Date: Fri, 20 Dec 2002 11:00:10 -0800 (PST)
From: Arkadi Shishlov <arkadi@hosting.lv>
To: freebsd-ports@FreeBSD.org
Subject: Re: ports/46399: libdivxencore distfile has world writable files inside it
Message-ID: <200212201900.gBKJ0A1r077567@freefall.freebsd.org>
The following reply was made to PR ports/46399; it has been noted by GNATS.

From: Arkadi Shishlov <arkadi@hosting.lv>
To: Mario Sergio Fujikawa Ferreira <lioux@FreeBSD.org>
Cc: FreeBSD-gnats-submit@FreeBSD.org
Subject: Re: ports/46399: libdivxencore distfile has world writable files inside it
Date: Fri, 20 Dec 2002 20:58:23 +0200

On Fri, Dec 20, 2002 at 03:08:37PM -0200, Mario Sergio Fujikawa Ferreira wrote:
> Okay, the most appropriate fix to this attack would be
> setting a restrictive umask for your shell. That might be the reason

If you care to test, just do it. My umask is 022.

> be adding a 'chmod a-w,u+w ${WRKDIR}' as a post-extract target so
> there would always be a window of opportunity for such an attack.
> However, unlikely.

Unlikely, but who cares about /tmp race conditions, which are also 'unlikely'... Of course the exploitation of this possible race condition is not directly controlled by the user, but leaving o+w files in /usr/ports is not sane behaviour IMO. At least you can fix libdivxencore. For now, I'm setting o-rx on my ports/.

> I can still add such a patch but umask should be your
> better friend. :) This is the correct fix for all these issues; we
> cannot quite control how developers will package their distribution
> files. So you could have this problem with hundreds/thousands other

It is a question of trust: I trust RedHat not to put o+w files in .rpm. I also want to trust FreeBSD ports not to do silly things just because 'we can't control it'. Developers had better check source packages when submitting new builds. Gentoo Linux, for example, sometimes repackages original sources and almost always provides them from its world-wide network of Gentoo servers.

>> Sorry for dummy Synopsis.
> Don't worry. :) You've just clarified it.

Is there any way to change PR info fields after the PR is submitted? I can't find any information on the FreeBSD site.

arkadi, just wondering what you can sometimes find on some systems with find / -perm.
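The audit and the post-extract fix discussed in this thread (a find for o+w entries, then chmod a-w,u+w on the extracted tree), as an added example that is not part of the original message or of the ports tree. The sample "extracted distfile", its paths and the function names are constructed for the demonstration; the chmod -R is the assumed equivalent of the proposed post-extract target applied to ${WRKDIR}.

```sh
#!/bin/sh
# Added example, not code from the thread or from the FreeBSD ports tree.
# Audits an extracted distfile tree for world-writable entries and applies
# the fix proposed in the PR discussion: chmod a-w,u+w over the work tree.

# List every file or directory under $1 whose mode has the other-write bit.
# -perm -002 is used rather than a symbolic mode because the octal form is
# accepted identically by BSD and GNU find.
list_world_writable() {
    find "$1" -perm -002 -print | sort
}

# Remove write permission for everyone, then restore it for the owner only.
# This is the post-extract target suggested in the thread, applied recursively
# (assumption: chmod -R over the tree is the intended equivalent).
fix_perms() {
    chmod -R a-w,u+w "$1"
}

# Construct a throw-away tree that looks like a distfile packed with a lax
# umask: a 777 directory holding a 666 source file. Prints the tree root.
make_sample_tree() {
    dir=$(mktemp -d)                    # mktemp -d creates the root as 0700
    mkdir -p "$dir/src"
    printf 'int main(void) { return 0; }\n' > "$dir/src/main.c"
    chmod 666 "$dir/src/main.c"         # world-writable file
    chmod 777 "$dir/src"                # world-writable directory
    echo "$dir"
}

# Count the offending entries under $1 (whitespace stripped for portability).
count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# Stand-alone demonstration: audit, fix, re-audit, clean up.
demo() {
    tree=$(make_sample_tree)
    echo "before fix: $(count_world_writable "$tree") world-writable entries"
    list_world_writable "$tree"
    fix_perms "$tree"
    echo "after fix:  $(count_world_writable "$tree") world-writable entries"
    rm -rf "$tree"
}

demo
```

Run it as an ordinary user; the two offending entries are reported before the fix and none after, while the owner keeps write access so the build can still patch and compile the sources. The same list_world_writable call, pointed at /usr/ports, is the check the message's closing remark about find / -perm is getting at.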
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200212201900.gBKJ0A1r077567>