On Friday 18 July 2008, Jan Minář wrote:
...
3. Vulnerability
During the build process, a temporary file with a predictable name is
created in the ``/tmp'' directory. This code is run when Vim is
being build with Python support:
src/configure.in:
677 dnl -- we need to examine Python's
config/Makefile too 678 dnl see what the interpreter is
built from 679 AC_CACHE_VAL(vi_cv_path_python_plibs,
680 [
681 tmp_mkf="/tmp/Makefile-conf$$"
(1)--> 682 cat ${PYTHON_CONFDIR}/Makefile - <<'eof'
${tmp_mkf} 683 __:
684 @echo "python_MODLIBS='$(MODLIBS)'"
685 @echo "python_LIBS='$(LIBS)'"
686 @echo "python_SYSLIBS='$(SYSLIBS)'"
687 @echo "python_LINKFORSHARED='$(LINKFORSHARED)'"
688 eof
689 dnl -- delete the lines from make about
Entering/Leaving directory
(2)--> 690 eval "`cd ${PYTHON_CONFDIR} && make -f
${tmp_mkf} __ | sed '/ directory /d'`"
691 rm -f ${tmp_mkf}
The attacker has to create the temporary file
``/tmp/Makefile-conf<PID>'' before it is first written to at (1). In
the time between (1) and (2), arbitrary commands can be written to
the file. They will be executed at (2).
The commands do not have to be written there between (1) and (2), they
can be in the file long before the ./configure was started -- just
because the script does care whether it can write to the file at all.
So unlike stated in the advisory, and in CVE-2008-3294, the issue does
not involve a race condition if the attacker would choose to create a
644 file.
