Date: Wed, 21 Nov 2001 14:41:59 -0500
From: The Anarcat <anarcat@anarcat.dyndns.org>
To: Eric Anderson <anderson@centtech.com>
Cc: FreeBSD Security Issues <FreeBSD-security@freebsd.org>
Subject: Re: fun with pkg_add
Message-ID: <20011121194159.GA69296@shall.anarcat.dyndns.org>
In-Reply-To: <3BFC025D.36710154@centtech.com>
References: <20011121191808.GD44370@shall.anarcat.dyndns.org> <3BFC025D.36710154@centtech.com>

On Wed Nov 21, 2001 at 01:37:01PM -0600, Eric Anderson wrote:
> The only danger I see is a potential that the user could
> replace the binary with a hacked version, between untarring
> and installing, creating a breach.

Yes. This is what I saw too.

> Other than that, it's the same as a /var/tmp directory almost.

Except that /var/tmp is a "known issue" and admins are generally aware
of its vulnerability. Admins surely don't expect their installed
packages to be overwritable.

I will open a pr about this.

A.