Hi,
Nice work with the M4 macro processor implementation.
Great stuff, but I've noticed one possible issue:
When the -o option is used to output debugging/trace
information, symlinks are followed. m4 will also
write to existing files, too.
Here's a screen shot:
---
[EMAIL PROTECTED] shaun]$ ln -s /etc/nologin /tmp/bug
[EMAIL PROTECTED] shaun]$ su
Password:
[EMAIL PROTECTED] shaun]# m4 -o /tmp/bug
traceon(incr)
incr(2)
3
m4exit
[EMAIL PROTECTED] shaun]# cat /etc/nologin
m4trace: -1- incr
[EMAIL PROTECTED] shaun]#
---
From this little experiment, we can see that m4 will
follow symlinks (including dangling symlinks) -- this
could present a security issue, should a user specify
to create a debug output file name, with a fairly
predictable filename. I don't know about others, but
I often use world-writable directories (i.e. /tmp) when
I'm just creating output logs, or otherwise.
From my interpretation, this appears to be a symlink
vulnerability, and could easily manifest as a security
issue. Should a malicious user create a symlink to a
sensitive system file with the intended name of the
user's (i.e. root) output file, system files could end
up being corrupted. This isn't totally infeasible,
since users make regular use of /tmp, and usually use
traditional, predictable or generic filenames (i.e.
/tmp/log, /tmp/test, /tmp/file, etc.). A fix would be
easy to throw in there, so fixing wouldn't be a
problem. The cause of the problem is obviously just
lack of file checks, which probably should be
implemented, especially in fairly standard utilities
like m4.
What do you reckon?
Thank you for your time.
Shaun.
_______________________________________________
Bug-m4 mailing list
[EMAIL PROTECTED]
http://lists.gnu.org/mailman/listinfo/bug-m4
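
Added example (not part of the original message, and not code from GNU m4): one way a tool could open a user-named trace file so that a symlink such as the /tmp/bug one in the report is refused rather than followed, and an existing file is reused only after it has been checked. The helper name open_trace_file and the default file name are hypothetical.

```c
/* Added example: hypothetical helper, not code from GNU m4. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open PATH for trace output without following a symlink planted at PATH.
   Returns a file descriptor, or -1 with errno set. */
int open_trace_file(const char *path)
{
    struct stat st;
    /* Preferred case: create a fresh file. O_EXCL fails with EEXIST if any
       name, including a dangling symlink, already exists at PATH. */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd >= 0 || errno != EEXIST)
        return fd;
    /* Name exists: reopen with no O_CREAT and no O_TRUNC. O_NOFOLLOW makes
       this fail if the last component is a symlink; O_NONBLOCK keeps a
       reader-less FIFO from blocking the open. */
    fd = open(path, O_WRONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0)
        return -1;
    /* Accept only a regular file we own with one link, which also rejects
       hard links to other files, FIFOs and devices. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)
        || st.st_uid != geteuid() || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    /* Only after those checks is the old content discarded. */
    if (ftruncate(fd, 0) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(int argc, char **argv)
{
    /* "m4-trace.out" is a constructed default name for this demo. */
    int fd = open_trace_file(argc > 1 ? argv[1] : "m4-trace.out");
    if (fd < 0) { perror("open_trace_file"); return EXIT_FAILURE; }
    dprintf(fd, "m4trace: -1- incr\n");
    return close(fd) == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}
```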