bug-m4

M4 Security Bug Report.


From: Shaun Colley
Subject: M4 Security Bug Report.
Date: Sat, 12 Jun 2004 21:35:29 +0100 (BST)

Hi,

Nice work with the M4 macro processor implementation. 
Great stuff, but I've noticed one possible issue:

When the -o option is used to output debugging/trace
information, symlinks are followed.  m4 will also
write to existing files, too.

Here's a screen shot:

---
address@hidden shaun]$ ln -s /etc/nologin /tmp/bug
address@hidden shaun]$ su 
Password: 
address@hidden shaun]# m4 -o /tmp/bug
traceon(incr)

incr(2)
3
m4exit
address@hidden shaun]# cat /etc/nologin 
m4trace: -1- incr
address@hidden shaun]# 
---

From this little experiment, we can see that m4 will
follow symlinks (including dangling symlinks) -- this
could present a security issue, should a user specify
to create a debug output file name, with a fairly
predictable filename.  I don't know about others, but
I often use world-writable directories (i.e. /tmp) when
I'm just creating output logs, or otherwise.

From my interpretation, this appears to be a symlink
vulnerability, and could easily manifest as a security
issue.  Should a malicious user create a symlink to a
sensitive system file with the intended name of the
user's (i.e. root) output file, system files could end
up being corrupted.  This isn't totally infeasible,
since users make regular use of /tmp, and usually use
traditional, predictable or generic filenames (i.e.
/tmp/log, /tmp/test, /tmp/file, etc.).  A fix would be
easy to throw in there, so fixing wouldn't be a
problem.  The cause of the problem is obviously just
lack of file checks, which probably should be
implemented, especially in fairly standard utilities
like m4.

What do you reckon?



Thank you for your time.
Shaun.
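
One way to open a debug output file so that the symlink case in the report above is refused, as an added example that is not part of the original message and not GNU m4's own code. The helper name `open_trace_file` and the temporary paths are hypothetical; note that this version also refuses to write to existing files.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* for mkdtemp() and O_NOFOLLOW on older libcs */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not from m4). Returns an fd, or -1 with errno set.
 * O_EXCL with O_CREAT: fail if the name already exists; a symlink at that
 *   name counts as existing, even when it dangles, and is not followed.
 * O_NOFOLLOW: states the intent explicitly for the final path component.
 * Mode 0600: a trace log is not created readable by other users. */
int open_trace_file(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed scenario mirroring the report: a dangling symlink sits at
 * the output name inside a private scratch directory.
 * Returns 0 when the open is refused and the link target was not created,
 * 1 when the link was followed, -1 on setup failure. */
int symlink_case_refused(void)
{
    char dir[] = "/tmp/trace-demo-XXXXXX";
    char target[64], lnk[64];
    struct stat st;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(lnk, sizeof lnk, "%s/bug", dir);
    if (symlink(target, lnk) != 0) {
        rmdir(dir);
        return -1;
    }

    int fd = open_trace_file(lnk);
    int target_created = (stat(target, &st) == 0);

    if (fd >= 0)
        close(fd);
    unlink(lnk);
    unlink(target);
    rmdir(dir);
    return (fd == -1 && !target_created) ? 0 : 1;
}
```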


        
        
                



