View Issue Details

ID: 0008083
Project: GCC-XML
Category: (none)
View Status: public
Date Submitted: 2008-11-12 15:34
Last Update: 2009-09-22 09:17
Reporter: Craig_G
Assigned To: Brad King
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Platform / OS / OS Version: (not specified)
Summary: 0008083: MIPSpro/find_flags symlink attack vector (CVE-2008-4957)

Description: CVE-2008-4957

Published: 05-11-2008
Updated: 07-11-2008

Product:
gccxml: gccxml 0.9.0

Severity: Medium (6.9)

CVSS vector: (AV:L/AC:M/Au:N/C:C/I:C/A:C)

Attack vector: Locally exploitable

Potential loss type: Integrity, Confidentiality, Availability

Vulnerability description:
find_flags in gccxml 0.9.0 allows local users to overwrite arbitrary files via a symlink attack on a /tmp/*.cxx temporary file.


There are more issues:

Sun/find_flags:
cat > "/tmp/gccxml_identify_compiler$GCCXML_PID.cc" <<!

gccxml_find_flags:
cat > "/tmp/gccxml_identify_compiler$GCCXML_PID.cc" <<!
Additional Information: These are confirmed to work; there is a suggested fix in https://bugs.gentoo.org/show_bug.cgi?id=245765
Tags: No tags attached.

Notes
(0014094)
Brad King (manager)
2008-11-12 15:42

The fix suggested there is also shot down. How can I generate a unique, unpredictable temp file with a .cc extension from a shell script on SGI?
(0014351)
Brad King (manager)
2008-12-15 15:28

I think the problem is only in

  Support/gccxml_find_flags

and not

  Support/*/find_flags

I've committed a fix to the former:

/cvsroot/GCC_XML/gccxml/GCC_XML/Support/gccxml_find_flags,v <-- GCC_XML/Support/gccxml_find_flags
new revision: 1.4; previous revision: 1.3
/cvsroot/GCC_XML/gccxml/GCC_XML/Support/gccxml_identify_compiler.cc,v <-- GCC_XML/Support/gccxml_identify_compiler.cc
initial revision: 1.1

which avoids executing code out of /tmp altogether.

However, I do not see any problem with the latter (per-compiler find_flags scripts). They just perform string processing.

I would be happy to use a more random way to generate the /tmp file names in the other scripts if someone can tell me what is SGI's equivalent of 'mktemp'.
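One portable answer to the question asked in this note, added here as an example rather than code from the GCC-XML scripts: on a system with no mktemp, rely on mkdir being atomic and failing when the path already exists (a pre-planted symlink or file makes it fail instead of being followed), then place the .cc file inside that freshly created, owner-only directory. The function name and naming scheme are assumptions, not the project's.

```shell
#!/bin/sh
# Added example (not from GCC-XML). Creates a private scratch directory
# without mktemp: mkdir(2) creates-or-fails atomically, so an attacker's
# pre-planted symlink at a guessed name makes the attempt fail rather than
# redirecting the write. Prints the path of a fresh .cc file inside it.
# Assumption: POSIX sh with awk and date available.

make_private_cc() {
    tmpbase="${TMPDIR:-/tmp}"
    umask 077            # directory and file readable by the owner only
    i=0
    while [ "$i" -lt 100 ]; do
        # Name mixes PID, time, a random component (shell RANDOM where it
        # exists, awk's rand() otherwise) and a retry counter.
        rand="${RANDOM:-$(awk 'BEGIN { srand(); print int(rand() * 1000000) }')}"
        dir="$tmpbase/gccxml_identify_compiler.$$.$(date +%s).$rand.$i"
        if mkdir "$dir" 2>/dev/null; then
            # Only reached when this process created the directory; the
            # extra checks are belt and braces against an unexpected fs.
            if [ -d "$dir" ] && [ ! -L "$dir" ]; then
                printf '%s\n' "$dir/gccxml_identify_compiler.cc"
                return 0
            fi
            rmdir "$dir" 2>/dev/null || :
        fi
        i=$((i + 1))     # collision (name already taken): try a new name
    done
    return 1             # give up rather than fall back to a fixed path
}
```

The caller writes the source into the printed path and removes the whole directory afterwards; because the directory is created by this process with mode 0700, no other local user can plant anything inside it between creation and use.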
(0017694)
Brad King (manager)
2009-09-22 08:55

The problem in MIPSpro/find_flags was never fixed.
It was reported again in Debian's tracker:

  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496391

The real problem is that while the script only performs string processing, the results are passed as command-line arguments later. This enables the standard back-tick evaluation attack.
(0017695)
Brad King (manager)
2009-09-22 09:16

I've committed a fix for the MIPSpro script:

Teach MIPSpro/find_flags to avoid working in /tmp
/cvsroot/GCC_XML/gccxml/GCC_XML/Support/MIPSpro/find_flags,v <-- GCC_XML/Support/MIPSpro/find_flags
new revision: 1.6; previous revision: 1.5
/cvsroot/GCC_XML/gccxml/GCC_XML/Support/MIPSpro/mipspro_defs.cxx,v <-- GCC_XML/Support/MIPSpro/mipspro_defs.cxx
initial revision: 1.1

Issue History
Date Modified Username Field Change
2008-11-12 15:34 Craig_G New Issue
2008-11-12 15:42 Brad King Note Added: 0014094
2008-12-15 15:28 Brad King Note Added: 0014351
2008-12-15 15:29 Brad King Status new => closed
2008-12-15 15:29 Brad King Resolution open => fixed
2009-09-22 08:45 Brad King Status closed => assigned
2009-09-22 08:45 Brad King Assigned To => Brad King
2009-09-22 08:55 Brad King Note Added: 0017694
2009-09-22 09:16 Brad King Note Added: 0017695
2009-09-22 09:17 Brad King Status assigned => closed
