Bug#911877: crossroads: package build vulnerable to /tmp
Source: crossroads
Version: 2.81-2
Severity: serious
Tags: security
crossroads's xr/Makefile has:
| $(BINDIR)/xr: $(BIN)
| cp $(BIN) $(TMPXR)
| install $(TMPXR) $(BINDIR)/xr
| rm -f $(TMPXR)
where
| TMPXR = /tmp/xr-$(shell whoami)
Jakub Wilk observed that a malicious user could create /tmp/xr-root as a
directory with mode 777 and replace the directory with an arbitrary file
after the cp (via inotify) thus injecting an arbitrary binary into the
build.
Helmut
Reply to: