Bug#789404: pbuilder: insecure use of /tmp
Jakub Wilk
jwilk at debian.org
Sun Aug 9 23:32:54 UTC 2015
Correction:
* Jakub Wilk <jwilk at debian.org>, 2015-06-20, 17:04:
>pbuilder builds the package in $BUILDPLACE/tmp/buildd. But
>$BUILDPLACE/tmp is normally world-writable, and pbuilder doesn't fail
>if the buildd direcory already exists:
>
> mkdir -p "$BUILDPLACE/tmp/buildd"
>
>There's a race window between unpacking base.tgz and the mkdir call
>when malicious local user could create their own
>$BUILDPLACE/tmp/buildd.
As Mattia correctly noted in another mail, tmp/builddr is stored in the
tarball, so (assuming that tar unpacks it securely...) there's no race
window when you build a package.
>Alternatively, the attacker could exploit #789401 to plant tmp/buildd
>directly in base.tgz.
There's plenty of time for an attacker at bootstrap time, though. :)
--
Jakub Wilk
More information about the Pbuilder-maint
mailing list