Bug#789404: pbuilder: insecure use of /tmp

Mattia Rizzolo mattia at mapreri.org
Tue Aug 4 07:41:04 UTC 2015


On Sat, Jun 20, 2015 at 05:04:03PM +0200, Jakub Wilk wrote:
> pbuilder builds the package in $BUILDPLACE/tmp/buildd. But $BUILDPLACE/tmp
> is normally world-writable, and pbuilder doesn't fail if the buildd directory
> already exists:
> 
>    mkdir -p "$BUILDPLACE/tmp/buildd"
> 
> There's a race window between unpacking base.tgz and the mkdir call when
> malicious local user could create their own $BUILDPLACE/tmp/buildd. Owning
> the buildd directory would let them tamper with the build process.
> 
> Alternatively, the attacker could exploit #789401 to plant tmp/buildd
> directly in base.tgz.

I think I'm going to solve both this and #789401 by making /tmp/buildd
configurable (so people wanting /tmp/buildd can still have it) and defaulting
to another place, maybe the one used by sbuild (/buildd iirc)

Does this sound sane enough?

-- 
regards,
                        Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18  4D18 4B04 3FCD B944 4540         .''`.
more about me:  http://mapreri.org                                 : :'  :
Launchpad user: https://launchpad.net/~mapreri                     `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia     `-
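A shell illustration of the issue discussed in this thread, added here as an example rather than code from pbuilder: the `mkdir -p` step beside a variant that refuses a pre-existing tmp/buildd. The tmp/buildd path mirrors the report; the helper names and the build-place argument passed as `$1` are assumptions.

```shell
# Added example, not pbuilder's own code. "$1" is the build place
# (the unpacked base.tgz root); "tmp/buildd" is the path from the report.

# Weak: "mkdir -p" silently succeeds when tmp/buildd already exists, so a
# directory (or a symlink to a directory) planted by another local user,
# or shipped inside base.tgz, is adopted as the build location.
weak_make_buildd() {
    mkdir -p "$1/tmp/buildd"
}

# Hardened: create without -p so an existing entry makes mkdir fail, then
# confirm the result is a plain directory owned by the invoking user.
# Returns 0 only when this call created the directory itself.
safe_make_buildd() {
    d="$1/tmp/buildd"
    # Plain mkdir fails with EEXIST if anything already sits at the path,
    # which closes the window between unpacking base.tgz and this step.
    if ! mkdir "$d" 2>/dev/null; then
        echo "refusing: $d already exists (pre-planted?)" >&2
        return 1
    fi
    # Belt and braces: not a symlink, really a directory, owned by us.
    # (-O is supported by bash and dash, not strictly by POSIX sh.)
    if [ -L "$d" ] || [ ! -d "$d" ] || [ ! -O "$d" ]; then
        echo "refusing: $d is not a plain directory owned by us" >&2
        return 1
    fi
    chmod 0755 "$d"
    return 0
}
```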