Bug#789404: pbuilder: insecure use of /tmp
Jakub Wilk
jwilk at debian.org
Wed Aug 5 11:33:43 UTC 2015
* Mattia Rizzolo <mattia at mapreri.org>, 2015-08-04, 07:41:
>>pbuilder builds the package in $BUILDPLACE/tmp/buildd. But
>>$BUILDPLACE/tmp is normally world-writable, and pbuilder doesn't fail
>>if the buildd directory already exists:
>>
>> mkdir -p "$BUILDPLACE/tmp/buildd"
>>
>>There's a race window between unpacking base.tgz and the mkdir call
>>when a malicious local user could create their own
>>$BUILDPLACE/tmp/buildd. Owning the buildd directory would let them
>>tamper with the build process.
>>
>>Alternatively, the attacker could exploit #789401 to plant tmp/buildd
>>directly in base.tgz.
>
>I think I'm going to solve both this and #789401 by making /tmp/buildd
>configurable

Right. Moving the build directory outside /tmp should fix this bug.
I don't see how changing it can fix #789401, though.

>and defaulting to another place, maybe the one used by sbuild (/buildd
>iirc)

It's "/build" (with a single "d").

--
Jakub Wilk
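
Added example, not part of the original message and not pbuilder's code: the `mkdir -p` call quoted in the report next to a hypothetical stricter variant that refuses a pre-existing tmp/buildd. The function names and the scratch directory standing in for $BUILDPLACE are assumptions made for the demo.

```shell
#!/bin/sh
# Constructed demo: a scratch directory stands in for $BUILDPLACE;
# no real chroot or base.tgz is involved.

# The call quoted in the report: -p makes mkdir succeed even when
# tmp/buildd already exists, whoever created it.
create_builddir_permissive() {
    mkdir -p "$1/tmp/buildd"
}

# Hypothetical stricter variant: plain mkdir fails with EEXIST if anything
# (directory, file or symlink) is already at the path, so a pre-created
# entry stops the build instead of being silently reused.
create_builddir_strict() {
    if ! mkdir -m 0700 "$1/tmp/buildd" 2>/dev/null; then
        echo "E: $1/tmp/buildd already exists or cannot be created" >&2
        return 1
    fi
}

# Run both variants against a tree where tmp/buildd was created beforehand.
demo() {
    bp=$(mktemp -d) || return 1
    mkdir -m 1777 "$bp/tmp"      # world-writable with sticky bit, like /tmp
    mkdir "$bp/tmp/buildd"       # stands in for the pre-created directory
    create_builddir_permissive "$bp" && p=accepted || p=refused
    create_builddir_strict "$bp" 2>/dev/null && s=accepted || s=refused
    rm -rf "$bp"
    echo "permissive=$p strict=$s"
}

demo
```

The strict variant only detects a pre-existing entry; it does not address #789401, where the directory would arrive inside base.tgz before the check runs.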