Received: (at 21951) by debbugs.gnu.org; 6 Aug 2016 17:09:50 +0000 From debbugs-submit-bounces <at> debbugs.gnu.org Sat Aug 06 13:09:50 2016 Received: from localhost ([127.0.0.1]:58118 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>) id 1bW56b-0003NJ-Qj for submit <at> debbugs.gnu.org; Sat, 06 Aug 2016 13:09:49 -0400 Received: from ioooi.vinc17.net ([92.243.22.117]:58087) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <vincent@HIDDEN>) id 1bW56Z-0003N9-0A for 21951 <at> debbugs.gnu.org; Sat, 06 Aug 2016 13:09:48 -0400 Received: from smtp-zira.vinc17.net (128.119.75.86.rev.sfr.net [86.75.119.128]) by ioooi.vinc17.net (Postfix) with ESMTPSA id 5AA4669B; Sat, 6 Aug 2016 19:09:45 +0200 (CEST) Received: by zira.vinc17.org (Postfix, from userid 1000) id 34F73C25C66; Sat, 6 Aug 2016 19:09:45 +0200 (CEST) Date: Sat, 6 Aug 2016 19:09:45 +0200 From: Vincent Lefevre <vincent@HIDDEN> To: 21951 <at> debbugs.gnu.org, 805454@HIDDEN Subject: Re: [security] libtoolize behavior depends on parent directories Message-ID: <20160806170945.GA7066@HIDDEN> References: <20151118110558.GA26362@HIDDEN> <20151118110937.GG6417@HIDDEN> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <20151118110937.GG6417@HIDDEN> X-Mailer-Info: https://www.vinc17.net/mutt/ User-Agent: Mutt/1.6.2-6749-vl-r90618 (2016-08-02) X-Spam-Score: -1.2 (-) X-Debbugs-Envelope-To: 21951 X-BeenThere: debbugs-submit <at> debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: <debbugs-submit.debbugs.gnu.org> List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe> List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/> List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org> List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help> List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe> Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org> X-Spam-Score: -1.2 (-) Could this bug be eventually fixed? One can compromise other users' account for those who run things from /tmp subdirectories, e.g. User1: echo "echo Hacked >> ~/.profile" > /tmp/install-sh chmod 755 /tmp/install-sh cp /tmp/install-sh /tmp/config.guess User2: * Have some libtool-based source in /tmp/some_dir * From this directory, run: autoreconf -i ./configure The consequence is that User2 has "Hacked" written at the end of his .profile file. Of course, one can do much worse... -- Vincent Lefèvre <vincent@HIDDEN> - Web: <https://www.vinc17.net/> 100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/> Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
bug-libtool@HIDDEN:bug#21951; Package libtool.
Full text available.Received: (at 21951) by debbugs.gnu.org; 18 Nov 2015 11:09:58 +0000 From debbugs-submit-bounces <at> debbugs.gnu.org Wed Nov 18 06:09:58 2015 Received: from localhost ([127.0.0.1]:42423 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>) id 1Zz0cg-0003KW-Ft for submit <at> debbugs.gnu.org; Wed, 18 Nov 2015 06:09:58 -0500 Received: from ioooi.vinc17.net ([92.243.22.117]:51823) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from <vincent@HIDDEN>) id 1Zz0cM-0003K5-PS for 21951 <at> debbugs.gnu.org; Wed, 18 Nov 2015 06:09:57 -0500 Received: from smtp-zira.vinc17.net (128.119.75.86.rev.sfr.net [86.75.119.128]) by ioooi.vinc17.net (Postfix) with ESMTPSA id 47373322; Wed, 18 Nov 2015 12:09:37 +0100 (CET) Received: by zira.vinc17.org (Postfix, from userid 1000) id 21672C2026E; Wed, 18 Nov 2015 12:09:37 +0100 (CET) Date: Wed, 18 Nov 2015 12:09:37 +0100 From: Vincent Lefevre <vincent@HIDDEN> To: 21951 <at> debbugs.gnu.org Subject: Re: [security] libtoolize behavior depends on parent directories Message-ID: <20151118110937.GG6417@HIDDEN> References: <20151118110558.GA26362@HIDDEN> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <20151118110558.GA26362@HIDDEN> X-Mailer-Info: https://www.vinc17.net/mutt/ User-Agent: Mutt/1.5.24-6524-vl-r83103 (2015-11-09) X-Spam-Score: -0.6 (/) X-Debbugs-Envelope-To: 21951 Cc: Paul Zimmermann <Paul.Zimmermann@HIDDEN> X-BeenThere: debbugs-submit <at> debbugs.gnu.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: <debbugs-submit.debbugs.gnu.org> List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe> List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/> List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org> List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help> List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe> Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org> X-Spam-Score: -0.6 (/) I forgot to say that this was on a Debian/unstable machine with: libtoolize (GNU libtool) 2.4.2 But the source of the latest version 2.4.6 shows the same problem. -- Vincent Lefèvre <vincent@HIDDEN> - Web: <https://www.vinc17.net/> 100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/> Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
bug-libtool@HIDDEN:bug#21951; Package libtool.
Full text available.Received: (at submit) by debbugs.gnu.org; 18 Nov 2015 11:06:18 +0000 From debbugs-submit-bounces <at> debbugs.gnu.org Wed Nov 18 06:06:18 2015 Received: from localhost ([127.0.0.1]:42418 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>) id 1Zz0Z7-0003F0-CX for submit <at> debbugs.gnu.org; Wed, 18 Nov 2015 06:06:17 -0500 Received: from eggs.gnu.org ([208.118.235.92]:49117) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from <vincent@HIDDEN>) id 1Zz0Z5-0003Es-G0 for submit <at> debbugs.gnu.org; Wed, 18 Nov 2015 06:06:15 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from <vincent@HIDDEN>) id 1Zz0Z4-00031c-4O for submit <at> debbugs.gnu.org; Wed, 18 Nov 2015 06:06:15 -0500 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org X-Spam-Level: X-Spam-Status: No, score=0.8 required=5.0 tests=BAYES_50 autolearn=disabled version=3.3.2 Received: from lists.gnu.org ([2001:4830:134:3::11]:45515) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from <vincent@HIDDEN>) id 1Zz0Z3-00031Y-WB for submit <at> debbugs.gnu.org; Wed, 18 Nov 2015 06:06:14 -0500 Received: from eggs.gnu.org ([2001:4830:134:3::10]:59091) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from <vincent@HIDDEN>) id 1Zz0Z2-0003yh-St for bug-libtool@HIDDEN; Wed, 18 Nov 2015 06:06:13 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from <vincent@HIDDEN>) id 1Zz0Yw-00030W-NI for bug-libtool@HIDDEN; Wed, 18 Nov 2015 06:06:12 -0500 Received: from ioooi.vinc17.net ([92.243.22.117]:53560) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from <vincent@HIDDEN>) id 1Zz0Yw-0002za-Gm for bug-libtool@HIDDEN; Wed, 18 Nov 2015 06:06:06 -0500 Received: from smtp-zira.vinc17.net (128.119.75.86.rev.sfr.net [86.75.119.128]) by ioooi.vinc17.net (Postfix) with ESMTPSA id 471AA322; Wed, 18 Nov 2015 12:05:58 +0100 (CET) Received: by zira.vinc17.org (Postfix, from userid 1000) id 1DF2EC2026E; Wed, 18 Nov 2015 12:05:58 +0100 (CET) Date: Wed, 18 Nov 2015 12:05:58 +0100 From: Vincent Lefevre <vincent@HIDDEN> To: bug-libtool@HIDDEN Subject: [security] libtoolize behavior depends on parent directories Message-ID: <20151118110558.GA26362@HIDDEN> Mail-Followup-To: Vincent Lefevre <vincent@HIDDEN>, bug-libtool@HIDDEN, Paul Zimmermann <Paul.Zimmermann@HIDDEN> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline X-Mailer-Info: https://www.vinc17.net/mutt/ User-Agent: Mutt/1.5.24-6524-vl-r83103 (2015-11-09) Content-Transfer-Encoding: quoted-printable X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x X-detected-operating-system: by eggs.gnu.org: Error: Malformed IPv6 address (bad octet value). X-Received-From: 2001:4830:134:3::11 X-Spam-Score: -5.0 (-----) X-Debbugs-Envelope-To: submit Cc: Paul Zimmermann <Paul.Zimmermann@HIDDEN> X-BeenThere: debbugs-submit <at> debbugs.gnu.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: <debbugs-submit.debbugs.gnu.org> List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe> List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/> List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org> List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help> List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe> Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org> X-Spam-Score: -5.0 (-----) The libtoolize behavior depends on parent directories, which is a security issue (in addition to surprising behavior) because files may belong to other users, e.g. if the build is done in some /tmp subdirectory. I don't know what the other users can do exactly (in addition to make a build fail), though... FYI, there was some confusion because we got errors like: zimmerma@tarte:/tmp/mpfr$ ./autogen.sh autoreconf: Entering directory `.' autoreconf: configure.ac: not using Gettext autoreconf: running: aclocal --force --warnings=3Dall -I m4 autoreconf: configure.ac: tracing autoreconf: running: libtoolize --copy --force libtoolize: putting macros in AC_CONFIG_MACRO_DIR, `m4'. libtoolize: copying file `m4/libtool.m4' libtoolize: copying file `m4/ltoptions.m4' libtoolize: copying file `m4/ltsugar.m4' libtoolize: copying file `m4/ltversion.m4' libtoolize: copying file `m4/lt~obsolete.m4' autoreconf: running: /usr/bin/autoconf --force --warnings=3Dall autoreconf: configure.ac: not using Autoheader autoreconf: running: automake --add-missing --copy --force-missing --warn= ings=3Dall configure.ac:275: installing './ar-lib' configure.ac:270: installing './compile' configure.ac:55: installing './config.guess' configure.ac:55: installing './config.sub' configure.ac:35: installing './install-sh' configure.ac:486: error: required file './ltmain.sh' not found [...] After doing a diff of the libtoolize trace (sh -x ...) between two different machines, I saw: + test -f ./install-sh + test -f ./install.sh + test -f ../install-sh + test -f ../install.sh -+ auxdir=3D.. -+ break -+ test -n .. ++ test -f ../../install-sh ++ test -f ../../install.sh ++ test -n=20 ++ auxdir=3D. which was the cause of the error. --=20 Vincent Lef=E8vre <vincent@HIDDEN> - Web: <https://www.vinc17.net/> 100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/> Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
Vincent Lefevre <vincent@HIDDEN>:bug-libtool@HIDDEN.
Full text available.bug-libtool@HIDDEN:bug#21951; Package libtool.
Full text available.
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997 nCipher Corporation Ltd,
1994-97 Ian Jackson.