On Sat, Jun 20, 2015 at 05:04:03PM +0200, Jakub Wilk wrote:
> pbuilder builds the package in $BUILDPLACE/tmp/buildd. But $BUILDPLACE/tmp
> is normally world-writable, and pbuilder doesn't fail if the buildd directory
> already exists:
> 
>    mkdir -p "$BUILDPLACE/tmp/buildd"
> 
> There's a race window between unpacking base.tgz and the mkdir call when
> malicious local user could create their own $BUILDPLACE/tmp/buildd. Owning
> the buildd directory would let them tamper with the build process.
> 
> Alternatively, the attacker could exploit #789401 to plant tmp/buildd
> directly in base.tgz.

I think I'm going to solve both this and #789401 by making /tmp/buildd
configurable (so people wanting /tmp/buildd can still have it) and defaulting
to another place, maybe the one used by sbuild (/buildd iirc)

Does this sound sane enough?

-- 
regards,
                        Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18  4D18 4B04 3FCD B944 4540         .''`.
more about me:  http://mapreri.org                                 : :'  :
Launchpad user: https://launchpad.net/~mapreri                     `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia     `-
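As an added illustration of the defensive point raised in the report (not pbuilder's own code), this helper creates the build directory with a plain mkdir instead of mkdir -p, so that a directory or symlink someone has already planted at the path is refused rather than silently reused. The path layout $BUILDPLACE/tmp/buildd comes from the report; the function name, the optional second argument that makes the relative location configurable, and the post-creation ownership check are this example's own additions.

```shell
# Example helper, not from pbuilder: create the buildd directory such that a
# pre-existing entry at the path (planted in a world-writable tmp, or shipped
# inside base.tgz) is an error instead of being adopted as our build dir.
#
# Usage: safe_mkdir_buildd "$BUILDPLACE" [relative-path]
# The relative path defaults to tmp/buildd as in the report; passing something
# else is how a configurable location (the fix discussed above) would be wired in.
safe_mkdir_buildd() {
    buildplace="$1"
    rel="${2:-tmp/buildd}"
    dir="$buildplace/$rel"

    # Plain mkdir (no -p) fails with EEXIST if *anything* already sits at the
    # path, including a dangling symlink.  mkdir -p would return success here
    # and the build would proceed inside a directory we did not create.
    if ! mkdir -m 0755 "$dir" 2>/dev/null; then
        echo "refusing to reuse existing $dir" >&2
        return 1
    fi

    # Belt and braces for parents that lack the sticky bit: confirm the entry
    # we are about to build in is a real directory and is owned by our uid.
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "$dir is not a plain directory" >&2
        return 1
    fi
    if [ ! -O "$dir" ]; then
        echo "$dir is not owned by uid $(id -u)" >&2
        return 1
    fi
    return 0
}
```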
