Bug 152666

Summary: Symlink Vulnerability in GNU libtool <1.5.2
Product: [Retired] Fedora Legacy Reporter: Jesse Keating <jkeating>
Component: Package requestAssignee: Fedora Legacy Bugs <bugs>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: rostetter
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description David Lawrence 2005-03-30 23:23:16 UTC 
The chmod has a race (that access to the temporary directory could be gained
after it is created but before it is chmoded).  There are patches out there, see:
http://www.redhat.com/archives/fedora-legacy-list/2004-February/msg00109.html



------- Additional Comments From jkeating 2004-02-08 09:26:00 ----

I'll be building this today.



------- Additional Comments From jkeating 2004-02-08 12:04:47 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
 
I've rebuild the 7.2-8.0 packages with this patch, although I had to
slightly modify the patch to use $mkdir -p rather than just $mkdir.
This is due to another patch that Red Hat includes that uses mktemp.
 
Patch:
http://geek.j2solutions.net/rpms/legacy/libtool/libtool-1.4-symlinkfix.patch
 
RH 7.2:
http://geek.j2solutions.net/rpms/legacy/libtool/7.2/libtool-1.4-9.legacy.src.rpm
http://geek.j2solutions.net/rpms/legacy/libtool/7.2/libtool-1.4-9.legacy.i386.rpm
http://geek.j2solutions.net/rpms/legacy/libtool/7.2/libtool-libs-1.4-9.legacy.i386.rpm
 
RH 7.3:
http://geek.j2solutions.net/rpms/legacy/libtool/7.3/libtool-1.4.2-13.legacy.src.rpm
http://geek.j2solutions.net/rpms/legacy/libtool/7.3/libtool-1.4.2-13.legacy.i386.rpm
http://geek.j2solutions.net/rpms/legacy/libtool/7.3/libtool-libs-1.4.2-13.legacy.i386.rpm
 
RH 8.0:
http://geek.j2solutions.net/rpms/legacy/libtool/8.0/libtool-1.4.2-14.legacy.src.rpm
http://geek.j2solutions.net/rpms/legacy/libtool/8.0/libtool-1.4.2-14.legacy.i386.rpm
http://geek.j2solutions.net/rpms/legacy/libtool/8.0/libtool-libs-1.4.2-14.legacy.i386.rpm
 
sha1sums:
http://geek.j2solutions.net/rpms/legacy/libtool/sha1sums
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
 
iD8DBQFAJrT04v2HLvE71NURAog+AJ0QBfEVNLBjK3oNZTBhiUTONQ/OtACgjMe+
8IPzEdI/VMSPelTlsdzr1OQ=
=RdbX
-----END PGP SIGNATURE-----



------- Additional Comments From michal 2004-02-08 14:24:08 ----

WORKSFORME on RH73 (and libtool-1.3.5 with the same fix on RH71).
In particular it can be used to recreate rpms of itself.  The fix
is quite trivial anyway.



------- Additional Comments From bugs.michael 2004-02-08 14:43:19 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

rh73: ++PUBLISH

fc6c71b560cec26ada717c3be9ffd79a  libtool-1.4.2-13.legacy.src.rpm
22e8f4c88613aa9040c5a655a12ec4ce  libtool-1.4-symlinkfix.patch

* sources have not changed
* src.rpm has good signature
* diff against 1.4.2-7 src.rpm looks good
* builds, upgrades/installs and erases fine (rh73)
* missing autotools warnings are harmless
* disabled "make check" passes all tests

* fix is syntactically and semantically correct
* patch has been reviewed: With default configuration, libtool from
  Red Hat Linux is modified to run mktemp to create the temporary
  directory safely. The security fix is only necessary for the case
  that mktemp would fail.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFAJtna0iMVcrivHFQRAnJbAJ4uFfuAPd2vkrAH6qCqiMevV9PJLQCfe7BA
MxEx43H+qXnJRNWpnpSnYb4=
=pf7v
-----END PGP SIGNATURE-----




------- Additional Comments From bugs.michael 2004-02-08 14:53:15 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

(I'm lame, MD5 instead of SHA1 in previous comment)

SHA1:

b50554090e9b35392c2be5188461a586d6065cb9  libtool-1.4.2-13.legacy.src.rpm
8fa24d21e6449e710387900b8902a85c2835aaca  libtool-1.4-symlinkfix.patch

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFAJtxW0iMVcrivHFQRAhLvAJ9M/fY9TRH48XnzDnPyDaZTiXMBXACfUUtU
JGVatoaBJl5I/a0+kQRzq30=
=262U
-----END PGP SIGNATURE-----




------- Additional Comments From jkeating 2004-03-04 18:54:07 ----

Pushed to updates-testing.



------- Additional Comments From jpdalbec 2004-03-10 07:28:53 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

++VERIFY RH 7.3

705a844d64e11e4c7d13d70e2b7957bbb403a33f  libtool-1.4.2-13.legacy.i386.rpm
815821f416de6969939854dfa1a9215a93408040  libtool-libs-1.4.2-13.legacy.i386.rpm
a27699e22525617ba294320adaa58838bb7a6535  metamail-2.7-29.7.x.legacy.i386.rpm

* ldd output matches for all packages
* metamail passes basic functional tests (mimencode, attachment extraction)

I got a strange message from metamail, but it looks like this was caused by
the fact that wvHtml modifies /etc/mailcap on installation, but doesn't remove
the changes on uninstallation.
metamail output:
- ---
This message contains 'application/msword'-format data.
Do you want to view it using the 'mm.dWwOqN"' command (y/n) [y] ? n
- ---
/etc/mailcap entry:
- ---
application/msword; ns="%s"; tmp=`mktemp -q /tmp/${ns}.XXXXXX`; \
    /usr/bin/wvHtml "${ns}" -o ${tmp}; \
    netscape "file:${tmp}"; /bin/rm -f "${tmp}"
- ---
I guess the "command" string is coming from "file:${tmp}"?

* shadow-utils RPM builds OK with new libtool package - it uses libtoolize,
  --mode=compile, --mode=link, and --mode=install.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFAT1AUJL4A+ldA7asRAp6QAJ0Z71bfwTThwdF/3wzPgjpUoVx4UACguK+w
u8TdSM6Mbaw6iT0CG7x+m7U=
=3J6N
-----END PGP SIGNATURE-----




------- Additional Comments From jpdalbec 2004-03-29 08:48:38 ----

Created an attachment (id=612)
libtool summary file differences

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

++VERIFY RH 8.0

96d900b337cab85040da9062593a43fee24849c1 libtool-1.4.2-14.legacy.i386.rpm
e39aa95f8a3a643bb9d5ea707b11b65868a2e3b7 libtool-libs-1.4.2-14.legacy.i386.rpm

* shadow-utils builds OK
* no ldd differences
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFAaG8jJL4A+ldA7asRAtDPAJ9DzPdLfxEV2UT54tujJQ42BQzfXQCffiKR
zkDZK55XHk6krjj4mkw13mk=
=S6PH
-----END PGP SIGNATURE-----




------- Additional Comments From rostetter.edu 2004-04-05 11:01:00 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
I downloaded and installed the RH 8.0 updates-testing rpms for
openssl (i686), openssl-devel, libtool, and libtool-libs.
 
I've not tested the libtool stuff heavily, but in limited testing
I've seen no problems.
 
The openssl stuff is taking a beating (https, pop3/ssl, imap/ssl,
ssh, etc on a very busy system) and is holding up fine with no
problems seen.
 
My vote is to publish these packages RH 8.0 asap.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
 
iD8DBQFAccgm4jZRbknHoPIRAkChAJ9jcJKF6ai3jASh4OtbtGjsTlmVZwCeIDyE
tqvl9To3p9mWuZCTmhQrEmg=
=+jKC
-----END PGP SIGNATURE-----




------- Bug moved to this database by dkl 2005-03-30 18:23 -------

This bug previously known as bug 1268 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=1268
Originally filed under the Fedora Legacy product and Package request component.

Attachments:
libtool summary file differences
https://bugzilla.fedora.us/attachment.cgi?action=view&id=612

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Unknown severity minor. Setting to default severity "normal".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.