Package: libtool
Version: 2.4.2-1.11
Severity: grave
Tags: security upstream
Forwarded: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=21951
Justification: user security hole
I've just reported the following bug upstream:

The libtoolize behavior depends on parent directories, which is a security issue (in addition to surprising behavior) because files may belong to other users, e.g. if the build is done in some /tmp subdirectory. I don't know what the other users can do exactly (in addition to making a build fail), though...

FYI, there was some confusion because we got errors like:

zimmerma@tarte:/tmp/mpfr$ ./autogen.sh
autoreconf: Entering directory `.'
autoreconf: configure.ac: not using Gettext
autoreconf: running: aclocal --force --warnings=all -I m4
autoreconf: configure.ac: tracing
autoreconf: running: libtoolize --copy --force
libtoolize: putting macros in AC_CONFIG_MACRO_DIR, `m4'.
libtoolize: copying file `m4/libtool.m4'
libtoolize: copying file `m4/ltoptions.m4'
libtoolize: copying file `m4/ltsugar.m4'
libtoolize: copying file `m4/ltversion.m4'
libtoolize: copying file `m4/lt~obsolete.m4'
autoreconf: running: /usr/bin/autoconf --force --warnings=all
autoreconf: configure.ac: not using Autoheader
autoreconf: running: automake --add-missing --copy --force-missing --warnings=all
configure.ac:275: installing './ar-lib'
configure.ac:270: installing './compile'
configure.ac:55: installing './config.guess'
configure.ac:55: installing './config.sub'
configure.ac:35: installing './install-sh'
configure.ac:486: error: required file './ltmain.sh' not found
[...]

After doing a diff of the libtoolize trace (sh -x ...) between two different machines, I saw:

 + test -f ./install-sh
 + test -f ./install.sh
 + test -f ../install-sh
 + test -f ../install.sh
-+ auxdir=..
-+ break
-+ test -n ..
++ test -f ../../install-sh
++ test -f ../../install.sh
++ test -n
++ auxdir=.

which was the cause of the error.
-- System Information:
Debian Release: stretch/sid
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.2.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=POSIX, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libtool depends on:
ii  autotools-dev             20150820.1
ii  clang-3.4 [c-compiler]    1:3.4.2-16
ii  clang-3.5 [c-compiler]    1:3.5.2-3
ii  clang-3.6 [c-compiler]    1:3.6.2-3
ii  clang-3.7 [c-compiler]    1:3.7-4
ii  clang-3.8 [c-compiler]    1:3.8~svn250696-1
ii  cpp                       4:5.2.1-4
ii  file                      1:5.25-2
ii  gcc [c-compiler]          4:5.2.1-4
ii  gcc-4.6 [c-compiler]      4.6.4-7
ii  gcc-4.8 [c-compiler]      4.8.5-1
ii  gcc-4.9 [c-compiler]      4.9.3-5
ii  gcc-5 [c-compiler]        5.2.1-23
ii  libc6-dev [libc-dev]      2.19-22

Versions of packages libtool recommends:
ii  libltdl-dev               2.4.2-1.11

Versions of packages libtool suggests:
ii  autoconf                  2.69-9+local1
ii  automake [automaken]      1:1.15-3
pn  gcj-jdk                   <none>
pn  gfortran | fortran95-compiler  <none>
ii  libtool-doc               2.4.2-1.11

-- no debconf information
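The following sh script is an added example, not part of the bug report and not libtool's own code. It emulates the auxdir search visible in the sh -x trace above (try ./, ../ and ../../, testing install-sh and then install.sh at each level, first hit wins, otherwise auxdir=.) so that the report's scenario can be reproduced: a build directory under a shared location such as /tmp silently picks up an install-sh that somebody else left one or two levels up. It also adds the check a cautious autogen.sh could run before trusting the result, namely that whatever file decided the auxdir is owned by the user running the build. The function names, the directory tree and the planted install-sh are constructed here for the demonstration; only the search order and the file names come from the trace.

```shell
#!/bin/sh
# Added example: emulate the auxdir lookup seen in the libtoolize trace and
# check who owns the file that decided it. Not libtool's code.

# find_auxdir DIR
# Search order taken from the trace: . .. ../.. (relative to DIR), testing
# install-sh then install.sh in each; the first hit wins (the trace's
# "break"), and if nothing is found auxdir falls back to "." (the trace's
# "test -n '' ; auxdir=.").
find_auxdir() {
    dir=$1
    auxdir=
    for cand in . .. ../..; do
        for name in install-sh install.sh; do
            if [ -f "$dir/$cand/$name" ]; then
                auxdir=$cand
                break 2
            fi
        done
    done
    [ -n "$auxdir" ] || auxdir=.
    printf '%s\n' "$auxdir"
}

# check_auxdir_owner DIR AUXDIR
# Return 0 if every install-sh / install.sh present in DIR/AUXDIR belongs to
# the invoking user, 1 (with a warning on stderr) otherwise. A hit in a
# world-writable parent such as /tmp owned by another account is exactly the
# situation the report worries about. POSIX find's -user is used so the check
# works with dash as /bin/sh (test -O is not POSIX).
check_auxdir_owner() {
    dir=$1
    auxdir=$2
    me=$(id -un)
    for name in install-sh install.sh; do
        f=$dir/$auxdir/$name
        [ -e "$f" ] || continue
        if [ -z "$(find "$f" -user "$me" -print 2>/dev/null)" ]; then
            printf 'warning: auxdir decided by %s, which is not owned by %s\n' \
                "$f" "$me" >&2
            return 1
        fi
    done
    return 0
}

# demo: build a constructed tree <tmp>/work/project with nothing in it, then
# drop an install-sh into <tmp>/work (one level above the build directory) and
# watch auxdir flip from "." to "..". Here we plant the file ourselves, so the
# owner check passes; in the report's scenario another user planted it.
demo() {
    tmp=$(mktemp -d "${TMPDIR:-/tmp}/auxdir-demo.XXXXXX")
    mkdir -p "$tmp/work/project"
    printf 'clean tree:        auxdir=%s\n' "$(find_auxdir "$tmp/work/project")"
    : > "$tmp/work/install-sh"
    found=$(find_auxdir "$tmp/work/project")
    printf 'install-sh in ../: auxdir=%s\n' "$found"
    if check_auxdir_owner "$tmp/work/project" "$found"; then
        echo 'owner check: ok (the demo planted the file itself)'
    fi
    rm -rf "$tmp"
}

demo
```

Run it as `sh auxdir-demo.sh`. To see the reporter's situation rather than the self-planted one, have a second account create `install-sh` in the parent of your build directory; `find_auxdir` still answers `..` and `check_auxdir_owner` then returns 1 and prints the warning, which is the point at which a build script should stop instead of letting libtoolize proceed.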