From: Arkadi Shishlov
To: freebsd-ports@FreeBSD.org
Subject: Re: ports/46399: libdivxencore distfile has world writable files inside it
Date: Fri, 20 Dec 2002 11:00:10 -0800 (PST)
Message-Id: <200212201900.gBKJ0A1r077567@freefall.freebsd.org>

The following reply was made to PR ports/46399; it has been noted by GNATS.

From: Arkadi Shishlov
To: Mario Sergio Fujikawa Ferreira
Cc: FreeBSD-gnats-submit@FreeBSD.org
Subject: Re: ports/46399: libdivxencore distfile has world writable files inside it
Date: Fri, 20 Dec 2002 20:58:23 +0200

On Fri, Dec 20, 2002 at 03:08:37PM -0200, Mario Sergio Fujikawa Ferreira wrote:
> Okay, the most appropriate fix to this attack would be
> setting a restrictive umask for your shell. That might be the reason

If you care to test, just do it. My umask is 022.

> be adding a 'chmod a-w,u+w ${WRKDIR}' as a post-extract target so
> there would be always a window of opportunity for such an attack.
> However, unlikely.
Unlikely, but who cares about /tmp race conditions, which are also 'unlikely'.. Of course the exploitation of this possible race condition is not directly controlled by the user, but leaving o+w files in /usr/ports is not sane behaviour IMO. At least you can fix libdivxencore. For now, I'm setting o-rx on my ports/.

> I can still add such a patch but umask should be your
> better friend. :) This is the correct fix for all these issues, we
> cannot quite control how developers will package their distribution
> files. So you could have this problem with hundreds/thousands other

It is a question of trust. I trust RedHat not to put o+w files in .rpm. I also want to trust FreeBSD ports not to do silly things just because 'we can't control it'. Developers had better check source packages when submitting new builds. Gentoo Linux, for example, sometimes repackages original sources and almost always provides them from the world-wide Gentoo server network.

>> Sorry for dummy Synopsis.
> Don't worry. :) You've just clarified it.

Is there any way to change PR info fields after a PR is submitted? I can't find any information on the FreeBSD site.

arkadi, just wondering what sometimes you can find on some systems with find / -perm.
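The thread above argues over whether a restrictive umask or a 'chmod a-w,u+w ${WRKDIR}' post-extract target is the right defence against o+w files shipped inside a distfile. The script below is an added example, not code from the mail, the PR or the ports tree: it lists the world-writable members of a tarball before extraction (the check a submitter could run on a new distfile), extracts into a work directory, and then normalises modes the way the proposed post-extract target would. The sample "distfile", its file names and all function names are constructed for this example.

```sh
#!/bin/sh
# Added example, not part of the original mail or of the ports framework.
# Audit a distfile for world-writable members, then extract and normalise.
set -eu

# Print archive members whose mode grants write to "others".
# `tar -tvf` prints an ls-style mode string (e.g. -rw-rw-rw-) as the first
# field; character 9 of that string is the o+w bit. Name is the last field.
list_world_writable() {
    tar -tvf "$1" | awk 'substr($1, 9, 1) == "w" { print $NF }'
}

# Number of world-writable members in the archive.
count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# Extract into a work directory, then do what a post-extract target of
# 'chmod a-w,u+w ${WRKDIR}' would: strip write from group/other but keep
# the owner's write bit so the build can still patch and compile.
extract_and_fix() {
    wrkdir=$1
    distfile=$2
    mkdir -p "$wrkdir"
    tar -xf "$distfile" -C "$wrkdir"
    chmod -R a-w,u+w "$wrkdir"
}

# Succeeds only if nothing under the directory is world-writable
# (octal -002 is used instead of a symbolic mode for GNU/BSD find portability).
no_world_writable_in() {
    [ -z "$(find "$1" -perm -002 -print)" ]
}

# Constructed sample distfile: a tiny source tree with one o+w file,
# mimicking the libdivxencore situation described in the PR.
make_sample_distfile() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/src/libfoo"
    echo 'int main(void) { return 0; }' > "$tmp/src/libfoo/main.c"
    echo 'all:' > "$tmp/src/libfoo/Makefile"
    chmod 644 "$tmp/src/libfoo/main.c"
    chmod 666 "$tmp/src/libfoo/Makefile"   # the offending world-writable file
    (cd "$tmp/src" && tar -cf "$tmp/libfoo.tar" libfoo)
    echo "$tmp/libfoo.tar"
}

# Usage: audit a real distfile, e.g.
#   list_world_writable /usr/ports/distfiles/some-src.tar
# or run the constructed sample end to end:
#   f=$(make_sample_distfile); count_world_writable "$f"
#   extract_and_fix /tmp/wrk "$f" && no_world_writable_in /tmp/wrk
```

Why the umask alone is not enough: when run as root, which is how ports are normally built, both GNU tar and bsdtar preserve the archive's modes by default and ignore the umask, so a 666 file in the distfile lands as 666 in WRKDIR; only as an unprivileged user is the umask applied at extraction time (in that case the chmod step above is a harmless no-op). A quick audit of an existing tree is `find /usr/ports -perm -002 -print`.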