The build process (include.sh and friends) uses static filenames in /tmp/, among them /tmp/closure_error.log which in addition does not get removed after the build.
This may lead to issues on shared systems: although symlink attacks on build systems are not a very likely scenario, this still becomes a problem if the files already exist but belong to another user - something that happens if several users on the same host try to build that code.
Please also note that the build system does not catch or address that situation.
Please see the corresponding Debian bug [1] which also includes a patch to serve as inspiration for a solution.
Thanks, Sascha
[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=850879
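The pattern the report describes (a fixed, predictable path under /tmp that is never cleaned up) and the usual hardened alternative, as an added example that is not part of the report, the upstream build scripts or the patch in the Debian bug. The function names and the PRIVATE_LOG_PATH variable are assumptions of this example; the fix relies only on mktemp(1) and trap, which any POSIX-style build shell provides.

```sh
#!/bin/sh
# Added example (not from include.sh or the Debian patch): a static /tmp name
# next to a hardened variant that creates a private, unpredictable file and
# removes it when the build step finishes or is interrupted.

# Fragile: a fixed, predictable path. On a shared host the file may already
# exist and belong to another user, in which case the build cannot write it,
# and the script reporting the problem has no way to notice that situation.
fragile_log_path() {
    printf '%s\n' "/tmp/closure_error.log"
}

# Hardened: mktemp(1) creates a fresh file, mode 0600, whose name did not exist
# beforehand, so it can never be another user's file or a pre-placed symlink.
# TMPDIR is honoured so every user can direct builds at a private directory.
make_private_log() {
    log=$(mktemp "${TMPDIR:-/tmp}/closure_error.XXXXXX") || return 1
    PRIVATE_LOG_PATH=$log   # exported for callers that want to inspect it
    printf '%s\n' "$log"
}

# Run a command with its stderr captured to a private temp file, and remove
# that file whether the command succeeds, fails, or the shell is interrupted.
run_with_private_log() {
    log=$(make_private_log) || return 1
    PRIVATE_LOG_PATH=$log
    # Cleanup runs on normal exit and on HUP/INT/TERM, so no file is left over.
    trap 'rm -f "$log"' EXIT HUP INT TERM
    "$@" 2>"$log"
    status=$?
    if [ "$status" -ne 0 ]; then
        echo "command failed (exit $status); captured stderr follows:" >&2
        cat "$log" >&2
    fi
    rm -f "$log"
    trap - EXIT HUP INT TERM
    return "$status"
}

# Stand-alone demonstration: ./script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    run_with_private_log sh -c 'echo "simulated compiler error" >&2; exit 2'
    echo "log removed: $([ -e "$PRIVATE_LOG_PATH" ] && echo no || echo yes)"
fi
```

The essential difference is that mktemp refuses to reuse an existing name, so a collision with another user's file fails loudly instead of silently, and the trap guarantees that an aborted build does not leave a stale file that blocks the next user.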