Report forwarded to debian-devel@lists.debian.org, David Engel <david@ods.com>:
Bug#5298; Package gcc.
Sorry, this message was lost when this bug report was restored from a backup.

Acknowledgement sent to Marek Michalkiewicz <marekm@i17linuxb.ists.pwr.wroc.pl>:
New bug report received and forwarded. Copy sent to David Engel <david@ods.com>.

Received: (at submit) by bugs.debian.org; 6 Nov 1996 21:38:40 +0000
Received: (qmail 13807 invoked from smtpd); 6 Nov 1996 21:38:34 -0000
Received: from i17linuxb.ists.pwr.wroc.pl (marekm@156.17.35.8) by master.debian.org with SMTP; 6 Nov 1996 21:38:30 -0000
Received: (from marekm@localhost) by i17linuxb.ists.pwr.wroc.pl (8.7.6/8.7.3) id WAA21071 for submit@bugs.debian.org; Wed, 6 Nov 1996 22:25:29 +0100
From: Marek Michalkiewicz
Message-Id: <199611062125.WAA21071@i17linuxb.ists.pwr.wroc.pl>
Subject: gcc and /tmp security
To: submit@bugs.debian.org
Date: Wed, 6 Nov 1996 22:25:28 +0100 (MET)
X-Mailer: ELM [version 2.4 PL25 PGP2]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

Package: gcc
Version: 2.7.2.1-1

gcc creates its temporary files in $TMPDIR (default /tmp) and - guess what? - doesn't use the O_EXCL open() flag! (verified using strace) Any user can overwrite files owned by any other user who is running gcc (including root, so don't do that!) by creating symlinks in /tmp.

Quick workaround: set $TMPDIR to point to some non-world-writable directory (under $HOME).

This really should be fixed upstream (the problem is not Linux-specific) but maybe we can do it faster...

Marek

Information forwarded to debian-bugs-dist@lists.debian.org, Galen Hazelwood <galenh@micron.net>:
Bug#5298; Package gcc.

Acknowledgement sent to rjs@lloke.dna.fi (Riku Saikkonen):
Extra info received and forwarded to list. Copy sent to Galen Hazelwood <galenh@micron.net>.

Received: (at 5298) by bugs.debian.org; 13 Jul 1997 13:19:40 +0000
Received: (qmail 12247 invoked from network); 13 Jul 1997 13:19:30 -0000
Received: from isil.lloke.dna.fi (rjs@194.100.32.225) by master.debian.org with SMTP; 13 Jul 1997 13:19:12 -0000
Received: (from rjs@localhost) by isil.lloke.dna.fi (8.7.6/8.7.3) id QAA10658; Sun, 13 Jul 1997 16:18:43 +0300
Date: Sun, 13 Jul 1997 16:18:43 +0300
Message-Id: <199707131318.QAA10658@isil.lloke.dna.fi>
From: rjs@lloke.dna.fi (Riku Saikkonen)
To: 5298@bugs.debian.org
Subject: A serious old gcc security bug

This bug seems to still exist in gcc 2.7.2.1-8.

A simple way to check for the bug is to execute "strace -eopen -f gcc -c foo.c" where foo.c is a zero-length file. The open()s of /tmp/something.[is] specify O_WRONLY|O_CREAT|O_TRUNC with no O_EXCL, which is the bug.

I think this is a rather serious security hole, and am surprised that there has been no discussion about it. Is there something I'm missing?

Temporary fixes are to set TMPDIR to some non-world-writable directory before one runs gcc, or to always run gcc with the -pipe flag (which doesn't create the temporary files).

The real fix is to hunt for the open() of the temporary file in the gcc (and/or cpp and gas, I presume) source, and change O_TRUNC to O_EXCL (naturally, the open() may be hidden in a library call like fopen()).

-- 
-=- Rjs -=- rjs@spider.compart.fi, rjs@lloke.dna.fi

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#5298; Package gcc.

Acknowledgement sent to Galen Hazelwood <galenh@micron.net>:
Extra info received and forwarded to list.

Received: (at 5298) by bugs.debian.org; 13 Jul 1997 18:55:11 +0000
Received: (qmail 17112 invoked from network); 13 Jul 1997 18:55:09 -0000
Received: from mailmx.micron.net (198.60.253.39) by master.debian.org with SMTP; 13 Jul 1997 18:55:07 -0000
Received: from xerxes (cnam032p11.nam.micron.net [207.70.7.130]) by mailmx.micron.net (8.8.5/8.8.5) with ESMTP id MAA13354; Sun, 13 Jul 1997 12:54:27 -0600 (MDT)
Sender: galen@micron.net
Message-ID: <33C923E9.BA9EE46A@micron.net>
Date: Sun, 13 Jul 1997 12:52:26 -0600
From: Galen Hazelwood
X-Mailer: Mozilla 4.0b5C (X11; I; Linux 2.0.30 i586)
MIME-Version: 1.0
To: Riku Saikkonen, 5298@bugs.debian.org
Subject: Re: Bug#5298: A serious old gcc security bug
X-Priority: 3 (Normal)
References: <199707131318.QAA10658@isil.lloke.dna.fi>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Riku Saikkonen wrote:
>
> This bug seems to still exist in gcc 2.7.2.1-8.
>
> A simple way to check for the bug is to execute "strace -eopen -f gcc -c
> foo.c" where foo.c is a zero-length file. The open()s of /tmp/something.[is]
> specify O_WRONLY|O_CREAT|O_TRUNC with no O_EXCL, which is the bug.
>
> I think this is a rather serious security hole, and am surprised that there
> has been no discussion about it. Is there something I'm missing?

Nobody understood the bug report, least of all me. Since I couldn't understand it, but couldn't close it, I ignored it. Thanks for pointing me to exactly where the problem lies.

Unfortunately, I really can't fix this one for stable. It will, however, be integrated into 2.7.2.2-7 or 2.8.0-1, whichever comes first.

--Galen
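The two open() flag sets discussed in this thread, the O_WRONLY|O_CREAT|O_TRUNC pattern Riku Saikkonen found with strace and the O_CREAT|O_EXCL form he proposes as the fix, can be compared side by side in a small self-test. The C program below is an added example written for this page; it is not code from gcc, from the bug report, or from any of its participants. It builds a private directory with mkdtemp(), creates its own "victim" file there, plants a symlink at a compiler-style temporary name (the names bug5298-demo-XXXXXX, victim.txt and cc12345.i are constructed for the example), and then shows that the truncating open follows the symlink while the O_EXCL open is refused with EEXIST. No file outside that private directory is touched.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE   /* mkdtemp(), symlink() prototypes on glibc */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* The open() pattern the report found with strace: create-or-truncate,
 * no O_EXCL, so a symlink already sitting at the name is followed. */
int open_tmp_unsafe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* The fix the report asks for: O_CREAT|O_EXCL fails with EEXIST if anything
 * (a regular file or a symlink, wherever it points) already has that name. */
int open_tmp_safe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Outcome of the self-test below. */
struct demo_result {
    int  unsafe_open_succeeded; /* 1: the O_TRUNC open went through the symlink */
    long victim_size_after;     /* victim's size after it; 0 means it was truncated */
    int  safe_open_errno;       /* errno from the O_EXCL open; expected EEXIST */
};

/* Runs both opens against a pre-planted symlink inside a private mkdtemp()
 * directory (constructed names, our own files). Returns 0 on success,
 * -1 if the setup itself failed. */
int run_demo(struct demo_result *out)
{
    const char *base = getenv("TMPDIR");
    char dir[256], victim[256], tmpname[256];
    struct stat st;
    int fd;

    memset(out, 0, sizeof *out);
    if (base == NULL)
        base = "/tmp";
    snprintf(dir, sizeof dir, "%s/bug5298-demo-XXXXXX", base); /* mode 0700 */
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(victim, sizeof victim, "%s/victim.txt", dir);
    snprintf(tmpname, sizeof tmpname, "%s/cc12345.i", dir); /* compiler-style temp name */

    /* Our own "victim" file with some contents. */
    fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        goto fail;
    if (write(fd, "important data\n", 15) != 15) {
        close(fd);
        goto fail;
    }
    close(fd);

    /* Pre-plant a symlink at the temp name, pointing at the victim. */
    if (symlink(victim, tmpname) != 0)
        goto fail;

    /* 1. Reported pattern: the symlink is followed and the victim truncated. */
    fd = open_tmp_unsafe(tmpname);
    out->unsafe_open_succeeded = (fd >= 0);
    if (fd >= 0)
        close(fd);
    if (stat(victim, &st) != 0)
        goto fail;
    out->victim_size_after = (long)st.st_size;

    /* 2. Fixed pattern: the pre-existing name is refused outright. */
    errno = 0;
    fd = open_tmp_safe(tmpname);
    out->safe_open_errno = (fd < 0) ? errno : 0;
    if (fd >= 0)
        close(fd);

    unlink(tmpname);
    unlink(victim);
    rmdir(dir);
    return 0;

fail:
    unlink(tmpname);
    unlink(victim);
    rmdir(dir);
    return -1;
}

int main(void)
{
    struct demo_result r;
    if (run_demo(&r) != 0) {
        perror("setup");
        return 1;
    }
    printf("O_TRUNC open through symlink: %s, victim size now %ld\n",
           r.unsafe_open_succeeded ? "succeeded" : "failed", r.victim_size_after);
    printf("O_EXCL open on the same name: %s\n",
           r.safe_open_errno == EEXIST ? "refused with EEXIST" : "unexpected result");
    return 0;
}
```

The same O_EXCL guarantee is what mkstemp() gives a program that needs a fresh temporary file with an unpredictable name, so in new code that library call is preferable to hand-rolling the open(); where a file is opened via fopen(), as the report notes may be the case, the flags are fixed by the mode string and the call has to be replaced by open() plus fdopen() to get O_EXCL at all.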