[Secure-testing-team] Bug#805454: libtoolize behavior depends on parent directories
Vincent Lefevre
vincent at vinc17.net
Wed Nov 18 11:16:16 UTC 2015
Package: libtool
Version: 2.4.2-1.11
Severity: grave
Tags: security upstream
Forwarded: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=21951
Justification: user security hole
I've just reported the following bug upstream:
The libtoolize behavior depends on parent directories, which is
a security issue (in addition to surprising behavior) because
files may belong to other users, e.g. if the build is done in
some /tmp subdirectory. I don't know what the other users can
do exactly (in addition to making a build fail), though...
FYI, there was some confusion because we got errors like:
zimmerma at tarte:/tmp/mpfr$ ./autogen.sh
autoreconf: Entering directory `.'
autoreconf: configure.ac: not using Gettext
autoreconf: running: aclocal --force --warnings=all -I m4
autoreconf: configure.ac: tracing
autoreconf: running: libtoolize --copy --force
libtoolize: putting macros in AC_CONFIG_MACRO_DIR, `m4'.
libtoolize: copying file `m4/libtool.m4'
libtoolize: copying file `m4/ltoptions.m4'
libtoolize: copying file `m4/ltsugar.m4'
libtoolize: copying file `m4/ltversion.m4'
libtoolize: copying file `m4/lt~obsolete.m4'
autoreconf: running: /usr/bin/autoconf --force --warnings=all
autoreconf: configure.ac: not using Autoheader
autoreconf: running: automake --add-missing --copy --force-missing --warnings=all
configure.ac:275: installing './ar-lib'
configure.ac:270: installing './compile'
configure.ac:55: installing './config.guess'
configure.ac:55: installing './config.sub'
configure.ac:35: installing './install-sh'
configure.ac:486: error: required file './ltmain.sh' not found
[...]
After doing a diff of the libtoolize trace (sh -x ...) between
two different machines, I saw:
+ test -f ./install-sh
+ test -f ./install.sh
+ test -f ../install-sh
+ test -f ../install.sh
-+ auxdir=..
-+ break
-+ test -n ..
++ test -f ../../install-sh
++ test -f ../../install.sh
++ test -n
++ auxdir=.
which was the cause of the error.
-- System Information:
Debian Release: stretch/sid
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 4.2.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=POSIX, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages libtool depends on:
ii autotools-dev 20150820.1
ii clang-3.4 [c-compiler] 1:3.4.2-16
ii clang-3.5 [c-compiler] 1:3.5.2-3
ii clang-3.6 [c-compiler] 1:3.6.2-3
ii clang-3.7 [c-compiler] 1:3.7-4
ii clang-3.8 [c-compiler] 1:3.8~svn250696-1
ii cpp 4:5.2.1-4
ii file 1:5.25-2
ii gcc [c-compiler] 4:5.2.1-4
ii gcc-4.6 [c-compiler] 4.6.4-7
ii gcc-4.8 [c-compiler] 4.8.5-1
ii gcc-4.9 [c-compiler] 4.9.3-5
ii gcc-5 [c-compiler] 5.2.1-23
ii libc6-dev [libc-dev] 2.19-22
Versions of packages libtool recommends:
ii libltdl-dev 2.4.2-1.11
Versions of packages libtool suggests:
ii autoconf 2.69-9+local1
ii automake [automaken] 1:1.15-3
pn gcj-jdk <none>
pn gfortran | fortran95-compiler <none>
ii libtool-doc 2.4.2-1.11
-- no debconf information
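Added example, not the reporter's code: a POSIX sh check that reproduces the parent-directory walk visible in the sh -x trace above (., .., ../.., first of install-sh/install.sh wins) and warns when the install-sh libtoolize would adopt sits in a directory that is world-writable or owned by another user, such as a /tmp subdirectory. The function names and the three-level search depth are assumptions taken from the trace, and the stat invocations assume GNU coreutils with a BSD fallback.

```shell
#!/bin/sh
# Added example (not from the bug report). Mirrors the auxdir search that the
# sh -x trace shows and audits the directory the match would be taken from.

# find_auxdir DIR: echo the relative auxdir (".", "..", "../..") that the walk
# selects when run from DIR; echo "." and return 1 if no install-sh is found.
find_auxdir() {
    dir=$1
    for rel in . .. ../..; do                       # depth taken from the trace
        if [ -f "$dir/$rel/install-sh" ] || [ -f "$dir/$rel/install.sh" ]; then
            echo "$rel"
            return 0
        fi
    done
    echo .
    return 1
}

# audit_auxdir DIR: return 0 when the auxdir is DIR itself or nothing was found,
# 1 when install-sh would be inherited from a parent directory that is
# world-writable or not owned by the current user (the /tmp case in the report).
audit_auxdir() {
    dir=$1
    rel=$(find_auxdir "$dir") || return 0           # nothing to inherit
    [ "$rel" = . ] && return 0                      # found in the build dir itself
    parent=$(cd "$dir/$rel" && pwd -P)
    me=$(id -u)
    owner=$(stat -c %u "$parent" 2>/dev/null || stat -f %u "$parent")
    mode=$(stat -c %a "$parent" 2>/dev/null || stat -f %Lp "$parent")
    others=${mode#"${mode%?}"}                      # last octal digit: "others" bits
    case $others in
        2|3|6|7) world_writable=1 ;;                # write bit set for others
        *)       world_writable=0 ;;
    esac
    if [ "$owner" != "$me" ] || [ "$world_writable" -eq 1 ]; then
        echo "WARNING: libtoolize would take install-sh from $parent" \
             "(owner uid $owner, mode $mode); auxdir would become $rel" >&2
        return 1
    fi
    return 0
}
```

Run `audit_auxdir .` from the build directory before autoreconf; a non-zero status means ltmain.sh and friends would land in a parent directory you do not control.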