Source: pbuilder
Version: 0.215+nmu3
Severity: grave
Tags: security

pbuilder builds the package in $BUILDPLACE/tmp/buildd. But $BUILDPLACE/tmp is normally world-writable, and pbuilder doesn't fail if the buildd directory already exists:

   mkdir -p "$BUILDPLACE/tmp/buildd"

There's a race window between unpacking base.tgz and the mkdir call when a malicious local user could create their own $BUILDPLACE/tmp/buildd. Owning the buildd directory would let them tamper with the build process.

Alternatively, the attacker could exploit #789401 to plant tmp/buildd directly in base.tgz.


-- System Information:
Debian Release: stretch/sid
 APT prefers unstable
 APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.0.0-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages pbuilder depends on:
ii  coreutils              8.23-4
ii  debconf [debconf-2.0]  1.5.56
ii  debianutils            4.5.1
ii  debootstrap            1.0.70
ii  dpkg-dev               1.18.1
ii  wget                   1.16.3-2+b2

--
Jakub Wilk
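
Added example, not part of the original report and not pbuilder's code or its eventual fix: a shell sketch contrasting the `mkdir -p` pattern quoted above with an exclusive create that refuses a pre-existing buildd directory. The function names and the temporary directories standing in for $BUILDPLACE/tmp are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration. Function names are hypothetical; all paths are
# constructed under a private mktemp directory.

# The pattern from the report: succeeds whether or not buildd already exists,
# so a directory created earlier by another user is silently reused.
unsafe_mkdir_buildd() {
    mkdir -p "$1/buildd"
}

# Exclusive create: plain mkdir(1) fails with EEXIST if anything (directory,
# file or symlink) already occupies the name, so a pre-planted entry is
# detected instead of adopted.
safe_mkdir_buildd() {
    target="$1/buildd"
    if ! mkdir -m 0700 "$target" 2>/dev/null; then
        echo "refusing to use pre-existing $target" >&2
        return 1
    fi
    # Defence in depth: must be a real directory owned by the calling user.
    [ ! -L "$target" ] && [ -d "$target" ] && [ -O "$target" ]
}

demo() {
    root=$(mktemp -d) || return 1
    # "planted" stands in for a tmp directory where buildd was pre-created.
    mkdir "$root/clean" "$root/planted" "$root/planted/buildd"
    unsafe_mkdir_buildd "$root/planted" \
        && echo "mkdir -p: reused existing buildd without error"
    safe_mkdir_buildd "$root/planted" \
        || echo "exclusive mkdir: rejected existing buildd"
    safe_mkdir_buildd "$root/clean" \
        && echo "exclusive mkdir: created fresh buildd"
    rm -rf "$root"
}

demo
```
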

