Hello, Sorry for the long delay.
Pavel Raiskup <prais...@redhat.com> writes: > Ensure that nobody can cross privilege boundaries by pre-creating > symlink on '$tmpdir' path. > > Just testing 'mkdir -p' by creating '/tmp/ins$RANDOM-$$/d' is not > safe because '/tmp' directory is usually world-writeable and > '/tmp/ins$RANDOM-$$' content could be pretty easily guessed by > attacker (at least for shells where $RANDOM is not supported). > So, as the first step, create the '/tmp/ins$RANDOM-$$' without -p. > This step would fail early if somebody wanted catch us. > > Note that systems that implement (and have enabled) > fs.protected_symlinks kernel feature are not affected even without > this commit. > > References: > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=760455 > https://bugzilla.redhat.com/show_bug.cgi?id=1140725 > > * lib/install-sh: Implement safer 'mkdir -p' test by running > '$mkdirprog $mkdir_mode "$tmpdir"' first. > (scriptversion): Bump. > --- > lib/install-sh | 25 +++++++++++++++++-------- > 1 file changed, 17 insertions(+), 8 deletions(-) Applied in commit 968bf9f66e3966d1975295b97539876518ebd2a0. Thank you for the patch. -- Mathieu Lirzin GPG: F2A3 8D7E EB2B 6640 5761 070D 0ADE E100 9460 4D37