The problems with temporary file security in autoconf's shell scripts
(predictable file names in /tmp, opened without O_EXCL) have been well
known for a long time, though it seems still not fixed in CVS.
AC_SYS_LONG_FILE_NAMES (acspecific.m4) has a similar but much more serious
problem: it uses a fixed file name, /tmp/conftest9012345, and does not
even attempt to remove it before overwriting it: and this hole inserts
itself into the configure scripts of otherwise properly secure packages.
Some system administrators will configure and build software as root,
without setting TMPDIR; while this is not good practice, it will be done
and need not be a security problem in itself. However, a hostile user on
such a system could simply `ln -s /etc/passwd /tmp/conftest9012345' and
wait indefinitely for the administrator to compile software (e.g. patch)
whose configure script uses AC_SYS_LONG_FILE_NAMES, with no need to guess
a file name or win a race condition.
--
Joseph S. Myers
[EMAIL PROTECTED]
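For contrast with the fixed /tmp/conftest9012345 path described above, here is an added example (not autoconf's own code) of how the same long-file-names probe can be run without leaving a symlink-planting opportunity. It assumes mktemp(1) is available; the function name ac_long_file_names_ok is a placeholder of mine.

```shell
# Added example, not autoconf's code: run the "long file names" probe inside
# a freshly created private directory instead of at a fixed /tmp path.
# Assumes mktemp(1) exists. Returns 0 when names differing only beyond the
# 14th character stay distinct, 1 when they collide, 2 when no private
# scratch directory could be obtained.
ac_long_file_names_ok() {
  # mktemp -d atomically creates a new 0700 directory under an unpredictable
  # name, so a symlink pre-planted at a known path (the attack in the report)
  # can never be what we write into.
  scratch=$(mktemp -d "${TMPDIR:-/tmp}/conftest.XXXXXX") || return 2

  # Belt and braces: never write through a symlink or into a non-directory,
  # for example if TMPDIR itself points somewhere hostile.
  if [ -L "$scratch" ] || [ ! -d "$scratch" ]; then
    return 2
  fi

  # Keep the probe files private while they exist.
  old_umask=$(umask)
  umask 077
  printf '1' > "$scratch/conftest9012345"
  printf '2' > "$scratch/conftest9012346"
  umask "$old_umask"

  # On a filesystem that truncates names to 14 characters both writes land
  # in the same file, so the first name would now read "2".
  if [ "$(cat "$scratch/conftest9012345")" = 1 ]; then
    status=0
  else
    status=1
  fi

  rm -rf "$scratch"
  return "$status"
}
```

Because the directory is created by mktemp with mode 0700 and then checked, an attacker who can write to /tmp gains nothing from guessing or pre-creating a name, which is the property the fixed-path version lacks.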