
#172 libopts build hardcodes /tmp/ path which is a security issue

autogen
closed
None
1
2015-11-23
2015-11-23
No

The autoopts Makefile.am will always create a libopts tarball, which invokes the pkg/libopts/mklibsrc.sh script, which in turn has a hardcoded path:
exec 2> /tmp/mklibsrc-log.tx

This is a security issue: if someone else creates a symlink there, it could be used to clobber arbitrary files. It should be deleted altogether, use mktemp, or write the output to the same place as the tarball.

reported here:
https://bugs.gentoo.org/show_bug.cgi?id=563352
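As an added example (not autogen's code and not part of the report), the shell check below contrasts the fixed-name redirect from mklibsrc.sh with the mktemp replacement the report suggests, inside a private sandbox directory that stands in for /tmp; the sandbox, the "victim" file and the function names are constructed for the demo.

```shell
#!/bin/sh
# Constructed demonstration (not autogen's code): why a fixed log path in a
# shared directory is unsafe, and the mktemp replacement suggested in the report.

# Vulnerable pattern: the log goes to a fixed, predictable name in a shared
# directory, so whatever already sits at that name (for example a symlink
# placed there by another user) is truncated and receives the writes.
run_build_hardcoded() {       # $1 = directory standing in for /tmp
    ( exec 2> "$1/mklibsrc-log.tx"; echo "build diagnostics" >&2 )
}

# Hardened pattern: mktemp creates a fresh, unpredictable file (mode 0600,
# opened with O_EXCL) and prints its path, so nothing can be pre-planted at
# that name. Writing next to the tarball instead would work the same way.
run_build_mktemp() {          # $1 = directory standing in for /tmp
    logfile=$(mktemp "$1/mklibsrc-log.XXXXXX") || return 1
    ( exec 2> "$logfile"; echo "build diagnostics" >&2 )
    echo "$logfile"
}

# Regression check: a private sandbox plays the role of /tmp, "victim" plays
# a file owned by someone else, and a symlink with the fixed name already
# points at it. Returns 0 when the victim's contents survived the build.
victim_intact() {             # $1 = hardcoded | mktemp
    sandbox=$(mktemp -d) || return 2
    printf 'original contents\n' > "$sandbox/victim"
    ln -s "$sandbox/victim" "$sandbox/mklibsrc-log.tx"
    case $1 in
        hardcoded) run_build_hardcoded "$sandbox" ;;
        mktemp)    run_build_mktemp "$sandbox" > /dev/null ;;
    esac
    [ "$(cat "$sandbox/victim")" = "original contents" ]
    status=$?
    rm -rf "$sandbox"
    return $status
}
```

Running `victim_intact hardcoded` fails (the victim now holds the build diagnostics), while `victim_intact mktemp` succeeds.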

Discussion

  • Mike Frysinger - 2015-11-23

    Hmm, looks like this was fixed in commit f303a1d5d8d8e002974eb64818f74041325f2433, but hasn't made it into a release yet.

  • Bruce Korb - 2015-11-23

    Hmm. Looks like I'll just close this as "works for me".

  • Bruce Korb - 2015-11-23
    • status: open --> closed
    • assigned_to: Bruce Korb

  • Mike Frysinger - 2015-11-23

    You probably want to cut a new release and add a NEWS/ChangeLog entry noting the versions with this security issue in it. As it stands, building the latest versions on a shared system is unsafe.

  • Bruce Korb - 2015-11-23

    OK. It was obviously dinkleberry debug stuff that ought to have been removed years ago....