Skip site navigation (1)Skip section navigation (2) 
Date:      Sun, 10 Nov 2002 15:24:49 -0500
From:      The Anarcat <anarcat@anarcat.ath.cx>
To:        Joshua Goodall <joshua@roughtrade.net>
Cc:        jdp@freebsd.org, security@freebsd.org
Subject:   Re: Security issue in net/cvsup-mirror port
Message-ID:  <20021110202449.GA296@lenny.anarcat.ath.cx>
In-Reply-To: <20021109231151.GF33758@roughtrade.net>
References:  <20021109231151.GF33758@roughtrade.net>
next in thread | previous in thread | raw e-mail | index | archive | help 

[-- Attachment #1 --]
You are perfectly right altought I don't understand why you feel you
shouldn't file a PR for this.

Also, I suggest the following patch instead:

--- cvsupd.sh.orig      Sun Nov 10 15:19:22 2002
+++ cvsupd.sh   Sun Nov 10 15:23:08 2002
@@ -5,7 +5,7 @@
     exit 1
 fi
 base=${PREFIX}/etc/cvsup
-rundir=/var/tmp
+rundir=`mktemp -d /var/tmp/cvsupd.XXXXXX`
 out=${rundir}/cvsupd.out
 
 export PATH=/bin:/usr/bin:${PREFIX}/sbin

A.

On Sun Nov 10, 2002 at 10:11:51AM +1100, Joshua Goodall wrote:
> Hi,
> 
> Better not to file a PR for this, I feel.
> 
> I was just passing by net/cvsup-mirror/files/cvsupd.sh when I noticed that
> it appends to the fixed-name file /var/tmp/cvsupd.out
> 
> Therefore if I were a malicious user, I could make a symlink of that
> name in /var/tmp to effect arbitrary file corruption.  If
> I was really clever, I might point it at /root/.ssh/authorized_keys and
> use secondary means to get cvsupd's output to include my public key.
> 
> Consider changing it to /var/log/cvsupd.out ?
> 
> Regards,
> Joshua.
> 
> -- 
> Joshua Goodall
> joshua@roughtrade.net               "Your byte hit ratio is weak, old man"
> "If you cache me now, I will dump more core than you can possibly imagine"
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
> 



-- 
From the age of uniformity, from the age of solitude, from the age of
Big Brother, from the age of doublethink - greetings!

[-- Attachment #2 --]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.0 (FreeBSD)

iD8DBQE9zsCQttcWHAnWiGcRAleSAJ95L97nPnoY77VWBG4ehMq9f+rvnACgoYa+
CmPkw9grLXJiHIYHnvP+vHk=
=7YY3
-----END PGP SIGNATURE-----

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20021110202449.GA296>