Correction:
* Jakub Wilk <[email protected]>, 2015-06-20, 17:04:
pbuilder builds the package in $BUILDPLACE/tmp/buildd. But
$BUILDPLACE/tmp is normally world-writable, and pbuilder doesn't fail
if the buildd directory already exists:

    mkdir -p "$BUILDPLACE/tmp/buildd"

There's a race window between unpacking base.tgz and the mkdir call
when a malicious local user could create their own
$BUILDPLACE/tmp/buildd.

As Mattia correctly noted in another mail, tmp/buildd is stored in the
tarball, so (assuming that tar unpacks it securely...) there's no race
window when you build a package.

Alternatively, the attacker could exploit #789401 to plant tmp/buildd
directly in base.tgz.

There's plenty of time for an attacker at bootstrap time, though. :)
--
Jakub Wilk
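
The `mkdir -p` behaviour described in the message above, next to a creation step that refuses a pre-existing directory. This is an added example, not part of the original mail and not pbuilder's code or its fix; the function names and the throwaway `BUILDPLACE` tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration. BUILDPLACE below is a temp directory, not a real chroot.

# Pattern quoted in the report: "mkdir -p" returns success even when the
# directory already exists, so the caller cannot tell who created it.
create_builddir_permissive() {
    mkdir -p "$1/tmp/buildd"
}

# Stricter variant (hypothetical helper): plain mkdir fails with EEXIST if
# the name is already taken, including by a symlink, so a directory that
# appeared before this call is detected instead of silently reused.
create_builddir_strict() {
    dir="$1/tmp/buildd"
    if ! mkdir "$dir" 2>/dev/null; then
        echo "refusing pre-existing $dir" >&2
        return 1
    fi
    # Belt and braces: the new entry must be a real directory we own.
    [ -d "$dir" ] && [ ! -L "$dir" ] && [ -O "$dir" ]
}

# Walk through both cases on a constructed tree and report the outcome.
run_demo() {
    BUILDPLACE=$(mktemp -d) || return 1
    mkdir "$BUILDPLACE/tmp" && chmod 1777 "$BUILDPLACE/tmp"
    # Constructed stand-in for a directory that some other local user
    # created in the world-writable tmp before the build step ran.
    mkdir "$BUILDPLACE/tmp/buildd"

    create_builddir_permissive "$BUILDPLACE" && echo "mkdir -p: accepted existing dir"
    create_builddir_strict "$BUILDPLACE" 2>/dev/null || echo "plain mkdir: rejected existing dir"

    # With nothing in the way, the strict variant succeeds.
    rmdir "$BUILDPLACE/tmp/buildd"
    create_builddir_strict "$BUILDPLACE" && echo "plain mkdir: created fresh dir"
    rm -rf "$BUILDPLACE"
}

run_demo
```

The strict variant only covers the creation step; as the message notes, a directory shipped inside base.tgz is a separate path and is not caught by this check.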