GNU bug report logs - #21951
[security] libtoolize behavior depends on parent directories

Previous Next

Package: libtool;

Reported by: Vincent Lefevre <vincent <at> vinc17.net>

Date: Wed, 18 Nov 2015 11:07:02 UTC

Severity: normal

To reply to this bug, email your comments to 21951 AT debbugs.gnu.org.

Toggle the display of automated, internal messages from the tracker.

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to bug-libtool <at> gnu.org:
bug#21951; Package libtool. (Wed, 18 Nov 2015 11:07:02 GMT) Full text and rfc822 format available.
Acknowledgement sent to Vincent Lefevre <vincent <at> vinc17.net>:
New bug report received and forwarded. Copy sent to bug-libtool <at> gnu.org. (Wed, 18 Nov 2015 11:07:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Vincent Lefevre <vincent <at> vinc17.net>
To: bug-libtool <at> gnu.org
Cc: Paul Zimmermann <Paul.Zimmermann <at> loria.fr>
Subject: [security] libtoolize behavior depends on parent directories
Date: Wed, 18 Nov 2015 12:05:58 +0100

The libtoolize behavior depends on parent directories, which is
a security issue (in addition to surprising behavior) because
files may belong to other users, e.g. if the build is done in
some /tmp subdirectory. I don't know what the other users can
do exactly (in addition to make a build fail), though...

FYI, there was some confusion because we got errors like:

zimmerma <at> tarte:/tmp/mpfr$ ./autogen.sh
autoreconf: Entering directory `.'
autoreconf: configure.ac: not using Gettext
autoreconf: running: aclocal --force --warnings=all -I m4
autoreconf: configure.ac: tracing
autoreconf: running: libtoolize --copy --force
libtoolize: putting macros in AC_CONFIG_MACRO_DIR, `m4'.
libtoolize: copying file `m4/libtool.m4'
libtoolize: copying file `m4/ltoptions.m4'
libtoolize: copying file `m4/ltsugar.m4'
libtoolize: copying file `m4/ltversion.m4'
libtoolize: copying file `m4/lt~obsolete.m4'
autoreconf: running: /usr/bin/autoconf --force --warnings=all
autoreconf: configure.ac: not using Autoheader
autoreconf: running: automake --add-missing --copy --force-missing --warnings=all
configure.ac:275: installing './ar-lib'
configure.ac:270: installing './compile'
configure.ac:55: installing './config.guess'
configure.ac:55: installing './config.sub'
configure.ac:35: installing './install-sh'
configure.ac:486: error: required file './ltmain.sh' not found
[...]

After doing a diff of the libtoolize trace (sh -x ...) between
two different machines, I saw:

 + test -f ./install-sh
 + test -f ./install.sh
 + test -f ../install-sh
 + test -f ../install.sh
-+ auxdir=..
-+ break
-+ test -n ..
++ test -f ../../install-sh
++ test -f ../../install.sh
++ test -n 
++ auxdir=.

which was the cause of the error.

-- 
Vincent Lefèvre <vincent <at> vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
Information forwarded to bug-libtool <at> gnu.org:
bug#21951; Package libtool. (Wed, 18 Nov 2015 11:10:02 GMT) Full text and rfc822 format available.

Message #8 received at 21951 <at> debbugs.gnu.org (full text, mbox):

From: Vincent Lefevre <vincent <at> vinc17.net>
To: 21951 <at> debbugs.gnu.org
Cc: Paul Zimmermann <Paul.Zimmermann <at> loria.fr>
Subject: Re: [security] libtoolize behavior depends on parent directories
Date: Wed, 18 Nov 2015 12:09:37 +0100

I forgot to say that this was on a Debian/unstable machine with:
libtoolize (GNU libtool) 2.4.2

But the source of the latest version 2.4.6 shows the same problem.

-- 
Vincent Lefèvre <vincent <at> vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
Information forwarded to bug-libtool <at> gnu.org:
bug#21951; Package libtool. (Sat, 06 Aug 2016 17:10:02 GMT) Full text and rfc822 format available.

Message #11 received at 21951 <at> debbugs.gnu.org (full text, mbox):

From: Vincent Lefevre <vincent <at> vinc17.net>
To: 21951 <at> debbugs.gnu.org, 805454 <at> bugs.debian.org
Subject: Re: [security] libtoolize behavior depends on parent directories
Date: Sat, 6 Aug 2016 19:09:45 +0200

Could this bug be eventually fixed?

One can compromise other users' account for those who run things
from /tmp subdirectories, e.g.

User1:
  echo "echo Hacked >> ~/.profile" > /tmp/install-sh
  chmod 755 /tmp/install-sh
  cp /tmp/install-sh /tmp/config.guess

User2:
* Have some libtool-based source in /tmp/some_dir
* From this directory, run:
  autoreconf -i
  ./configure

The consequence is that User2 has "Hacked" written at the end of
his .profile file. Of course, one can do much worse...

-- 
Vincent Lefèvre <vincent <at> vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
This bug report was last modified 7 years and 276 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.