Package: automake
Version: 1:1.14.1-3
Severity: minor
Tags: security
When the destination directory does not exist, install-sh checks if
"mkdir -p" works, but it does so in an insecure way. Here are the
relevant parts of the code:
mkdirprog=${MKDIRPROG-mkdir}
# ...
tmpdir=${TMPDIR-/tmp}/ins$RANDOM-$$
trap 'ret=$?; rmdir "$tmpdir/d" "$tmpdir" 2>/dev/null; exit $ret' 0
if (umask $mkdir_umask &&
exec $mkdirprog $mkdir_mode -p -- "$tmpdir/d") >/dev/null 2>&1
then
# ...
rmdir "$tmpdir/d" "$tmpdir"
else
# ...
In some shells (such as dash) $RANDOM is not set, so $tmpdir is easily
predictable. Moreover, "mkdir -p" follows symlinks to existing
directories. Local attacker can exploit this to create or remove empty
directories named "d". (But on modern Linux systems this is mitigated by
the protected_symlinks feature.)
--
Jakub Wilk
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
