Bug#911877: crossroads: package build vulnerable to /tmp

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#911877: crossroads: package build vulnerable to /tmp
From: Helmut Grohne <helmut@subdivi.de>
Date: Thu, 25 Oct 2018 20:26:34 +0200
Message-id: <[🔎] 20181025182633.GA12204@alf.mars>
Reply-to: Helmut Grohne <helmut@subdivi.de>, 911877@bugs.debian.org

Source: crossroads
Version: 2.81-2
Severity: serious
Tags: security

crossroads's xr/Makefile has:

| $(BINDIR)/xr: $(BIN)
| 	cp $(BIN) $(TMPXR)
| 	install $(TMPXR) $(BINDIR)/xr
| 	rm -f $(TMPXR)

where

| TMPXR         = /tmp/xr-$(shell whoami)

Jakub Wilk observed that a malicious user could create /tmp/xr-root as a
directory with mode 777 and replace the directory with an arbitrary file
after the cp (via inotify) thus injecting an arbitrary binary into the
build.

Helmut

Reply to:

Prev by Date: Bug#911836: pytest-localserver: autopkgtest needs update for new version of openssl
Next by Date: Processed: tagging 911877
Previous by thread: Bug#911836: pytest-localserver: autopkgtest needs update for new version of openssl
Next by thread: Processed: tagging 911877
Index(es):
- Date
- Thread