1140725 – automake: insecure use of /tmp in install-sh

Bug 1140725 - automake: insecure use of /tmp in install-sh

Summary: automake: insecure use of /tmp in install-sh

Keywords:
Status:	CLOSED WONTFIX
Alias:	None
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1140728
TreeView+	depends on / blocked

Reported:	2014-09-11 14:27 UTC by Vasyl Kaigorodov
Modified:	2019-09-29 13:21 UTC (History)
CC List:	5 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2015-08-21 23:45:29 UTC
Embargoed:

Attachments	(Terms of Use)
Firstly create the test directory, then check for mkdir -p (2.81 KB, patch) 2014-09-12 12:51 UTC, Pavel Raiskup	no flags	Details \| Diff
View All

Description Vasyl Kaigorodov 2014-09-11 14:27:12 UTC

It was discovered [1] that there's an issue in how automake handles temp directories.

When the destination directory does not exist, install-sh checks if 
"mkdir -p" works, but it does so in an insecure way. Here are the 
relevant parts of the code:

mkdirprog=${MKDIRPROG-mkdir}
# ...
	    tmpdir=${TMPDIR-/tmp}/ins$RANDOM-$$
	    trap 'ret=$?; rmdir "$tmpdir/d" "$tmpdir" 2>/dev/null; exit $ret' 0

	    if (umask $mkdir_umask &&
		exec $mkdirprog $mkdir_mode -p -- "$tmpdir/d") >/dev/null 2>&1
	    then
# ...
	      rmdir "$tmpdir/d" "$tmpdir"
	    else
# ...

In some shells (such as dash) $RANDOM is not set, so $tmpdir is easily 
predictable. Moreover, "mkdir -p" follows symlinks to existing 
directories. Local attacker can exploit this to create or remove empty 
directories named "d". (But on modern Linux systems this is mitigated by 
the protected_symlinks feature.)

Same code exists in RHEL6 and RHEL7 versions of automake.
Default shell is bash in RHEL, so this is Low priority issue.

[1]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=760455

Comment 1 Pavel Raiskup 2014-09-12 12:51:12 UTC

Created attachment 936942 [details]
Firstly create the test directory, then check for mkdir -p

Thanks for forwarding this bug report.  Would attached patch resolve your
concerns?  I'll forward this discussion upstream afterwards.  Note that
as this is in automake from cca 2006, applying this downstream only would
result just only in unnecessary risk.

Why I think the fix should be OK:

- this is all about low prio check, if attacker is able to guess the test
  directory, we simply fail the check and install-sh is not going to use
  'mkdir -p' (will step-by-step directory creation)

- once $tmpdir is created, we know that nobody should be able to write to that
  directory (note the $mkdir_umask) and create nasty symlinks or whatever

- using $RANDOM now should not hurt even in dash - when $RANDOM is empty (or
  having some non-random value), it just increases the chance of collision

- sadly, another process (mkdir) was needed

Thanks for any comments,
Pavel

Comment 2 jwilk 2014-11-17 19:46:11 UTC

Original reporter here.
The patch looks good to me, thanks!

Comment 5 Pavel Raiskup 2015-04-30 08:19:21 UTC

Upstream proposal:
http://www.mail-archive.com/automake-patches@gnu.org/msg07704.html

Note You need to log in before you can comment on or make changes to this bug.