Bug#789404: pbuilder: insecure use of /tmp

Mattia Rizzolo mattia at mapreri.org
Sat Aug 8 17:00:52 UTC 2015


Control: tags -1 pending
Control: severity 789401 important

On Wed, Aug 05, 2015 at 01:33:43PM +0200, Jakub Wilk wrote:
> * Mattia Rizzolo <mattia at mapreri.org>, 2015-08-04, 07:41:
> >>pbuilder builds the package in $BUILDPLACE/tmp/buildd. But
> >>$BUILDPLACE/tmp is normally world-writable, and pbuilder doesn't fail if
> >>the buildd directory already exists:
> >>
> >>   mkdir -p "$BUILDPLACE/tmp/buildd"
> >>
> >>There's a race window between unpacking base.tgz and the mkdir call when
> >>a malicious local user could create their own $BUILDPLACE/tmp/buildd.
> >>Owning the buildd directory would let them tamper with the build
> >>process.
> >>
> >>Alternatively, the attacker could exploit #789401 to plant tmp/buildd
> >>directly in base.tgz.
> >
> >I think I'm going to solve both this and #789401 by making /tmp/buildd
> >configurable
> 
> Right. Moving the build directory outside /tmp should fix this bug.

Done, by parameterizing the directory with BUILDDIR and changing the default to
/build.

I foresee angry users, since /tmp/buildd is probably used in a lot of local
scripts (hooks). Also the example hooks need updating, not to speak about
docs....  → work.

> I don't see how changing it can fix #789401, though.

It would improve the situation, as a malicious local user cannot plant the
build dir any more (yes, it could still tamper with /tmp, but with the actual
build dir, which is somewhere else)

> >and defaulting to another place, maybe the one used by sbuild (/buildd
> >iirc)
> 
> It's "/build" (with a single "d").

cool, thanks.

-- 
regards,
                        Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18  4D18 4B04 3FCD B944 4540         .''`.
more about me:  http://mapreri.org                                 : :'  :
Launchpad user: https://launchpad.net/~mapreri                     `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia     `-
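
The difference between `mkdir -p` and a plain `mkdir` on a pre-existing path, as an added example that is not part of the original message and not pbuilder's own code or its actual fix (which moved the build directory to /build via BUILDDIR). The function names and the scratch directory standing in for $BUILDPLACE are assumptions made for the demonstration.

```shell
#!/bin/sh
# The pattern from the report: succeeds even if the path already exists,
# so a directory created earlier by someone else is silently adopted.
create_lenient() {
    mkdir -p "$1"
}

# Hardened form (hypothetical helper name): plain mkdir is atomic and fails
# with EEXIST if anything, a symlink included, is already at the path.
create_strict() {
    dir=$1
    if ! ( umask 077; mkdir "$dir" ) 2>/dev/null; then
        echo "refusing pre-existing path: $dir" >&2
        return 1
    fi
    # Defence in depth: a real directory, not a symlink, owned by the caller.
    [ -d "$dir" ] && [ ! -L "$dir" ] && [ -O "$dir" ]
}

# Constructed scenario: a scratch directory stands in for $BUILDPLACE, and
# tmp/buildd is already present before the build step reaches its mkdir.
BUILDPLACE=$(mktemp -d) || exit 1
mkdir -m 1777 "$BUILDPLACE/tmp"
mkdir "$BUILDPLACE/tmp/buildd"

create_lenient "$BUILDPLACE/tmp/buildd" && echo "mkdir -p: adopted existing dir"
create_strict "$BUILDPLACE/tmp/buildd" || echo "mkdir: rejected existing dir"
create_strict "$BUILDPLACE/build" && echo "mkdir: created fresh build dir"
rm -rf "$BUILDPLACE"
```

A failing `create_strict` is the signal to abort the build rather than reuse the directory.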