other/1492: gccbug security
Joseph Myers
jsm28@cam.ac.uk
Thu Dec 21 09:46:00 GMT 2000
>Number: 1492
>Category: other
>Synopsis: gccbug security
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: unassigned
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Thu Dec 21 09:46:01 PST 2000
>Closed-Date:
>Last-Modified:
>Originator: Joseph S. Myers
>Release: 2.97 20001221 (experimental)
>Organization:
none
>Environment:
System: Linux decomino 2.2.18 #1 Thu Dec 14 19:30:45 UTC 2000 i686 unknown
Architecture: i686
host: i686-pc-linux-gnu
build: i686-pc-linux-gnu
target: i686-pc-linux-gnu
configured with: ../gcc-cvs/configure --prefix=/opt/gcc/snapshot --disable-shared --enable-threads=posix --with-system-zlib
>Description:
The gccbug script handles temporary files insecurely: it uses
predictable names (depending only on the pid) in /tmp, if TMPDIR is
not set, and will follow symlinks when overwriting them.
>How-To-Repeat:
Standard /tmp exploits: as a hostile user, create symlinks named after
possible pids pointing to files writable by a user who runs gccbug.
>Fix:
Patch to be sent shortly; this PR is a test of the modified gccbug.
>Release-Note:
>Audit-Trail:
>Unformatted:
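
An added example, not part of the original report and not the patch it mentions: the pid-only naming pattern the Description outlines, next to a hardened form that works inside a freshly created private directory. The function names and the `report.*` / `body` file names are constructed for illustration, not taken from gccbug.

```shell
#!/bin/sh
# Added example, not gccbug's code. File names below are constructed.

# Pattern described in the report: name depends only on the pid, and ">"
# follows whatever already sits at that path, symlinks included.
insecure_tmp() {  # insecure_tmp BASE -> prints path it wrote to
    f="$1/report.$$"
    : > "$f" || return 1
    printf '%s\n' "$f"
}

# Hardened form: work inside a freshly created 0700 directory. mkdir(2)
# fails if the name exists (even as a symlink), so creation is atomic and
# nothing another user planted in BASE is ever opened.
private_tmp() {  # private_tmp BASE -> prints path of new empty file
    if d=$(mktemp -d "$1/report.XXXXXX" 2>/dev/null); then
        :
    else
        # Fallback for systems without mktemp: retry mkdir under umask 077.
        n=0 d=
        while [ "$n" -lt 100 ]; do
            c="$1/report.$$.$n"
            if (umask 077; mkdir "$c") 2>/dev/null; then d=$c; break; fi
            n=$((n + 1))
        done
        [ -n "$d" ] || return 1
    fi
    : > "$d/body" || return 1
    printf '%s\n' "$d/body"
}

# Self-check in a throwaway sandbox: a link is pre-placed at the predictable
# name, then each pattern runs; prints the target file's content afterwards.
check() {  # check insecure_tmp|private_tmp
    sb=$(mktemp -d) || return 1
    printf 'precious' > "$sb/target"
    ln -s "$sb/target" "$sb/report.$$"
    "$1" "$sb" >/dev/null
    cat "$sb/target"
    rm -rf "$sb"
}

if [ "${1:-}" = demo ]; then
    printf 'predictable name: [%s]\n' "$(check insecure_tmp)"
    printf 'private dir:      [%s]\n' "$(check private_tmp)"
fi
```

In a script, call it as `private_tmp "${TMPDIR:-/tmp}"` and remove the returned file's parent directory on exit.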