[GHC] #15567: security of package environment files
GHC
ghc-devs at haskell.org
Sat Aug 25 19:14:51 UTC 2018
#15567: security of package environment files
-------------------------------------+-------------------------------------
Reporter: joeyhess | Owner: (none)
Type: bug | Status: new
Priority: high | Milestone: 8.6.1
Component: Compiler | Version: 8.2.2
Keywords: | Operating System: Unknown/Multiple
Architecture: | Type of failure: None/Unknown
Unknown/Multiple |
Test Case: | Blocked By:
Blocking: | Related Tickets:
Differential Rev(s): | Wiki Page:
-------------------------------------+-------------------------------------
ghc will read package environment files owned by other users than the
current user, in directories below the current directory. So using ghc in
shared directories like /tmp is now a security concern.
{{{
joey at darkstar:/tmp/test/sub>ls -l
../../.ghc.environment.x86_64-linux-8.2.2
-rw-r--r-- 1 mail mail 9 Aug 25 15:03
../../.ghc.environment.x86_64-linux-8.2.2
joey at darkstar:/tmp/test/sub>cat ../.ghc.environment.x86_64-linux-8.2.2
outdated
joey at darkstar:/tmp/test/sub>ghc --make foo
<command line>: cannot satisfy -package-id outdated
(use -v for more information)
}}}
I suppose this could at least be used to trick ghc into building against
an older version of some package that was updated with a security fix. It
might be possible to exploit in other ways, perhaps by pointing to a
backdoored build of a package?
--
Ticket URL: <http://ghc.haskell.org/trac/ghc/ticket/15567>
GHC <http://www.haskell.org/ghc/>
The Glasgow Haskell Compiler
More information about the ghc-tickets
mailing list