On Friday 18 July 2008, Jan Minář wrote:
...
3. Vulnerability
During the build process, a temporary file with a predictable name
is created in the ``/tmp'' directory. This code is run when Vim
is being build with Python support:
src/configure.in:
677 dnl -- we need to examine Python's
config/Makefile too 678 dnl see what the interpreter is
built from 679 AC_CACHE_VAL(vi_cv_path_python_plibs,
680 [
681 tmp_mkf="/tmp/Makefile-conf$$"
(1)--> 682 cat ${PYTHON_CONFDIR}/Makefile - <<'eof'
${tmp_mkf} 683 __:
684 @echo "python_MODLIBS='$(MODLIBS)'"
685 @echo "python_LIBS='$(LIBS)'"
686 @echo "python_SYSLIBS='$(SYSLIBS)'"
687 @echo
"python_LINKFORSHARED='$(LINKFORSHARED)'" 688 eof
689 dnl -- delete the lines from make about
Entering/Leaving directory
(2)--> 690 eval "`cd ${PYTHON_CONFDIR} && make -f
${tmp_mkf} __ | sed '/ directory /d'`"
691 rm -f ${tmp_mkf}
The attacker has to create the temporary file
``/tmp/Makefile-conf<PID>'' before it is first written to at (1).
In the time between (1) and (2), arbitrary commands can be written
to the file. They will be executed at (2).
The commands do not have to be written there between (1) and (2),
they can be in the file long before the ./configure was started --
just because the script does care whether it can write to the file
at all. So unlike stated in the advisory, and in CVE-2008-3294, the
issue does not involve a race condition if the attacker would
choose to create a 644 file.
