Bugtraq mailing list archives
RPM building races
From: Ian Lynagh <igloo () EARTH LI>
Date: Mon, 19 Mar 2001 18:52:11 +0000
Hi all
Today it became necessary for me to build an RPM for the first time. To
assist my learning I chose, randomly, gzip and had a look at its spec
file in conjunction with reading the various documentation. The first
time I saw the reference to /tmp and /var/tmp I was worried, and still
don't see why ./redhat isn't used in the same way as ./debian/tmp is.
Looking more closely at the spec file I saw
rm -rf $RPM_BUILD_ROOT
%makeinstall bindir=$RPM_BUILD_ROOT/bin gzip.info
mkdir -p $RPM_BUILD_ROOT/usr/bin
which immediately flashed warning lights about races. In this case
rm -rf $RPM_BUILD_ROOT
mkdir -p `dirname $RPM_BUILD_ROOT`
mkdir $RPM_BUILD_ROOT
%makeinstall bindir=$RPM_BUILD_ROOT/bin gzip.info
mkdir -p $RPM_BUILD_ROOT/usr/bin
would have been safe (I believe) as the mkdir without -p will fail if
the directory exists. This allows you to alter the files in the package,
for example such that whenever anyone ran the command you got a shell
SUID their UID, if you have a shell on the machine the package is built
on while it is being built. Certainly in the case of gzip this is not
an easy race to exploit, but it exists all the same.
I have attached a patch against gzip-1.3-6 from RedHat which pauses the
build process at various points and lists commands that will build a
gzip RPM in which the gzip binary simply echoes foo. To exploit this race
for real is difficult, and you need an account on the machine in
question, but even so I think problems like these should be fixed. There
may also be easier races in other packages. I am not overly familiar
with RPM, but I think the easiest solution would be to set the default
buildroot on all packages to be something like ./rpm-building/%{package}
or, slightly more work, to make sure the buildroot is secure before you
do anything else in there.
I have not given vendors advanced warning as their build environments
are presumably secure, while it is the many sysadmins building RPMs
out there on user machines who are the ones under threat.
I haven't looked at other packages or RPM based distributions at all.
Take care
Ian
Attachment:
gzip.spec.diff
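Below is an added example, not part of Ian's post or of Red Hat's gzip.spec: an %install-style shell prelude that follows the safe ordering described above (plain mkdir, without -p, after the rm -rf, so anything that reappears in the window makes the build fail instead of being silently reused) and then sanity-checks the resulting build root. The function name prepare_buildroot and its argument are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post or from Red Hat's gzip.spec).
# prepare_buildroot PATH creates PATH as a fresh, private build root in the
# way the post recommends: rm -rf, then mkdir WITHOUT -p, so a directory or
# symlink planted by another user in a shared /var/tmp between the two
# commands aborts the build rather than being reused for %makeinstall.

prepare_buildroot() {
    buildroot="$1"
    parent=$(dirname "$buildroot")

    # Never let an unset or bogus buildroot turn into "rm -rf /".
    case "$buildroot" in
        ""|"/") echo "refusing to use buildroot '$buildroot'" >&2; return 1 ;;
    esac

    # The parent (e.g. /var/tmp) may be world-writable; it only has to exist.
    # The build root itself must be ours alone.
    mkdir -p "$parent" || return 1

    # Remove whatever is there now.  If it is a symlink, rm -rf removes the
    # link itself, not the directory it points at.
    rm -rf "$buildroot"

    # No -p: this fails if anything reappeared between rm and mkdir, which
    # is exactly the window the post is worried about.
    if ! mkdir "$buildroot"; then
        echo "buildroot $buildroot already exists; aborting build" >&2
        return 1
    fi
    chmod 700 "$buildroot" || return 1

    # Belt and braces: a real directory, not a symlink, owned by the builder.
    if [ -L "$buildroot" ] || [ ! -d "$buildroot" ] || [ ! -O "$buildroot" ]; then
        echo "buildroot $buildroot failed sanity checks" >&2
        return 1
    fi
    return 0
}
```

In a spec file the same three commands (mkdir -p of the parent, rm -rf, mkdir without -p) can simply open the %install section, before %makeinstall is invoked.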