Date:      Sun, 10 Nov 2002 15:24:49 -0500
From:      The Anarcat <anarcat@anarcat.ath.cx>
To:        Joshua Goodall <joshua@roughtrade.net>
Cc:        jdp@freebsd.org, security@freebsd.org
Subject:   Re: Security issue in net/cvsup-mirror port
Message-ID:  <20021110202449.GA296@lenny.anarcat.ath.cx>
In-Reply-To: <20021109231151.GF33758@roughtrade.net>
References:  <20021109231151.GF33758@roughtrade.net>


You are perfectly right, although I don't understand why you feel you
shouldn't file a PR for this.

Also, I suggest the following patch instead:

--- cvsupd.sh.orig      Sun Nov 10 15:19:22 2002
+++ cvsupd.sh   Sun Nov 10 15:23:08 2002
@@ -5,7 +5,7 @@
     exit 1
 fi
 base=3D${PREFIX}/etc/cvsup
-rundir=3D/var/tmp
+rundir=3D`mktemp -d /var/tmp/cvsupd.XXXXXX`
 out=3D${rundir}/cvsupd.out
=20
 export PATH=3D/bin:/usr/bin:${PREFIX}/sbin
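
Review bot: the new rundir assignment does not check whether `mktemp -d` succeeded. If it fails, rundir is empty and out becomes /cvsupd.out, so the script would write to a file in the root directory; append `|| exit 1` to that line. The directory name also changes on every start and nothing in this hunk removes it, so /var/tmp accumulates cvsupd.XXXXXX directories and the administrator has no fixed place to look for cvsupd.out. A fixed path in a directory that is not world-writable, such as the /var/log/cvsupd.out proposed in the quoted message, avoids both.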

A.

On Sun Nov 10, 2002 at 10:11:51AM +1100, Joshua Goodall wrote:
> Hi,
>
> Better not to file a PR for this, I feel.
>
> I was just passing by net/cvsup-mirror/files/cvsupd.sh when I noticed that
> it appends to the fixed-name file /var/tmp/cvsupd.out
>
> Therefore if I were a malicious user, I could make a symlink of that
> name in /var/tmp to effect arbitrary file corruption.  If
> I was really clever, I might point it at /root/.ssh/authorized_keys and
> use secondary means to get cvsupd's output to include my public key.
>
> Consider changing it to /var/log/cvsupd.out ?
>
> Regards,
> Joshua.
>
> -- 
> Joshua Goodall
> joshua@roughtrade.net               "Your byte hit ratio is weak, old man"
> "If you cache me now, I will dump more core than you can possibly imagine"
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>



-- 
From the age of uniformity, from the age of solitude, from the age of
Big Brother, from the age of doublethink - greetings!
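
The fixed-name append described in the quoted message, next to the `mktemp -d` form from the patch with a failure check, as an added example that is not part of the original e-mail or the port. Everything runs inside a scratch directory; the names `log_fixed`, `log_private`, `demo` and `victim` are constructed for the illustration.

```shell
#!/bin/sh
# Added example, not code from net/cvsup-mirror. All paths are constructed
# and live in a scratch directory that demo() creates and removes.

# Old behaviour: append to a fixed name inside a shared directory ($1).
# The shell's >> follows a symlink that already sits at that name.
log_fixed() {
    echo "cvsupd started" >> "$1/cvsupd.out"
}

# Patched behaviour plus a failure check: a private directory from mktemp -d.
# Prints the path of the log file it wrote; returns 1 if mktemp fails.
log_private() {
    rundir=$(mktemp -d "$1/cvsupd.XXXXXX") || return 1
    out=$rundir/cvsupd.out
    echo "cvsupd started" >> "$out" || return 1
    printf '%s\n' "$out"
}

# Run both variants against a shared directory holding a planted symlink.
# Prints two words: the state of the victim file after each variant.
demo() {
    scratch=$(mktemp -d "${TMPDIR:-/tmp}/symdemo.XXXXXX") || return 1
    shared=$scratch/shared
    victim=$scratch/victim
    mkdir "$shared" || return 1
    echo "original" > "$victim"
    ln -s "$victim" "$shared/cvsupd.out"   # stand-in for the hostile symlink

    log_fixed "$shared"
    if [ "$(cat "$victim")" = "original" ]; then r1=intact; else r1=corrupted; fi

    echo "original" > "$victim"            # reset before the second variant
    log_private "$shared" > /dev/null || return 1
    if [ "$(cat "$victim")" = "original" ]; then r2=intact; else r2=corrupted; fi

    rm -rf "$scratch"
    echo "$r1 $r2"
}
```

Calling `demo` prints `corrupted intact`: the fixed name writes through the symlink, while the private directory does not.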
