Control: tags -1 pending
Control: severity 789401 important

On Wed, Aug 05, 2015 at 01:33:43PM +0200, Jakub Wilk wrote:
> * Mattia Rizzolo <[email protected]>, 2015-08-04, 07:41:
> >>pbuilder builds the package in $BUILDPLACE/tmp/buildd. But
> >>$BUILDPLACE/tmp is normally world-writable, and pbuilder doesn't fail if
> >>the buildd directory already exists:
> >>
> >> mkdir -p "$BUILDPLACE/tmp/buildd"
> >>
> >>There's a race window between unpacking base.tgz and the mkdir call when a
> >>malicious local user could create their own $BUILDPLACE/tmp/buildd.
> >>Owning the buildd directory would let them tamper with the build
> >>process.
> >>
> >>Alternatively, the attacker could exploit #789401 to plant tmp/buildd
> >>directly in base.tgz.
> >
> >I think I'm going to solve both this and #789401 by making /tmp/buildd
> >configurable
>
> Right. Moving the build directory outside /tmp should fix this bug.
Done, by parametrizing the directory with BUILDDIR and changing the default to
/build.
I foresee angry users, since /tmp/buildd is probably used in a lot of local
scripts (hooks). Also the example hooks need updating, not to speak about
docs... → work.
> I don't see how changing it can fix #789401, though.
It would improve the situation, as a malicious local user cannot plant the
build dir any more (yes, they could still tamper with /tmp, but not with the
actual build dir, which is somewhere else).
> >and defaulting to another place, maybe the one used by sbuild (/buildd
> >iirc)
>
> It's "/build" (with a single "d").
Cool, thanks.
--
regards,
Mattia Rizzolo
GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540 .''`.
more about me: http://mapreri.org : :' :
Launchpad user: https://launchpad.net/~mapreri `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia `-
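As an added illustration of the defensive pattern the fix above relies on (this is not pbuilder's code and not part of the thread): a POSIX shell function, here called make_builddir, that creates the per-build directory without `-p`, so a directory planted ahead of time is rejected rather than silently reused, and that refuses to create it at all under a parent other users can write to, which is exactly the condition that made the $BUILDPLACE/tmp race possible. The names make_builddir and demo, and the use of a throw-away temporary directory standing in for $BUILDPLACE, are assumptions of this example.

```shell
#!/bin/sh
# Added example, not pbuilder's own code. Creates the build directory in a way
# that closes the "planted directory" race described in the bug report.

# make_builddir DIR
#   Return 0 if DIR was created fresh by this call.
#   Return 1 if DIR already exists (someone got there first) or if its parent
#   is writable by others (e.g. a world-writable /tmp), where a pre-creation
#   race could happen at all.
make_builddir() {
    dir="$1"
    parent=$(dirname "$dir")

    # POSIX find: -prune stops descent, -perm -0002 matches "writable by others".
    if [ -n "$(find "$parent" -prune -perm -0002 2>/dev/null)" ]; then
        echo "refusing: parent $parent is writable by other users" >&2
        return 1
    fi

    # No -p: mkdir fails if DIR exists, instead of adopting a directory that
    # another local user may own.
    if ! mkdir -m 0755 "$dir" 2>/dev/null; then
        echo "refusing: $dir already exists" >&2
        return 1
    fi
    return 0
}

# Demonstration on a temporary directory standing in for $BUILDPLACE (assumed,
# constructed layout): a world-writable tmp like the one in base.tgz, and the
# /build default discussed in the thread.
demo() {
    bp=$(mktemp -d)
    mkdir -m 1777 "$bp/tmp"
    make_builddir "$bp/build" && echo "created $bp/build"
    make_builddir "$bp/build" || echo "second attempt rejected: already exists"
    make_builddir "$bp/tmp/buildd" || echo "rejected: tmp is world-writable"
    rm -rf "$bp"
}

demo
```

The ownership check that pbuilder would additionally want (the created directory must belong to the building user) is implied by a successful `mkdir` here, since the caller created it; the two refusals are the cases the thread cares about.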