Bug#789404: pbuilder: insecure use of /tmp

Jakub Wilk jwilk at debian.org
Sat Jun 20 15:04:03 UTC 2015


Source: pbuilder
Version: 0.215+nmu3
Severity: grave
Tags: security

pbuilder builds the package in $BUILDPLACE/tmp/buildd. 
But $BUILDPLACE/tmp is normally world-writable, and pbuilder doesn't 
fail if the buildd direcory already exists:

    mkdir -p "$BUILDPLACE/tmp/buildd"

There's a race window between unpacking base.tgz and the mkdir call when 
malicious local user could create their own $BUILDPLACE/tmp/buildd. 
Owning the buildd directory would let them tamper with the build process.

Alternatively, the attacker could exploit #789401 to plant tmp/buildd 
directly in base.tgz.


-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.0.0-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages pbuilder depends on:
ii  coreutils              8.23-4
ii  debconf [debconf-2.0]  1.5.56
ii  debianutils            4.5.1
ii  debootstrap            1.0.70
ii  dpkg-dev               1.18.1
ii  wget                   1.16.3-2+b2

-- 
Jakub Wilk



More information about the Pbuilder-maint mailing list