[FYI] {maint} distcheck: never make part of $(distdir) world-writable

automake-patches

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FYI] {maint} distcheck: never make part of $(distdir) world-writable

From:	Stefano Lattarini
Subject:	[FYI] {maint} distcheck: never make part of $(distdir) world-writable
Date:	Mon, 9 Jul 2012 18:14:58 +0200

This fixes a locally-exploitable security vulnerability (CVE-2012-3386).

In the 'distcheck' rule, we used to make the just-extracted (from
the distribution tarball) $(distdir) directory and all its files and
subdirectories read-only; then, in order to create the '_inst' and
'_build' subdirectories in there (used by the rest of the recipe) we
made the top-level $(distdir) *world-writable* for an instant (the
time to create those two directories) before making it read-only
again.

Making that directory world-writable (albeit only briefly) introduced a
locally exploitable race condition for those who run "make distcheck" with
a non-restrictive umask (e.g., 022) in a directory that is accessible by
others.  A successful exploit would result in arbitrary code execution
with the privileges of the user running "make distcheck" -- game over.
Jim Meyering wrote a proof-of-concept script showing that such exploit is
easily implemented.

This issue is similar to the CVE-2009-4029 vulnerability:
<http://lists.gnu.org/archive/html/automake/2009-12/msg00012.html>

* lib/am/distdir.am (distcheck): Don't make $(distdir) world-writable,
not even for an instant; make it user-writable instead, which is enough.

Helped-By: Jim Meyering <address@hidden>
Signed-off-by: Stefano Lattarini <address@hidden>
---
 NEWS              |    9 +++++++++
 lib/am/distdir.am |    2 +-
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/NEWS b/NEWS
index ee16961..4975e8e 100644
--- a/NEWS
+++ b/NEWS
@@ -92,6 +92,15 @@ New in 1.12.2:
 
 Bugs fixed in 1.12.2:
 
+* SECURITY VULNERABILITIES!
+
+  - The recipe of the 'distcheck' no longer grants anymore temporary
+    world-wide write permissions on the extracted distdir.  Even if such
+    rights were only granted for a vanishingly small time window, the
+    implied race condition proved to be enough to allow a local attacker
+    to run arbitrary code with the privileges of the user running "make
+    distcheck".  This is CVE-2012-3386.
+
 * Long-standing bugs:
 
   - The "recheck" targets behaves better in the face of build failures
diff --git a/lib/am/distdir.am b/lib/am/distdir.am
index e27b650..f636a1e 100644
--- a/lib/am/distdir.am
+++ b/lib/am/distdir.am
@@ -449,7 +449,7 @@ distcheck: dist
 ## Make the new source tree read-only.  Distributions ought to work in
 ## this case.  However, make the top-level directory writable so we
 ## can make our new subdirs.
-       chmod -R a-w $(distdir); chmod a+w $(distdir)
+       chmod -R a-w $(distdir); chmod u+w $(distdir)
        mkdir $(distdir)/_build
        mkdir $(distdir)/_inst
 ## Undo the write access.
-- 
1.7.9.5

[Prev in Thread]

Current Thread

[Next in Thread]

[FYI] {maint} distcheck: never make part of $(distdir) world-writable, Stefano Lattarini <=
- Re: [FYI] {maint} distcheck: never make part of $(distdir) world-writable, Jim Meyering, 2012/07/09

Prev by Date: Re: GNU Automake 1.12.1 released
Next by Date: [FYI] {maint} release: stable release 1.12.2
Previous by thread: [PATCH] {maint} fixup: t/README: it's ./runtest, not ./t/ax/runtest
Next by thread: Re: [FYI] {maint} distcheck: never make part of $(distdir) world-writable
Index(es):
- Date
- Thread