| Anonymous | Login | Signup for a new account | 2010-02-09 02:49 EST |
| Main | My View | View Issues | Change Log | Roadmap | Docs |
| Viewing Issue Simple Details [ Jump to Notes ] | [ View Advanced ] [ Issue History ] [ Print ] | ||||||||
| ID | Category | Severity | Reproducibility | Date Submitted | Last Update | ||||
| 0008083 | [GCC-XML] | minor | always | 2008-11-12 15:34 | 2009-09-22 09:17 | ||||
| Reporter | Craig_G | View Status | public | ||||||
| Assigned To | brad.king | ||||||||
| Priority | normal | Resolution | fixed | ||||||
| Status | closed | ||||||||
| Summary | 0008083: MIPSpro/find_flags symlink attack vector (CVE-2008-4957) | ||||||||
| Description |
CVE-2008-4957 Published: 05-11-2008 Updated: 07-11-2008 Product: gccxml: gccxml 0.9.0 Severity: Medium (6.9) CVSS vector: (AV:L/AC:M/Au:N/C:C/I:C/A:C) Attack`s vector: Localy exploitable Potential loss type: Integrity, Confidentiality, Availability Vulnerability description: find_flags in gccxml 0.9.0 allows local users to overwrite arbitrary files via a symlink attack on a /tmp/*.cxx temporary file. There are more issues: Sun/find_flags: cat > "/tmp/gccxml_identify_compiler$GCCXML_PID.cc" <<! gccxml_find_flags: cat > "/tmp/gccxml_identify_compiler$GCCXML_PID.cc" <<! |
||||||||
| Additional Information | These are confirmed to work, there is a suggested fix in: https://bugs.gentoo.org/show_bug.cgi?id=245765 [^] | ||||||||
| Tags | No tags attached. | ||||||||
| Attached Files | |||||||||
|
|
|||||||||
 Relationships |
|
|
Notes |
|
|
(0014094) brad.king (manager) 2008-11-12 15:42 |
The fix suggested there is also shot down. How can I generate a unique, unpredictable temp file with a .cc extension from a shell script on SGI? |
|
(0014351) brad.king (manager) 2008-12-15 15:28 |
I think the problem is only in Support/gccxml_find_flags and not Support/*/find_flags I've committed a fix to the former: /cvsroot/GCC_XML/gccxml/GCC_XML/Support/gccxml_find_flags,v <-- GCC_XML/Support/gccxml_find_flags new revision: 1.4; previous revision: 1.3 /cvsroot/GCC_XML/gccxml/GCC_XML/Support/gccxml_identify_compiler.cc,v <-- GCC_XML/Support/gccxml_identify_compiler.cc initial revision: 1.1 which avoids executing code out of /tmp altogether. However, I do not see any problem with the latter (per-compiler find_flags scripts). They just perform string processing. I would be happy to use a more random way to generate the /tmp file names in the other scripts if someone can tell me what is SGI's equivalent of 'mktemp'. |
|
(0017694) brad.king (manager) 2009-09-22 08:55 |
The problem in MIPSpro/find_flags was never fixed. It was reported again in Debian's tracker: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496391 [^] The real problem is that while the script only performs string processing, the results are passed as command-line arguments later. This enables the standard back-tick evaluation attack. |
|
(0017695) brad.king (manager) 2009-09-22 09:16 |
I've committed a fix for the MIPSpro script: Teach MIPSpro/find_flags to avoid working in /tmp /cvsroot/GCC_XML/gccxml/GCC_XML/Support/MIPSpro/find_flags,v <-- GCC_XML/Support/MIPSpro/find_flags new revision: 1.6; previous revision: 1.5 /cvsroot/GCC_XML/gccxml/GCC_XML/Support/MIPSpro/mipspro_defs.cxx,v <-- GCC_XML/Support/MIPSpro/mipspro_defs.cxx initial revision: 1.1 |
|
Issue History |
|||
| Date Modified | Username | Field | Change |
| 2008-11-12 15:34 | Craig_G | New Issue | |
| 2008-11-12 15:42 | brad.king | Note Added: 0014094 | |
| 2008-12-15 15:28 | brad.king | Note Added: 0014351 | |
| 2008-12-15 15:29 | brad.king | Status | new => closed |
| 2008-12-15 15:29 | brad.king | Resolution | open => fixed |
| 2009-09-22 08:45 | brad.king | Status | closed => assigned |
| 2009-09-22 08:45 | brad.king | Assigned To | => brad.king |
| 2009-09-22 08:55 | brad.king | Note Added: 0017694 | |
| 2009-09-22 09:16 | brad.king | Note Added: 0017695 | |
| 2009-09-22 09:17 | brad.king | Status | assigned => closed |
| Mantis 1.1.4[^] Copyright © 2000 - 2008 Mantis Group |  |
