X-Loop: help-debbugs@HIDDEN
Subject: bug#21951: [security] libtoolize behavior depends on parent directories
Resent-From: Vincent Lefevre <vincent@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: bug-libtool@HIDDEN
Resent-Date: Wed, 18 Nov 2015 11:07:02 +0000
Resent-Message-ID: <handler.21951.B.144784477812466 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
X-GNU-PR-Message: report 21951
X-GNU-PR-Package: libtool
X-GNU-PR-Keywords:
To: 21951 <at> debbugs.gnu.org
Cc: Paul Zimmermann <Paul.Zimmermann@HIDDEN>
X-Debbugs-Original-To: bug-libtool@HIDDEN
Received: via spool by submit <at> debbugs.gnu.org id=B.144784477812466
(code B ref -1); Wed, 18 Nov 2015 11:07:02 +0000
Received: (at submit) by debbugs.gnu.org; 18 Nov 2015 11:06:18 +0000
Received: from localhost ([127.0.0.1]:42418 helo=debbugs.gnu.org)
by debbugs.gnu.org with esmtp (Exim 4.80)
(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
id 1Zz0Z7-0003F0-CX
for submit <at> debbugs.gnu.org; Wed, 18 Nov 2015 06:06:17 -0500
Received: from eggs.gnu.org ([208.118.235.92]:49117)
by debbugs.gnu.org with esmtp (Exim 4.80)
(envelope-from <vincent@HIDDEN>) id 1Zz0Z5-0003Es-G0
for submit <at> debbugs.gnu.org; Wed, 18 Nov 2015 06:06:15 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
(envelope-from <vincent@HIDDEN>) id 1Zz0Z4-00031c-4O
for submit <at> debbugs.gnu.org; Wed, 18 Nov 2015 06:06:15 -0500
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org
X-Spam-Level:
X-Spam-Status: No, score=0.8 required=5.0 tests=BAYES_50 autolearn=disabled
version=3.3.2
Received: from lists.gnu.org ([2001:4830:134:3::11]:45515)
by eggs.gnu.org with esmtp (Exim 4.71)
(envelope-from <vincent@HIDDEN>) id 1Zz0Z3-00031Y-WB
for submit <at> debbugs.gnu.org; Wed, 18 Nov 2015 06:06:14 -0500
Received: from eggs.gnu.org ([2001:4830:134:3::10]:59091)
by lists.gnu.org with esmtp (Exim 4.71)
(envelope-from <vincent@HIDDEN>) id 1Zz0Z2-0003yh-St
for bug-libtool@HIDDEN; Wed, 18 Nov 2015 06:06:13 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
(envelope-from <vincent@HIDDEN>) id 1Zz0Yw-00030W-NI
for bug-libtool@HIDDEN; Wed, 18 Nov 2015 06:06:12 -0500
Received: from ioooi.vinc17.net ([92.243.22.117]:53560)
by eggs.gnu.org with esmtp (Exim 4.71)
(envelope-from <vincent@HIDDEN>) id 1Zz0Yw-0002za-Gm
for bug-libtool@HIDDEN; Wed, 18 Nov 2015 06:06:06 -0500
Received: from smtp-zira.vinc17.net (128.119.75.86.rev.sfr.net [86.75.119.128])
by ioooi.vinc17.net (Postfix) with ESMTPSA id 471AA322;
Wed, 18 Nov 2015 12:05:58 +0100 (CET)
Received: by zira.vinc17.org (Postfix, from userid 1000)
id 1DF2EC2026E; Wed, 18 Nov 2015 12:05:58 +0100 (CET)
Date: Wed, 18 Nov 2015 12:05:58 +0100
From: Vincent Lefevre <vincent@HIDDEN>
Message-ID: <20151118110558.GA26362@HIDDEN>
Mail-Followup-To: Vincent Lefevre <vincent@HIDDEN>, bug-libtool@HIDDEN,
Paul Zimmermann <Paul.Zimmermann@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
X-Mailer-Info: https://www.vinc17.net/mutt/
User-Agent: Mutt/1.5.24-6524-vl-r83103 (2015-11-09)
Content-Transfer-Encoding: quoted-printable
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x
X-detected-operating-system: by eggs.gnu.org: Error: Malformed IPv6 address
(bad octet value).
X-Received-From: 2001:4830:134:3::11
X-Spam-Score: -5.0 (-----)
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>,
<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>,
<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -5.0 (-----)
The libtoolize behavior depends on parent directories, which is
a security issue (in addition to surprising behavior) because
files may belong to other users, e.g. if the build is done in
some /tmp subdirectory. I don't know what the other users can
do exactly (in addition to make a build fail), though...
FYI, there was some confusion because we got errors like:
zimmerma@tarte:/tmp/mpfr$ ./autogen.sh
autoreconf: Entering directory `.'
autoreconf: configure.ac: not using Gettext
autoreconf: running: aclocal --force --warnings=3Dall -I m4
autoreconf: configure.ac: tracing
autoreconf: running: libtoolize --copy --force
libtoolize: putting macros in AC_CONFIG_MACRO_DIR, `m4'.
libtoolize: copying file `m4/libtool.m4'
libtoolize: copying file `m4/ltoptions.m4'
libtoolize: copying file `m4/ltsugar.m4'
libtoolize: copying file `m4/ltversion.m4'
libtoolize: copying file `m4/lt~obsolete.m4'
autoreconf: running: /usr/bin/autoconf --force --warnings=3Dall
autoreconf: configure.ac: not using Autoheader
autoreconf: running: automake --add-missing --copy --force-missing --warn=
ings=3Dall
configure.ac:275: installing './ar-lib'
configure.ac:270: installing './compile'
configure.ac:55: installing './config.guess'
configure.ac:55: installing './config.sub'
configure.ac:35: installing './install-sh'
configure.ac:486: error: required file './ltmain.sh' not found
[...]
After doing a diff of the libtoolize trace (sh -x ...) between
two different machines, I saw:
+ test -f ./install-sh
+ test -f ./install.sh
+ test -f ../install-sh
+ test -f ../install.sh
-+ auxdir=3D..
-+ break
-+ test -n ..
++ test -f ../../install-sh
++ test -f ../../install.sh
++ test -n=20
++ auxdir=3D.
which was the cause of the error.
--=20
Vincent Lef=E8vre <vincent@HIDDEN> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
Content-Disposition: inline Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-Mailer: MIME-tools 5.503 (Entity 5.503) Content-Type: text/plain; charset=utf-8 X-Loop: help-debbugs@HIDDEN From: help-debbugs@HIDDEN (GNU bug Tracking System) To: Vincent Lefevre <vincent@HIDDEN> Subject: bug#21951: Acknowledgement ([security] libtoolize behavior depends on parent directories) Message-ID: <handler.21951.B.144784477812466.ack <at> debbugs.gnu.org> References: <20151118110558.GA26362@HIDDEN> X-Gnu-PR-Message: ack 21951 X-Gnu-PR-Package: libtool Reply-To: 21951 <at> debbugs.gnu.org Date: Wed, 18 Nov 2015 11:07:02 +0000 Thank you for filing a new bug report with debbugs.gnu.org. This is an automatically generated reply to let you know your message has been received. Your message is being forwarded to the package maintainers and other interested parties for their attention; they will reply in due course. Your message has been sent to the package maintainer(s): bug-libtool@HIDDEN If you wish to submit further information on this problem, please send it to 21951 <at> debbugs.gnu.org. Please do not send mail to help-debbugs@HIDDEN unless you wish to report a problem with the Bug-tracking system. --=20 21951: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=3D21951 GNU Bug Tracking System Contact help-debbugs@HIDDEN with problems
X-Loop: help-debbugs@HIDDEN
Subject: bug#21951: [security] libtoolize behavior depends on parent directories
Resent-From: Vincent Lefevre <vincent@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: bug-libtool@HIDDEN
Resent-Date: Wed, 18 Nov 2015 11:10:02 +0000
Resent-Message-ID: <handler.21951.B21951.144784499812808 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
X-GNU-PR-Message: followup 21951
X-GNU-PR-Package: libtool
X-GNU-PR-Keywords:
To: 21951 <at> debbugs.gnu.org
Cc: Paul Zimmermann <Paul.Zimmermann@HIDDEN>
Received: via spool by 21951-submit <at> debbugs.gnu.org id=B21951.144784499812808
(code B ref 21951); Wed, 18 Nov 2015 11:10:02 +0000
Received: (at 21951) by debbugs.gnu.org; 18 Nov 2015 11:09:58 +0000
Received: from localhost ([127.0.0.1]:42423 helo=debbugs.gnu.org)
by debbugs.gnu.org with esmtp (Exim 4.80)
(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
id 1Zz0cg-0003KW-Ft
for submit <at> debbugs.gnu.org; Wed, 18 Nov 2015 06:09:58 -0500
Received: from ioooi.vinc17.net ([92.243.22.117]:51823)
by debbugs.gnu.org with esmtp (Exim 4.80)
(envelope-from <vincent@HIDDEN>) id 1Zz0cM-0003K5-PS
for 21951 <at> debbugs.gnu.org; Wed, 18 Nov 2015 06:09:57 -0500
Received: from smtp-zira.vinc17.net (128.119.75.86.rev.sfr.net [86.75.119.128])
by ioooi.vinc17.net (Postfix) with ESMTPSA id 47373322;
Wed, 18 Nov 2015 12:09:37 +0100 (CET)
Received: by zira.vinc17.org (Postfix, from userid 1000)
id 21672C2026E; Wed, 18 Nov 2015 12:09:37 +0100 (CET)
Date: Wed, 18 Nov 2015 12:09:37 +0100
From: Vincent Lefevre <vincent@HIDDEN>
Message-ID: <20151118110937.GG6417@HIDDEN>
References: <20151118110558.GA26362@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <20151118110558.GA26362@HIDDEN>
X-Mailer-Info: https://www.vinc17.net/mutt/
User-Agent: Mutt/1.5.24-6524-vl-r83103 (2015-11-09)
X-Spam-Score: -0.6 (/)
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>,
<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>,
<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -0.6 (/)
I forgot to say that this was on a Debian/unstable machine with:
libtoolize (GNU libtool) 2.4.2
But the source of the latest version 2.4.6 shows the same problem.
--
Vincent Lefèvre <vincent@HIDDEN> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
X-Loop: help-debbugs@HIDDEN
Subject: bug#21951: [security] libtoolize behavior depends on parent directories
Resent-From: Vincent Lefevre <vincent@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: bug-libtool@HIDDEN
Resent-Date: Sat, 06 Aug 2016 17:10:02 +0000
Resent-Message-ID: <handler.21951.B21951.147050339012981 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
X-GNU-PR-Message: followup 21951
X-GNU-PR-Package: libtool
X-GNU-PR-Keywords:
To: 21951 <at> debbugs.gnu.org, 805454@HIDDEN
Received: via spool by 21951-submit <at> debbugs.gnu.org id=B21951.147050339012981
(code B ref 21951); Sat, 06 Aug 2016 17:10:02 +0000
Received: (at 21951) by debbugs.gnu.org; 6 Aug 2016 17:09:50 +0000
Received: from localhost ([127.0.0.1]:58118 helo=debbugs.gnu.org)
by debbugs.gnu.org with esmtp (Exim 4.84_2)
(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
id 1bW56b-0003NJ-Qj
for submit <at> debbugs.gnu.org; Sat, 06 Aug 2016 13:09:49 -0400
Received: from ioooi.vinc17.net ([92.243.22.117]:58087)
by debbugs.gnu.org with esmtp (Exim 4.84_2)
(envelope-from <vincent@HIDDEN>) id 1bW56Z-0003N9-0A
for 21951 <at> debbugs.gnu.org; Sat, 06 Aug 2016 13:09:48 -0400
Received: from smtp-zira.vinc17.net (128.119.75.86.rev.sfr.net [86.75.119.128])
by ioooi.vinc17.net (Postfix) with ESMTPSA id 5AA4669B;
Sat, 6 Aug 2016 19:09:45 +0200 (CEST)
Received: by zira.vinc17.org (Postfix, from userid 1000)
id 34F73C25C66; Sat, 6 Aug 2016 19:09:45 +0200 (CEST)
Date: Sat, 6 Aug 2016 19:09:45 +0200
From: Vincent Lefevre <vincent@HIDDEN>
Message-ID: <20160806170945.GA7066@HIDDEN>
References: <20151118110558.GA26362@HIDDEN>
<20151118110937.GG6417@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <20151118110937.GG6417@HIDDEN>
X-Mailer-Info: https://www.vinc17.net/mutt/
User-Agent: Mutt/1.6.2-6749-vl-r90618 (2016-08-02)
X-Spam-Score: -1.2 (-)
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>,
<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>,
<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.2 (-)
Could this bug be eventually fixed?
One can compromise other users' account for those who run things
from /tmp subdirectories, e.g.
User1:
echo "echo Hacked >> ~/.profile" > /tmp/install-sh
chmod 755 /tmp/install-sh
cp /tmp/install-sh /tmp/config.guess
User2:
* Have some libtool-based source in /tmp/some_dir
* From this directory, run:
autoreconf -i
./configure
The consequence is that User2 has "Hacked" written at the end of
his .profile file. Of course, one can do much worse...
--
Vincent Lefèvre <vincent@HIDDEN> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997 nCipher Corporation Ltd,
1994-97 Ian Jackson.