because the script does care whether it can write to the file at all. So unlike stated in the advisory, and in CVE-2008-3294, the issue does not involve a race condition if the attacker would choose to create a 644 file.
The file gets truncated in (1). You're wrong, the advisory is right. HTH HAND Jan. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Vim: Insecure Temporary File Creation During Build: Arbitrary Code Execution Jan Minář (Jul 17)
- Re: Vim: Insecure Temporary File Creation During Build: Arbitrary Code Execution Nikolai Weibull (Jul 18)
- Re: Vim: Insecure Temporary File Creation During Build: Arbitrary Code Execution Robert Buchholz (Jul 24)
- Re: Vim: Insecure Temporary File Creation During Build: Arbitrary Code Execution Jan Minář (Jul 24)
- Re: Vim: Insecure Temporary File Creation During Build: Arbitrary Code Execution Robert Buchholz (Jul 25)
- Re: Vim: Insecure Temporary File Creation During Build: Arbitrary Code Execution Steven M. Christey (Jul 25)
- Re: Vim: Insecure Temporary File Creation During Build: Arbitrary Code Execution Jan Minář (Jul 26)
- Re: Vim: Insecure Temporary File Creation During Build: Arbitrary Code Execution Jan Minář (Jul 24)