GNU bug report logs -
#21951
[security] libtoolize behavior depends on parent directories
Previous Next
To reply to this bug, email your comments to 21951 AT debbugs.gnu.org.
Toggle the display of automated, internal messages from the tracker.
Report forwarded
to
bug-libtool <at> gnu.org
:
bug#21951
; Package
libtool
.
(Wed, 18 Nov 2015 11:07:02 GMT)
Full text and
rfc822 format available.
Acknowledgement sent
to
Vincent Lefevre <vincent <at> vinc17.net>
:
New bug report received and forwarded. Copy sent to
bug-libtool <at> gnu.org
.
(Wed, 18 Nov 2015 11:07:02 GMT)
Full text and
rfc822 format available.
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
The libtoolize behavior depends on parent directories, which is
a security issue (in addition to surprising behavior) because
files may belong to other users, e.g. if the build is done in
some /tmp subdirectory. I don't know what the other users can
do exactly (in addition to make a build fail), though...
FYI, there was some confusion because we got errors like:
zimmerma <at> tarte:/tmp/mpfr$ ./autogen.sh
autoreconf: Entering directory `.'
autoreconf: configure.ac: not using Gettext
autoreconf: running: aclocal --force --warnings=all -I m4
autoreconf: configure.ac: tracing
autoreconf: running: libtoolize --copy --force
libtoolize: putting macros in AC_CONFIG_MACRO_DIR, `m4'.
libtoolize: copying file `m4/libtool.m4'
libtoolize: copying file `m4/ltoptions.m4'
libtoolize: copying file `m4/ltsugar.m4'
libtoolize: copying file `m4/ltversion.m4'
libtoolize: copying file `m4/lt~obsolete.m4'
autoreconf: running: /usr/bin/autoconf --force --warnings=all
autoreconf: configure.ac: not using Autoheader
autoreconf: running: automake --add-missing --copy --force-missing --warnings=all
configure.ac:275: installing './ar-lib'
configure.ac:270: installing './compile'
configure.ac:55: installing './config.guess'
configure.ac:55: installing './config.sub'
configure.ac:35: installing './install-sh'
configure.ac:486: error: required file './ltmain.sh' not found
[...]
After doing a diff of the libtoolize trace (sh -x ...) between
two different machines, I saw:
+ test -f ./install-sh
+ test -f ./install.sh
+ test -f ../install-sh
+ test -f ../install.sh
-+ auxdir=..
-+ break
-+ test -n ..
++ test -f ../../install-sh
++ test -f ../../install.sh
++ test -n
++ auxdir=.
which was the cause of the error.
--
Vincent Lefèvre <vincent <at> vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
Information forwarded
to
bug-libtool <at> gnu.org
:
bug#21951
; Package
libtool
.
(Wed, 18 Nov 2015 11:10:02 GMT)
Full text and
rfc822 format available.
Message #8 received at 21951 <at> debbugs.gnu.org (full text, mbox):
I forgot to say that this was on a Debian/unstable machine with:
libtoolize (GNU libtool) 2.4.2
But the source of the latest version 2.4.6 shows the same problem.
--
Vincent Lefèvre <vincent <at> vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
Information forwarded
to
bug-libtool <at> gnu.org
:
bug#21951
; Package
libtool
.
(Sat, 06 Aug 2016 17:10:02 GMT)
Full text and
rfc822 format available.
Message #11 received at 21951 <at> debbugs.gnu.org (full text, mbox):
Could this bug be eventually fixed?
One can compromise other users' account for those who run things
from /tmp subdirectories, e.g.
User1:
echo "echo Hacked >> ~/.profile" > /tmp/install-sh
chmod 755 /tmp/install-sh
cp /tmp/install-sh /tmp/config.guess
User2:
* Have some libtool-based source in /tmp/some_dir
* From this directory, run:
autoreconf -i
./configure
The consequence is that User2 has "Hacked" written at the end of
his .profile file. Of course, one can do much worse...
--
Vincent Lefèvre <vincent <at> vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
This bug report was last modified 7 years and 276 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.