Mantis - GCC-XML
Viewing Issue Advanced Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
8083 minor always 2008-11-12 15:34 2009-09-22 09:17
Reporter: Craig_G Platform:  
Assigned To: Brad King OS:  
Priority: normal OS Version:  
Status: closed Product Version:  
Product Build: Resolution: fixed  
Projection: none      
ETA: none Fixed in Version:  
Summary: 0008083: MIPSpro/find_flags symlink attack vector (CVE-2008-4957)
Description: CVE-2008-4957

Published: 05-11-2008
Updated: 07-11-2008

Product:
gccxml: gccxml 0.9.0

Severity: Medium (6.9)

CVSS vector: (AV:L/AC:M/Au:N/C:C/I:C/A:C)

Attack`s vector: Localy exploitable

Potential loss type: Integrity, Confidentiality, Availability

Vulnerability description:
find_flags in gccxml 0.9.0 allows local users to overwrite arbitrary files via a symlink attack on a /tmp/*.cxx temporary file.


There are more issues:

Sun/find_flags:
cat > "/tmp/gccxml_identify_compiler$GCCXML_PID.cc" <<!

gccxml_find_flags:
cat > "/tmp/gccxml_identify_compiler$GCCXML_PID.cc" <<!
Steps To Reproduce:
Additional Information: These are confirmed to work, there is a suggested fix in: https://bugs.gentoo.org/show_bug.cgi?id=245765 [^]
Relationships
Attached Files:
Issue History
Date Modified Username Field Change
2008-11-12 15:34 Craig_G New Issue
2008-11-12 15:42 Brad King Note Added: 0014094
2008-12-15 15:28 Brad King Note Added: 0014351
2008-12-15 15:29 Brad King Status new => closed
2008-12-15 15:29 Brad King Resolution open => fixed
2009-09-22 08:45 Brad King Status closed => assigned
2009-09-22 08:45 Brad King Assigned To => Brad King
2009-09-22 08:55 Brad King Note Added: 0017694
2009-09-22 09:16 Brad King Note Added: 0017695
2009-09-22 09:17 Brad King Status assigned => closed

Notes
(0014094)
Brad King   
2008-11-12 15:42   
The fix suggested there is also shot down. How can I generate a unique, unpredictable temp file with a .cc extension from a shell script on SGI?
(0014351)
Brad King   
2008-12-15 15:28   
I think the problem is only in

  Support/gccxml_find_flags

and not

  Support/*/find_flags

I've committed a fix to the former:

/cvsroot/GCC_XML/gccxml/GCC_XML/Support/gccxml_find_flags,v <-- GCC_XML/Support/gccxml_find_flags
new revision: 1.4; previous revision: 1.3
/cvsroot/GCC_XML/gccxml/GCC_XML/Support/gccxml_identify_compiler.cc,v <-- GCC_XML/Support/gccxml_identify_compiler.cc
initial revision: 1.1

which avoids executing code out of /tmp altogether.

However, I do not see any problem with the latter (per-compiler find_flags scripts). They just perform string processing.

I would be happy to use a more random way to generate the /tmp file names in the other scripts if someone can tell me what is SGI's equivalent of 'mktemp'.
(0017694)
Brad King   
2009-09-22 08:55   
The problem in MIPSpro/find_flags was never fixed.
It was reported again in Debian's tracker:

  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496391 [^]

The real problem is that while the script only performs string processing, the results are passed as command-line arguments later. This enables the standard back-tick evaluation attack.
(0017695)
Brad King   
2009-09-22 09:16   
I've committed a fix for the MIPSpro script:

Teach MIPSpro/find_flags to avoid working in /tmp
/cvsroot/GCC_XML/gccxml/GCC_XML/Support/MIPSpro/find_flags,v <-- GCC_XML/Support/MIPSpro/find_flags
new revision: 1.6; previous revision: 1.5
/cvsroot/GCC_XML/gccxml/GCC_XML/Support/MIPSpro/mipspro_defs.cxx,v <-- GCC_XML/Support/MIPSpro/mipspro_defs.cxx
initial revision: 1.1