Date: Fri, 13 Feb 2004 15:16:03 +0100 From: Oliver Eikemeier <eikemeier@fillmore-labs.com> To: FreeBSD-gnats-submit@FreeBSD.org Cc: Ade Lovett <ade@FreeBSD.org> Subject: ports/62786: [SECURITY] devel/libtool1[345]: symlink vulnerability Message-ID: <402CDC23.9090703@fillmore-labs.com> Resent-Message-ID: <200402131420.i1DEKFfL008088@freefall.freebsd.org>
>Number: 62786 >Category: ports >Synopsis: [SECURITY] devel/libtool1[345]: symlink vulnerability >Confidential: no >Severity: serious >Priority: high >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Fri Feb 13 06:20:14 PST 2004 >Closed-Date: >Last-Modified: >Originator: Oliver Eikemeier >Release: FreeBSD 4.9-STABLE i386 >Organization: Fillmore Labs - http://www.fillmore-labs.com >Environment: System: FreeBSD nuuk.fillmore-labs.com 4.9-STABLE >Description: Stefan Nordhausen found a symlink vulnerability in libtool prior to version 1.5.2. Libtool insecurely creates a temporary directory when a package using libtool is being compiled. - update libtool 1.3 to 1.3.5_2 - update libtool 1.4 to 1.4.3_3 - update libtool 1.5 to 1.5.2 - use SIZE and MASTER_SITE_GNU Reference: <http://www.securityfocus.com/archive/1/352333>, fix from <http://www.securityfocus.com/archive/1/352519> >How-To-Repeat: >Fix: Index: devel/libtool13/Makefile =================================================================== RCS file: /home/ncvs/ports/devel/libtool13/Makefile,v retrieving revision 1.31 diff -u -r1.31 Makefile --- devel/libtool13/Makefile 11 Feb 2004 19:14:57 -0000 1.31 +++ devel/libtool13/Makefile 13 Feb 2004 13:37:56 -0000 @@ -7,7 +7,7 @@ PORTNAME= libtool PORTVERSION= 1.3.5 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= devel MASTER_SITES= ${MASTER_SITE_GNU} MASTER_SITE_SUBDIR= libtool Index: devel/libtool13/distinfo =================================================================== RCS file: /home/ncvs/ports/devel/libtool13/distinfo,v retrieving revision 1.5 diff -u -r1.5 distinfo --- devel/libtool13/distinfo 26 Jun 2003 22:58:24 -0000 1.5 +++ devel/libtool13/distinfo 13 Feb 2004 13:47:21 -0000 
@@ -1 +1,2 @@ MD5 (libtool-1.3.5.tar.gz) = fa26a07c978ad05d1f88ed7a472daa49 +SIZE (libtool-1.3.5.tar.gz) = 538884 Index: devel/libtool13/files/patch-ad =================================================================== RCS file: /home/ncvs/ports/devel/libtool13/files/patch-ad,v retrieving revision 1.9 diff -u -r1.9 patch-ad --- devel/libtool13/files/patch-ad 26 Jun 2003 22:58:24 -0000 1.9 +++ devel/libtool13/files/patch-ad 13 Feb 2004 13:37:27 -0000 @@ -1,5 +1,5 @@ --- ltmain.sh.orig Sat May 27 07:15:01 2000 -+++ ltmain.sh Fri Dec 13 23:50:12 2002 ++++ ltmain.sh Fri Feb 13 14:36:07 2004 @@ -23,6 +23,9 @@ # configuration script generated by Autoconf, you may include it under # the same distribution terms that you use for the rest of that program. @@ -234,3 +234,17 @@ finalize=no fi done +@@ -3463,8 +3573,12 @@ + tmpdir="/tmp" + test -n "$TMPDIR" && tmpdir="$TMPDIR" + tmpdir="$tmpdir/libtool-$$" +- if $mkdir -p "$tmpdir" && chmod 700 "$tmpdir"; then : ++ save_umask=`umask` ++ umask 0077 ++ if $mkdir "$tmpdir"; then ++ umask $save_umask + else ++ umask $save_umask + $echo "$modename: error: cannot create temporary directory \`$tmpdir'" 1>&2 + continue + fi Index: devel/libtool14/Makefile =================================================================== RCS file: /home/ncvs/ports/devel/libtool14/Makefile,v retrieving revision 1.33 diff -u -r1.33 Makefile --- devel/libtool14/Makefile 11 Feb 2004 19:14:57 -0000 1.33 +++ devel/libtool14/Makefile 13 Feb 2004 13:44:06 -0000 @@ -7,7 +7,7 @@ PORTNAME?= libtool PORTVERSION= 1.4.3 -PORTREVISION?= 2 +PORTREVISION?= 3 CATEGORIES= devel #MASTER_SITES= ${MASTER_SITE_GNU} #MASTER_SITE_SUBDIR= libtool Index: devel/libtool14/distinfo =================================================================== RCS file: /home/ncvs/ports/devel/libtool14/distinfo,v retrieving revision 1.5 diff -u -r1.5 distinfo --- devel/libtool14/distinfo 26 Jun 2003 22:58:24 -0000 1.5 +++ devel/libtool14/distinfo 13 Feb 2004 13:47:09 -0000 
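Review bot: In the inner hunk added to `files/patch-ad` (`@@ -3463,8 +3573,12 @@`) the directory name is still the predictable `$tmpdir/libtool-$$`. Dropping `-p` and creating the directory under `umask 0077` does stop libtool from accepting a path that already exists, but another local user can still occupy that name first, and the `else` branch then only prints the error and `continue`s, so the step is skipped for that file. Since this is the FreeBSD port, consider letting the system choose the name in place of `libtool-$$`, e.g. `mktemp -d "$tmpdir/libtool-XXXXXX"`, keeping the `umask`/`$mkdir` sequence as the fallback, and decide whether a failure here should abort instead of continuing. The fix also depends on `$mkdir`, which is defined outside the hunk, not carrying `-p` itself; a comment above `umask 0077` such as `# create 0700 atomically and fail if the path already exists (no -p, no chmod afterwards)` would guard against a later edit reintroducing it. The same lines are added to devel/libtool14/files/patch-ad (`@@ -4414,8 +4414,12 @@`), and the enclosing loop in ltmain.sh starts and ends outside the hunk.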
@@ -1 +1,2 @@ MD5 (libtool-1.4.3.tar.gz) = d11a3c835449d7fa50a025dc9c01ad81 +SIZE (libtool-1.4.3.tar.gz) = 1164463 Index: devel/libtool14/files/patch-ad =================================================================== RCS file: /home/ncvs/ports/devel/libtool14/files/patch-ad,v retrieving revision 1.9 diff -u -r1.9 patch-ad --- devel/libtool14/files/patch-ad 26 Jun 2003 22:58:25 -0000 1.9 +++ devel/libtool14/files/patch-ad 13 Feb 2004 13:43:44 -0000 @@ -2,7 +2,7 @@ $FreeBSD: ports/devel/libtool14/files/patch-ad,v 1.9 2003/06/26 22:58:25 ade Exp $ --- ltmain.sh.orig Mon Sep 10 22:33:26 2001 -+++ ltmain.sh Wed Jan 23 16:39:22 2002 ++++ ltmain.sh Fri Feb 13 14:41:25 2004 @@ -1062,6 +1062,12 @@ -module) @@ -48,3 +48,17 @@ # Maybe install the static library, too. test -n "$old_library" && staticlibs="$staticlibs $dir/$old_library" +@@ -4414,8 +4414,12 @@ + tmpdir="/tmp" + test -n "$TMPDIR" && tmpdir="$TMPDIR" + tmpdir="$tmpdir/libtool-$$" +- if $mkdir -p "$tmpdir" && chmod 700 "$tmpdir"; then : ++ save_umask=`umask` ++ umask 0077 ++ if $mkdir "$tmpdir"; then ++ umask $save_umask + else ++ umask $save_umask + $echo "$modename: error: cannot create temporary directory \`$tmpdir'" 1>&2 + continue + fi Index: devel/libtool15/Makefile =================================================================== RCS file: /home/ncvs/ports/devel/libtool15/Makefile,v retrieving revision 1.33 diff -u -r1.33 Makefile --- devel/libtool15/Makefile 11 Feb 2004 19:14:58 -0000 1.33 +++ devel/libtool15/Makefile 13 Feb 2004 14:04:46 -0000 
@@ -6,13 +6,11 @@ # PORTNAME?= libtool -PORTVERSION= 1.5 +PORTVERSION= 1.5.2 PORTREVISION?= 0 CATEGORIES= devel -#MASTER_SITES= ${MASTER_SITE_GNU} -#MASTER_SITE_SUBDIR= libtool -MASTER_SITES= ${MASTER_SITE_LOCAL} -MASTER_SITE_SUBDIR= ade/gnu +MASTER_SITES= ${MASTER_SITE_GNU} +MASTER_SITE_SUBDIR= libtool DISTNAME= libtool-${PORTVERSION} MAINTAINER= ade@FreeBSD.org Index: devel/libtool15/distinfo =================================================================== RCS file: /home/ncvs/ports/devel/libtool15/distinfo,v retrieving revision 1.6 diff -u -r1.6 distinfo --- devel/libtool15/distinfo 2 Jul 2003 18:26:53 -0000 1.6 +++ devel/libtool15/distinfo 13 Feb 2004 13:46:50 -0000 @@ -1 +1,2 @@ -MD5 (libtool-1.5.tar.gz) = 0e1844f25e2ad74c3715b5776d017545 +MD5 (libtool-1.5.2.tar.gz) = db66ba05502f533ad0cfd84dc0e03bd5 +SIZE (libtool-1.5.2.tar.gz) = 2653072 Index: devel/libtool15/files/patch-ab =================================================================== RCS file: /home/ncvs/ports/devel/libtool15/files/patch-ab,v retrieving revision 1.5 diff -u -r1.5 patch-ab --- devel/libtool15/files/patch-ab 2 Jul 2003 18:26:53 -0000 1.5 +++ devel/libtool15/files/patch-ab 13 Feb 2004 13:57:57 -0000 
@@ -1,54 +1,86 @@ ---- doc/Makefile.in.orig Mon Apr 14 17:29:22 2003 -+++ doc/Makefile.in Fri Apr 18 20:22:58 2003 -@@ -93,3 +93,3 @@ - LTLIBOBJS = @LTLIBOBJS@ --MAKEINFO = @MAKEINFO@ -+MAKEINFO = @MAKEINFO@ --no-split - NM = @NM@ -@@ -160,4 +160,4 @@ - AUTOMAKE_OPTIONS = gnits --info_TEXINFOS = libtool.texi --libtool_TEXINFOS = PLATFORMS fdl.texi -+info_TEXINFOS = libtool15.texi -+libtool15_TEXINFOS = PLATFORMS fdl.texi +--- doc/Makefile.in.orig Sun Jan 25 13:36:36 2004 ++++ doc/Makefile.in Fri Feb 13 14:57:56 2004 +@@ -34,7 +34,7 @@ + POST_UNINSTALL = : + host_triplet = @host@ subdir = doc -@@ -167,8 +167,8 @@ +-DIST_COMMON = $(libtool_TEXINFOS) $(srcdir)/Makefile.am \ ++DIST_COMMON = $(libtool15_TEXINFOS) $(srcdir)/Makefile.am \ + $(srcdir)/Makefile.in $(srcdir)/stamp-vti \ + $(srcdir)/version.texi mdate-sh texinfo.tex + ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +@@ -46,13 +46,13 @@ + CONFIG_CLEAN_FILES = + SOURCES = + DIST_SOURCES = +-INFO_DEPS = $(srcdir)/libtool.info ++INFO_DEPS = $(srcdir)/libtool15.info am__TEXINFO_TEX_DIR = $(srcdir) --INFO_DEPS = libtool.info -DVIS = libtool.dvi -PDFS = libtool.pdf -PSS = libtool.ps +-HTMLS = libtool.html -TEXINFOS = libtool.texi --DIST_COMMON = $(libtool_TEXINFOS) Makefile.am Makefile.in mdate-sh \ -+INFO_DEPS = libtool15.info +DVIS = libtool15.dvi +PDFS = libtool15.pdf +PSS = libtool15.ps ++HTMLS = libtool15.html +TEXINFOS = libtool15.texi -+DIST_COMMON = $(libtool15_TEXINFOS) Makefile.am Makefile.in mdate-sh \ - stamp-vti texinfo.tex version.texi -@@ -207,9 +207,9 @@ - $(TEXI2PDF) `test -f '$<' || echo '$(srcdir)/'`$< --libtool.info: libtool.texi version.texi $(libtool_TEXINFOS) --libtool.dvi: libtool.texi version.texi $(libtool_TEXINFOS) --libtool.pdf: libtool.texi version.texi $(libtool_TEXINFOS) -+libtool15.info: libtool15.texi version.texi $(libtool15_TEXINFOS) -+libtool15.dvi: libtool15.texi version.texi $(libtool15_TEXINFOS) -+libtool15.pdf: libtool15.texi version.texi $(libtool15_TEXINFOS) - version.texi: stamp-vti 
--stamp-vti: libtool.texi $(top_srcdir)/configure + TEXI2DVI = texi2dvi + TEXI2PDF = $(TEXI2DVI) --pdf --batch + MAKEINFOHTML = $(MAKEINFO) --html +@@ -116,7 +116,7 @@ + LIBTOOL = @LIBTOOL@ + LN_S = @LN_S@ + LTLIBOBJS = @LTLIBOBJS@ +-MAKEINFO = @MAKEINFO@ ++MAKEINFO = @MAKEINFO@ --no-split + NM = @NM@ + OBJDUMP = @OBJDUMP@ + OBJEXT = @OBJEXT@ +@@ -183,8 +183,8 @@ + sysconfdir = @sysconfdir@ + target_alias = @target_alias@ + AUTOMAKE_OPTIONS = gnits +-info_TEXINFOS = libtool.texi +-libtool_TEXINFOS = PLATFORMS fdl.texi ++info_TEXINFOS = libtool15.texi ++libtool15_TEXINFOS = PLATFORMS fdl.texi + all: all-am + + .SUFFIXES: +@@ -268,14 +268,14 @@ + -o $@ $< + if test ! -d $@ && test -d $(@:.html=); then \ + mv $(@:.html=) $@; else :; fi +-$(srcdir)/libtool.info: libtool.texi $(srcdir)/version.texi $(libtool_TEXINFOS) +-libtool.dvi: libtool.texi $(srcdir)/version.texi $(libtool_TEXINFOS) +-libtool.pdf: libtool.texi $(srcdir)/version.texi $(libtool_TEXINFOS) +-libtool.html: libtool.texi $(srcdir)/version.texi $(libtool_TEXINFOS) ++$(srcdir)/libtool15.info: libtool15.texi $(srcdir)/version.texi $(libtool15_TEXINFOS) ++libtool15.dvi: libtool15.texi $(srcdir)/version.texi $(libtool15_TEXINFOS) ++libtool15.pdf: libtool15.texi $(srcdir)/version.texi $(libtool15_TEXINFOS) ++libtool15.html: libtool15.texi $(srcdir)/version.texi $(libtool15_TEXINFOS) + $(srcdir)/version.texi: $(srcdir)/stamp-vti +-$(srcdir)/stamp-vti: libtool.texi $(top_srcdir)/configure - @(dir=.; test -f ./libtool.texi || dir=$(srcdir); \ - set `$(SHELL) $(srcdir)/mdate-sh $$dir/libtool.texi`; \ -+stamp-vti: libtool15.texi $(top_srcdir)/configure ++$(srcdir)/stamp-vti: libtool15.texi $(top_srcdir)/configure + @(dir=.; test -f ./libtool15.texi || dir=$(srcdir); \ + set `$(SHELL) $(srcdir)/mdate-sh $$dir/libtool15.texi`; \ echo "@set UPDATED $$1 $$2 $$3"; \ -@@ -270,5 +270,5 @@ + echo "@set UPDATED-MONTH $$2 $$3"; \ + echo "@set EDITION $(VERSION)"; \ +@@ -332,9 +332,9 @@ + done + mostlyclean-aminfo: -- -rm -f 
libtool.aux libtool.cp libtool.cps libtool.fn libtool.ky libtool.kys \ +- -rm -rf libtool.aux libtool.cp libtool.cps libtool.fn libtool.ky libtool.kys \ - libtool.log libtool.pg libtool.tmp libtool.toc libtool.tp \ -- libtool.vr libtool.dvi libtool.pdf libtool.ps -+ -rm -f libtool15.aux libtool15.cp libtool15.cps libtool15.fn libtool15.ky libtool15.kys \ +- libtool.vr libtool.dvi libtool.pdf libtool.ps libtool.html ++ -rm -rf libtool15.aux libtool15.cp libtool15.cps libtool15.fn libtool15.ky libtool15.kys \ + libtool15.log libtool15.pg libtool15.tmp libtool15.toc libtool15.tp \ -+ libtool15.vr libtool15.dvi libtool15.pdf libtool15.ps ++ libtool15.vr libtool15.dvi libtool15.pdf libtool15.ps libtool15.html + maintainer-clean-aminfo: + @list='$(INFO_DEPS)'; for i in $$list; do \ >Release-Note: >Audit-Trail: >Unformatted: