Date: Sun, 10 Nov 2002 15:24:49 -0500
From: The Anarcat
To: Joshua Goodall
Cc: jdp@freebsd.org, security@freebsd.org
Subject: Re: Security issue in net/cvsup-mirror port
Message-ID: <20021110202449.GA296@lenny.anarcat.ath.cx>
References: <20021109231151.GF33758@roughtrade.net>
In-Reply-To: <20021109231151.GF33758@roughtrade.net>

You are perfectly right although I don't understand why you feel you
shouldn't file a PR for this.

Also, I suggest the following patch instead:

--- cvsupd.sh.orig Sun Nov 10 15:19:22 2002 +++ cvsupd.sh Sun Nov 10 15:23:08 2002 
@@ -5,7 +5,7 @@ exit 1 fi base=3D${PREFIX}/etc/cvsup -rundir=3D/var/tmp +rundir=3D`mktemp -d /var/tmp/cvsupd.XXXXXX` out=3D${rundir}/cvsupd.out =20 export PATH=3D/bin:/usr/bin:${PREFIX}/sbin

A.

On Sun Nov 10, 2002 at 10:11:51AM +1100, Joshua Goodall wrote:
> Hi,
>
> Better not to file a PR for this, I feel.
>
> I was just passing by net/cvsup-mirror/files/cvsupd.sh when I noticed that
> it appends to the fixed-name file /var/tmp/cvsupd.out
>
> Therefore if I were a malicious user, I could make a symlink of that
> name in /var/tmp to effect arbitrary file corruption. If
> I was really clever, I might point it at /root/.ssh/authorized_keys and
> use secondary means to get cvsupd's output to include my public key.
>
> Consider changing it to /var/log/cvsupd.out ?
>
> Regards,
> Joshua.
>
> --
> Joshua Goodall
> joshua@roughtrade.net "Your byte hit ratio is weak, old man"
> "If you cache me now, I will dump more core than you can possibly imagine"

--
From the age of uniformity, from the age of solitude, from the age of
Big Brother, from the age of doublethink - greetings!
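
Review bot: on the `+rundir=` line the result of `mktemp -d` is never checked (the `=3D` in the hunk is quoted-printable for `=`). If `mktemp` fails, `rundir` is empty and the following `out=${rundir}/cvsupd.out` resolves to `/cvsupd.out`, so the script should stop at that point, for example `rundir=$(mktemp -d /var/tmp/cvsupd.XXXXXX) || exit 1`. Each start also creates a new directory that nothing in this hunk removes, and the output file no longer has a location the administrator can predict; a fixed path in a directory that only root can write, such as the `/var/log/cvsupd.out` proposed in the original report, would avoid both.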
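
The condition behind the report quoted above, written as a check a startup script could make before appending to its output file. This is an added example, not part of the original message or of the port's cvsupd.sh; the function names `private_rundir`, `log_target_ok` and `demo` are hypothetical, and a throwaway sandbox directory stands in for /var/tmp.

```shell
#!/bin/sh
# Added example; function names and the sandbox layout are constructed.

# Create a private (mode 0700) run directory under PARENT and print its path.
# Fails closed: a mktemp error is passed back to the caller.
private_rundir() {
    mktemp -d "$1/cvsupd.XXXXXX" || return 1
}

# Return 0 only if appending to FILE cannot be redirected by another user:
# FILE must not be a symlink, and its directory must be a real directory
# that is neither group- nor other-writable (mode bits only, not ownership).
log_target_ok() {
    [ -L "$1" ] && return 1
    case $(ls -ld "$(dirname "$1")" 2>/dev/null) in
        d????w*|d???????w*) return 1 ;;   # group- or other-writable
        d*) return 0 ;;
    esac
    return 1                              # missing, or not a directory
}

# Demo: a mode-1777 directory with a pre-planted link, then a private one.
demo() {
    sandbox=$(mktemp -d "${TMPDIR:-/tmp}/demo.XXXXXX") || return 1
    mkdir "$sandbox/tmp" && chmod 1777 "$sandbox/tmp"
    : > "$sandbox/victim"
    ln -s "$sandbox/victim" "$sandbox/tmp/cvsupd.out"   # constructed link
    if log_target_ok "$sandbox/tmp/cvsupd.out"; then
        echo "shared: ok"
    else
        echo "shared: refused"
    fi
    rundir=$(private_rundir "$sandbox/tmp") || return 1
    if log_target_ok "$rundir/cvsupd.out"; then
        echo "private: ok"
    else
        echo "private: refused"
    fi
    rm -rf "$sandbox"
}
demo
```

The shared-directory case is refused even when no link exists yet, because any local user could create one between the check and the first write.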