ports/62786: [SECURITY] devel/libtool1[345]: symlink vulnerability
Oliver Eikemeier
eikemeier at fillmore-labs.com
Fri Feb 13 14:20:20 UTC 2004
>Number: 62786
>Category: ports
>Synopsis: [SECURITY] devel/libtool1[345]: symlink vulnerability
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Fri Feb 13 06:20:14 PST 2004
>Closed-Date:
>Last-Modified:
>Originator: Oliver Eikemeier
>Release: FreeBSD 4.9-STABLE i386
>Organization:
Fillmore Labs - http://www.fillmore-labs.com
>Environment:
System: FreeBSD nuuk.fillmore-labs.com 4.9-STABLE
>Description:
Stefan Nordhausen found a symlink vulnerability in libtool prior to version 1.5.2.
Libtool insecurely creates a temporary directory when a package using libtool is
being compiled.
- update libtool 1.3 to 1.3.5_2
- update libtool 1.4 to 1.4.3_3
- update libtool 1.5 to 1.5.2
- use SIZE and MASTER_SITE_GNU
Reference: <http://www.securityfocus.com/archive/1/352333>, fix from
<http://www.securityfocus.com/archive/1/352519>
>How-To-Repeat:
>Fix:
Index: devel/libtool13/Makefile
===================================================================
RCS file: /home/ncvs/ports/devel/libtool13/Makefile,v
retrieving revision 1.31
diff -u -r1.31 Makefile
--- devel/libtool13/Makefile 11 Feb 2004 19:14:57 -0000 1.31
+++ devel/libtool13/Makefile 13 Feb 2004 13:37:56 -0000
@@ -7,7 +7,7 @@
PORTNAME= libtool
PORTVERSION= 1.3.5
-PORTREVISION= 1
+PORTREVISION= 2
CATEGORIES= devel
MASTER_SITES= ${MASTER_SITE_GNU}
MASTER_SITE_SUBDIR= libtool
Index: devel/libtool13/distinfo
===================================================================
RCS file: /home/ncvs/ports/devel/libtool13/distinfo,v
retrieving revision 1.5
diff -u -r1.5 distinfo
--- devel/libtool13/distinfo 26 Jun 2003 22:58:24 -0000 1.5
+++ devel/libtool13/distinfo 13 Feb 2004 13:47:21 -0000
@@ -1 +1,2 @@
MD5 (libtool-1.3.5.tar.gz) = fa26a07c978ad05d1f88ed7a472daa49
+SIZE (libtool-1.3.5.tar.gz) = 538884
Index: devel/libtool13/files/patch-ad
===================================================================
RCS file: /home/ncvs/ports/devel/libtool13/files/patch-ad,v
retrieving revision 1.9
diff -u -r1.9 patch-ad
--- devel/libtool13/files/patch-ad 26 Jun 2003 22:58:24 -0000 1.9
+++ devel/libtool13/files/patch-ad 13 Feb 2004 13:37:27 -0000
@@ -1,5 +1,5 @@
--- ltmain.sh.orig Sat May 27 07:15:01 2000
-+++ ltmain.sh Fri Dec 13 23:50:12 2002
++++ ltmain.sh Fri Feb 13 14:36:07 2004
@@ -23,6 +23,9 @@
# configuration script generated by Autoconf, you may include it under
# the same distribution terms that you use for the rest of that program.
@@ -234,3 +234,17 @@
finalize=no
fi
done
+@@ -3463,8 +3573,12 @@
+ tmpdir="/tmp"
+ test -n "$TMPDIR" && tmpdir="$TMPDIR"
+ tmpdir="$tmpdir/libtool-$$"
+- if $mkdir -p "$tmpdir" && chmod 700 "$tmpdir"; then :
++ save_umask=`umask`
++ umask 0077
++ if $mkdir "$tmpdir"; then
++ umask $save_umask
+ else
++ umask $save_umask
+ $echo "$modename: error: cannot create temporary directory \`$tmpdir'" 1>&2
+ continue
+ fi
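Review bot: The added block still derives the directory name from `$tmpdir/libtool-$$`, which is predictable. Dropping `-p` and creating under `umask 0077` closes the symlink and pre-existing-directory problem, but any existing entry with that name now makes `$mkdir` fail and sends control to the `continue` branch, so the current item is skipped. Where mktemp(1) is available, as it is on FreeBSD, creating the directory with `mktemp -d "$tmpdir/libtool-XXXXXX"` would remove the name collision as well. It would also help to add a comment such as `# no -p: mkdir must fail if the path already exists` so a later edit does not restore the old form. The same code is added in devel/libtool14/files/patch-ad, and the enclosing loop in ltmain.sh lies outside the hunk.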
Index: devel/libtool14/Makefile
===================================================================
RCS file: /home/ncvs/ports/devel/libtool14/Makefile,v
retrieving revision 1.33
diff -u -r1.33 Makefile
--- devel/libtool14/Makefile 11 Feb 2004 19:14:57 -0000 1.33
+++ devel/libtool14/Makefile 13 Feb 2004 13:44:06 -0000
@@ -7,7 +7,7 @@
PORTNAME?= libtool
PORTVERSION= 1.4.3
-PORTREVISION?= 2
+PORTREVISION?= 3
CATEGORIES= devel
#MASTER_SITES= ${MASTER_SITE_GNU}
#MASTER_SITE_SUBDIR= libtool
Index: devel/libtool14/distinfo
===================================================================
RCS file: /home/ncvs/ports/devel/libtool14/distinfo,v
retrieving revision 1.5
diff -u -r1.5 distinfo
--- devel/libtool14/distinfo 26 Jun 2003 22:58:24 -0000 1.5
+++ devel/libtool14/distinfo 13 Feb 2004 13:47:09 -0000
@@ -1 +1,2 @@
MD5 (libtool-1.4.3.tar.gz) = d11a3c835449d7fa50a025dc9c01ad81
+SIZE (libtool-1.4.3.tar.gz) = 1164463
Index: devel/libtool14/files/patch-ad
===================================================================
RCS file: /home/ncvs/ports/devel/libtool14/files/patch-ad,v
retrieving revision 1.9
diff -u -r1.9 patch-ad
--- devel/libtool14/files/patch-ad 26 Jun 2003 22:58:25 -0000 1.9
+++ devel/libtool14/files/patch-ad 13 Feb 2004 13:43:44 -0000
@@ -2,7 +2,7 @@
$FreeBSD: ports/devel/libtool14/files/patch-ad,v 1.9 2003/06/26 22:58:25 ade Exp $
--- ltmain.sh.orig Mon Sep 10 22:33:26 2001
-+++ ltmain.sh Wed Jan 23 16:39:22 2002
++++ ltmain.sh Fri Feb 13 14:41:25 2004
@@ -1062,6 +1062,12 @@
-module)
@@ -48,3 +48,17 @@
# Maybe install the static library, too.
test -n "$old_library" && staticlibs="$staticlibs $dir/$old_library"
+@@ -4414,8 +4414,12 @@
+ tmpdir="/tmp"
+ test -n "$TMPDIR" && tmpdir="$TMPDIR"
+ tmpdir="$tmpdir/libtool-$$"
+- if $mkdir -p "$tmpdir" && chmod 700 "$tmpdir"; then :
++ save_umask=`umask`
++ umask 0077
++ if $mkdir "$tmpdir"; then
++ umask $save_umask
+ else
++ umask $save_umask
+ $echo "$modename: error: cannot create temporary directory \`$tmpdir'" 1>&2
+ continue
+ fi
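Review bot: The added inner hunk header `@@ -4414,8 +4414,12 @@` gives the same start line for the old and new ltmain.sh, although the earlier hunk in this patch file (`@@ -1062,6 +1062,12 @@`) already adds six lines, so the header looks appended by hand rather than regenerated. patch(1) locates hunks from the old-side position and context, so this will probably still apply. Even so, it is worth regenerating patch-ad with `diff -u ltmain.sh.orig ltmain.sh` and confirming that the port's patch stage reports no offset or fuzz. A hunk that silently failed to apply would leave the `$mkdir -p … && chmod 700` line in the installed script.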
Index: devel/libtool15/Makefile
===================================================================
RCS file: /home/ncvs/ports/devel/libtool15/Makefile,v
retrieving revision 1.33
diff -u -r1.33 Makefile
--- devel/libtool15/Makefile 11 Feb 2004 19:14:58 -0000 1.33
+++ devel/libtool15/Makefile 13 Feb 2004 14:04:46 -0000
@@ -6,13 +6,11 @@
#
PORTNAME?= libtool
-PORTVERSION= 1.5
+PORTVERSION= 1.5.2
PORTREVISION?= 0
CATEGORIES= devel
-#MASTER_SITES= ${MASTER_SITE_GNU}
-#MASTER_SITE_SUBDIR= libtool
-MASTER_SITES= ${MASTER_SITE_LOCAL}
-MASTER_SITE_SUBDIR= ade/gnu
+MASTER_SITES= ${MASTER_SITE_GNU}
+MASTER_SITE_SUBDIR= libtool
DISTNAME= libtool-${PORTVERSION}
MAINTAINER= ade at FreeBSD.org
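Review bot: `MASTER_SITES` now points at `${MASTER_SITE_GNU}` instead of `${MASTER_SITE_LOCAL}`, so the 1.5.2 tarball is fetched from the public GNU mirror set and its integrity rests only on the `MD5` and `SIZE` entries in distinfo. For a security update, the PR should record how the new checksum was obtained, for example by checking it against the upstream release announcement or signature. A stronger digest line could also be added to distinfo if the ports framework in use accepts one. The Makefile continues outside the hunk.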
Index: devel/libtool15/distinfo
===================================================================
RCS file: /home/ncvs/ports/devel/libtool15/distinfo,v
retrieving revision 1.6
diff -u -r1.6 distinfo
--- devel/libtool15/distinfo 2 Jul 2003 18:26:53 -0000 1.6
+++ devel/libtool15/distinfo 13 Feb 2004 13:46:50 -0000
@@ -1 +1,2 @@
-MD5 (libtool-1.5.tar.gz) = 0e1844f25e2ad74c3715b5776d017545
+MD5 (libtool-1.5.2.tar.gz) = db66ba05502f533ad0cfd84dc0e03bd5
+SIZE (libtool-1.5.2.tar.gz) = 2653072
Index: devel/libtool15/files/patch-ab
===================================================================
RCS file: /home/ncvs/ports/devel/libtool15/files/patch-ab,v
retrieving revision 1.5
diff -u -r1.5 patch-ab
--- devel/libtool15/files/patch-ab 2 Jul 2003 18:26:53 -0000 1.5
+++ devel/libtool15/files/patch-ab 13 Feb 2004 13:57:57 -0000
@@ -1,54 +1,86 @@
---- doc/Makefile.in.orig Mon Apr 14 17:29:22 2003
-+++ doc/Makefile.in Fri Apr 18 20:22:58 2003
-@@ -93,3 +93,3 @@
- LTLIBOBJS = @LTLIBOBJS@
--MAKEINFO = @MAKEINFO@
-+MAKEINFO = @MAKEINFO@ --no-split
- NM = @NM@
-@@ -160,4 +160,4 @@
- AUTOMAKE_OPTIONS = gnits
--info_TEXINFOS = libtool.texi
--libtool_TEXINFOS = PLATFORMS fdl.texi
-+info_TEXINFOS = libtool15.texi
-+libtool15_TEXINFOS = PLATFORMS fdl.texi
+--- doc/Makefile.in.orig Sun Jan 25 13:36:36 2004
++++ doc/Makefile.in Fri Feb 13 14:57:56 2004
+@@ -34,7 +34,7 @@
+ POST_UNINSTALL = :
+ host_triplet = @host@
subdir = doc
-@@ -167,8 +167,8 @@
+-DIST_COMMON = $(libtool_TEXINFOS) $(srcdir)/Makefile.am \
++DIST_COMMON = $(libtool15_TEXINFOS) $(srcdir)/Makefile.am \
+ $(srcdir)/Makefile.in $(srcdir)/stamp-vti \
+ $(srcdir)/version.texi mdate-sh texinfo.tex
+ ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+@@ -46,13 +46,13 @@
+ CONFIG_CLEAN_FILES =
+ SOURCES =
+ DIST_SOURCES =
+-INFO_DEPS = $(srcdir)/libtool.info
++INFO_DEPS = $(srcdir)/libtool15.info
am__TEXINFO_TEX_DIR = $(srcdir)
--INFO_DEPS = libtool.info
-DVIS = libtool.dvi
-PDFS = libtool.pdf
-PSS = libtool.ps
+-HTMLS = libtool.html
-TEXINFOS = libtool.texi
--DIST_COMMON = $(libtool_TEXINFOS) Makefile.am Makefile.in mdate-sh \
-+INFO_DEPS = libtool15.info
+DVIS = libtool15.dvi
+PDFS = libtool15.pdf
+PSS = libtool15.ps
++HTMLS = libtool15.html
+TEXINFOS = libtool15.texi
-+DIST_COMMON = $(libtool15_TEXINFOS) Makefile.am Makefile.in mdate-sh \
- stamp-vti texinfo.tex version.texi
-@@ -207,9 +207,9 @@
- $(TEXI2PDF) `test -f '$<' || echo '$(srcdir)/'`$<
--libtool.info: libtool.texi version.texi $(libtool_TEXINFOS)
--libtool.dvi: libtool.texi version.texi $(libtool_TEXINFOS)
--libtool.pdf: libtool.texi version.texi $(libtool_TEXINFOS)
-+libtool15.info: libtool15.texi version.texi $(libtool15_TEXINFOS)
-+libtool15.dvi: libtool15.texi version.texi $(libtool15_TEXINFOS)
-+libtool15.pdf: libtool15.texi version.texi $(libtool15_TEXINFOS)
- version.texi: stamp-vti
--stamp-vti: libtool.texi $(top_srcdir)/configure
+ TEXI2DVI = texi2dvi
+ TEXI2PDF = $(TEXI2DVI) --pdf --batch
+ MAKEINFOHTML = $(MAKEINFO) --html
+@@ -116,7 +116,7 @@
+ LIBTOOL = @LIBTOOL@
+ LN_S = @LN_S@
+ LTLIBOBJS = @LTLIBOBJS@
+-MAKEINFO = @MAKEINFO@
++MAKEINFO = @MAKEINFO@ --no-split
+ NM = @NM@
+ OBJDUMP = @OBJDUMP@
+ OBJEXT = @OBJEXT@
+@@ -183,8 +183,8 @@
+ sysconfdir = @sysconfdir@
+ target_alias = @target_alias@
+ AUTOMAKE_OPTIONS = gnits
+-info_TEXINFOS = libtool.texi
+-libtool_TEXINFOS = PLATFORMS fdl.texi
++info_TEXINFOS = libtool15.texi
++libtool15_TEXINFOS = PLATFORMS fdl.texi
+ all: all-am
+
+ .SUFFIXES:
+@@ -268,14 +268,14 @@
+ -o $@ $<
+ if test ! -d $@ && test -d $(@:.html=); then \
+ mv $(@:.html=) $@; else :; fi
+-$(srcdir)/libtool.info: libtool.texi $(srcdir)/version.texi $(libtool_TEXINFOS)
+-libtool.dvi: libtool.texi $(srcdir)/version.texi $(libtool_TEXINFOS)
+-libtool.pdf: libtool.texi $(srcdir)/version.texi $(libtool_TEXINFOS)
+-libtool.html: libtool.texi $(srcdir)/version.texi $(libtool_TEXINFOS)
++$(srcdir)/libtool15.info: libtool15.texi $(srcdir)/version.texi $(libtool15_TEXINFOS)
++libtool15.dvi: libtool15.texi $(srcdir)/version.texi $(libtool15_TEXINFOS)
++libtool15.pdf: libtool15.texi $(srcdir)/version.texi $(libtool15_TEXINFOS)
++libtool15.html: libtool15.texi $(srcdir)/version.texi $(libtool15_TEXINFOS)
+ $(srcdir)/version.texi: $(srcdir)/stamp-vti
+-$(srcdir)/stamp-vti: libtool.texi $(top_srcdir)/configure
- @(dir=.; test -f ./libtool.texi || dir=$(srcdir); \
- set `$(SHELL) $(srcdir)/mdate-sh $$dir/libtool.texi`; \
-+stamp-vti: libtool15.texi $(top_srcdir)/configure
++$(srcdir)/stamp-vti: libtool15.texi $(top_srcdir)/configure
+ @(dir=.; test -f ./libtool15.texi || dir=$(srcdir); \
+ set `$(SHELL) $(srcdir)/mdate-sh $$dir/libtool15.texi`; \
echo "@set UPDATED $$1 $$2 $$3"; \
-@@ -270,5 +270,5 @@
+ echo "@set UPDATED-MONTH $$2 $$3"; \
+ echo "@set EDITION $(VERSION)"; \
+@@ -332,9 +332,9 @@
+ done
+
mostlyclean-aminfo:
-- -rm -f libtool.aux libtool.cp libtool.cps libtool.fn libtool.ky libtool.kys \
+- -rm -rf libtool.aux libtool.cp libtool.cps libtool.fn libtool.ky libtool.kys \
- libtool.log libtool.pg libtool.tmp libtool.toc libtool.tp \
-- libtool.vr libtool.dvi libtool.pdf libtool.ps
-+ -rm -f libtool15.aux libtool15.cp libtool15.cps libtool15.fn libtool15.ky libtool15.kys \
+- libtool.vr libtool.dvi libtool.pdf libtool.ps libtool.html
++ -rm -rf libtool15.aux libtool15.cp libtool15.cps libtool15.fn libtool15.ky libtool15.kys \
+ libtool15.log libtool15.pg libtool15.tmp libtool15.toc libtool15.tp \
-+ libtool15.vr libtool15.dvi libtool15.pdf libtool15.ps
++ libtool15.vr libtool15.dvi libtool15.pdf libtool15.ps libtool15.html
+ maintainer-clean-aminfo:
+ @list='$(INFO_DEPS)'; for i in $$list; do \
>Release-Note:
>Audit-Trail:
>Unformatted: