This is really not an issue; standard users cannot overwrite /etc/passwd.

You don't compile/install unknown software as root, do you? If so, then my
configure file says this:

    date > /etc/passwd

Sure, this could be replaced with a hashed random name, but the same
vulnerability remains.

Don't build as root?

Allan

Lawrence Teo wrote:
> I was learning Automake last night, and I think I found a security
> vulnerability. I'm not sure if this is already known, but I couldn't
> find it on Bugtraq. The security vulnerability is the insecure
> creation of temporary files in the config.guess script which leads
> to a race condition.
>
> In the config.guess script, there's a line that says:
>
>     dummy=dummy-$$
>
> And further down...
>
>     echo "int dummy(){}" > $dummy.c ;
>
> An attacker can create a number of symbolic links called
> dummy-PID.c pointing to important files like /etc/passwd. PID in
> this case would be the attacker's guesses on what the PID of the
> config.guess script will run as. If root runs ./configure in a
> source tree containing these malicious symlinks, and if the
> configure script in turn runs config.guess, the /etc/passwd file
> may potentially be overwritten with "int dummy(){}", resulting in
> a denial of service attack.
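The file-creation pattern quoted in the report, next to two hardened ways of creating the same file, as an added example that is not part of the original thread or of config.guess. The function names, the sandbox directory and the sample "victim" file are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not code from config.guess. Everything happens inside a
# throwaway sandbox; "victim" is a constructed stand-in for a sensitive file.

# Pattern quoted in the report: predictable name, plain redirection.
# The shell truncates whatever the name resolves to, following symlinks.
write_predictable() {   # $1 = build directory
    dummy="$1/dummy-$$"
    echo "int dummy(){}" > "$dummy.c"
}

# Hardened: with noclobber (set -C) the redirection fails when the name
# already exists as a regular file or as a symlink to one.
write_noclobber() {     # $1 = build directory
    dummy="$1/dummy-$$"
    ( set -C; echo "int dummy(){}" > "$dummy.c" ) 2>/dev/null
}

# Hardened: work inside a fresh mode-0700 directory with an unguessable
# name, so nothing can be planted under it beforehand.
write_private() {       # $1 = parent directory; prints the file created
    tmp=$(umask 077 && mktemp -d "$1/cg.XXXXXX") || return 1
    echo "int dummy(){}" > "$tmp/dummy.c" && echo "$tmp/dummy.c"
}

# Pre-create the symlink the report describes, run one writer, and say
# whether the victim file kept its contents.
check_writer() {        # $1 = writer function; prints intact or clobbered
    box=$(mktemp -d) || return 1
    echo "root:x:0:0" > "$box/victim"        # constructed sample content
    ln -s "$box/victim" "$box/dummy-$$.c"    # link waiting at the predictable name
    "$1" "$box" >/dev/null || true           # a refused write is the expected outcome
    if [ "$(cat "$box/victim")" = "root:x:0:0" ]; then
        r=intact
    else
        r=clobbered
    fi
    rm -rf "$box"
    echo "$r"
}

for w in write_predictable write_noclobber write_private; do
    echo "$w: $(check_writer "$w")"
done
```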