Here's a patch that I wrote to address that security "hole" in config.guess. I sent it to [EMAIL PROTECTED] on June 4, 2002 but have not heard from them since. The patch works with GNU config.guess 2002-05-29, available at ftp://ftp.gnu.org/pub/gnu/config/config.guess
The patch tries to ensure that config.guess will only produce non-existent dummy filenames. It generates dummy filenames by checking the existence of dummy-$$-n and dummy-$$-n.{c,o,rel,s}, where n=1 and keeps incrementing, until no such files exist. This doesn't necessarily prevent the symlink attack, but I believe it'll harden config.guess significantly. Also, I used this method instead of generating a random hash value because I think we can't assume that config.guess will always run on hosts with md5sum or cksum available.

I'm not an expert at portable Bourne shell scripting, and there may be other issues with the patch, so if possible, please let me know what you think.

Thank you.
Lawrence

--
Lawrence Teo
lcteo at uncc dot edu
http://www.coe.uncc.edu/~lcteo
config-symlink.diff.gz
Description: application/gzip
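
The name search described in the message, and the check-to-use gap it leaves open, as an added example that is not the patch's code or part of the original message. `next_free_dummy` repeats the existence-check loop; `make_private_dir` shows atomic creation with `mkdir` under `umask 077` as one way to close the gap. Both function names and the demo paths are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the patch's code; function names are hypothetical.
# Plain POSIX sh.

# next_free_dummy DIR PREFIX: the search the post describes. Try PREFIX-1,
# PREFIX-2, ... until neither the bare name nor a .c/.o/.rel/.s variant
# exists. Nothing is created, so the name can still be taken (for example by
# a symlink) between this check and the later write.
next_free_dummy() {
    dir=$1 prefix=$2 n=1
    while :; do
        taken=no
        for ext in "" .c .o .rel .s; do
            f=$dir/$prefix-$n$ext
            # -h catches dangling symlinks, which -e reports as absent.
            if [ -e "$f" ] || [ -h "$f" ]; then taken=yes; break; fi
        done
        [ "$taken" = no ] && break
        n=`expr $n + 1`
    done
    echo "$prefix-$n"
}

# make_private_dir DIR PREFIX: closes the check-to-use gap. mkdir creates the
# directory and fails if the name already exists (file, directory or
# symlink) in one atomic step; umask 077 keeps other users out of it.
make_private_dir() {
    dir=$1 prefix=$2 n=1
    while [ "$n" -le 100 ]; do
        d=$dir/$prefix-$n
        if (umask 077 && mkdir "$d") 2>/dev/null; then
            echo "$d"
            return 0
        fi
        n=`expr $n + 1`
    done
    return 1
}

# Constructed demo: a planted dangling symlink occupies slot 1.
scratch=`make_private_dir "${TMPDIR:-/tmp}" "demo-$$"` || exit 1
ln -s /nonexistent "$scratch/dummy-1"
next_free_dummy "$scratch" dummy      # prints dummy-2
make_private_dir "$scratch" dummy     # prints $scratch/dummy-2
rm -rf "$scratch"
```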