From owner-freebsd-security Wed Nov 21 11:45:11 2001 Delivered-To: freebsd-security@freebsd.org Received: from tomts11-srv.bellnexxia.net (tomts11.bellnexxia.net [209.226.175.55]) by hub.freebsd.org (Postfix) with ESMTP id 433E037B416 for ; Wed, 21 Nov 2001 11:45:01 -0800 (PST) Received: from khan.anarcat.dyndns.org ([65.94.128.110]) by tomts11-srv.bellnexxia.net (InterMail vM.4.01.03.16 201-229-121-116-20010115) with ESMTP id <20011121194500.PXQH24249.tomts11-srv.bellnexxia.net@khan.anarcat.dyndns.org>; Wed, 21 Nov 2001 14:45:00 -0500 Received: from shall.anarcat.dyndns.org (shall.anarcat.dyndns.org [192.168.0.1]) by khan.anarcat.dyndns.org (Postfix) with ESMTP id 1688118D3; Wed, 21 Nov 2001 14:46:12 -0500 (EST) Received: by shall.anarcat.dyndns.org (Postfix, from userid 1000) id 15C8720ADB; Wed, 21 Nov 2001 14:46:35 -0500 (EST) Date: Wed, 21 Nov 2001 14:46:34 -0500 From: The Anarcat To: airot@lazir.toya.net.pl Cc: FreeBSD Security Issues Subject: Re: fun with pkg_add Message-ID: <20011121194634.GB69296@shall.anarcat.dyndns.org> Mail-Followup-To: airot@lazir.toya.net.pl, FreeBSD Security Issues References: <20011121191808.GD44370@shall.anarcat.dyndns.org> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="0eh6TmSyL6TZE2Uz" Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.3.23.2i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --0eh6TmSyL6TZE2Uz Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Wed Nov 21, 2001 at 08:38:06PM +0100, airot@lazir.toya.net.pl wrote: >=20 >=20 > On Wed, 21 Nov 2001, The Anarcat wrote: >=20 > > Hi! > > > > I just noticed something that could be a problem with pkg_add > > algorithms. When it installs a package, it first untars it in a > > temporary directory. The problem is that the subdirectories of the > > package created this way are world-writable: > > > > $ ftp -a ftp://ftp.freebsd.org/pub/FreeBSD/ports/packages/All/auctex-10= .0g.tgz > > $ pkg_add auctex-10.0g.tgz > > ^Z > ^Z is SIGTSTP it susspend prcoesses, there is a very small posibilty that > our 'attacker' will change somthing when you are installing package. ;-) Wrong. With large packages such as XFree86, the untarring actually takes a few minutes, sometimes, and thus leave a large window of attack. > I didn`t check the /var/tmp/inst* directory permissions, but i guess it`s > imposible to exploit this security issue. Again, I do not agree, as I have exploited this security issue. It might be related to some misconfiguration on my side (but I doubt it), and it is why I sent this to the list first, to get some confirmation of the bug. A. --0eh6TmSyL6TZE2Uz Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iEYEARECAAYFAjv8BJkACgkQttcWHAnWiGeaowCeLHroQl3psl6x45uuAglEXYR+ JHAAn3O8j4WknM7fw4/p9e8Zw4KYAjhb =vcth -----END PGP SIGNATURE----- --0eh6TmSyL6TZE2Uz-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message