Date:      Thu, 30 Oct 1997 15:05:52 -0500 (EST)
From:      Matthew Hunt <mph@pobox.com>
To:        FreeBSD-gnats-submit@FreeBSD.ORG
Subject:   ports/4897: Fix: net/ircii-epic installs files with bad ownership
Message-ID:  <199710302005.PAA15351@mph124.rh.psu.edu>
Resent-Message-ID: <199710302010.MAA06272@hub.freebsd.org>


>Number:         4897
>Category:       ports
>Synopsis:       Fix: net/ircii-epic installs files with bad ownership
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-ports
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Oct 30 12:10:01 PST 1997
>Last-Modified:
>Originator:     Matthew Hunt
>Organization:
none
>Release:        FreeBSD 2.2.5-RELEASE i386
>Environment:
FreeBSD mph124.rh.psu.edu 2.2.5-RELEASE FreeBSD 2.2.5-RELEASE #0: Tue Oct 21 15:01:42 EDT 1997     hunt@mph124.rh.psu.edu:/usr/src/sys/compile/WOPR  i386

>Description:
My port of net/ircii-epic installs some files, including scripts, with the
same numeric UID/GID as they are distributed in the tarball.  This UID
could collide with a real user, and the user would own the scripts,
allowing him to insert trojan code that other people running the client would
execute.

Discovered by: find / -nouser -nogroup
Nice idea, didn't know it existed until today.

>How-To-Repeat:
>Fix:
Apply the following patch.


diff -uNr /usr/ports/net/ircii-epic/Makefile ircii-epic/Makefile
--- /usr/ports/net/ircii-epic/Makefile	Tue Jul 29 05:22:39 1997
+++ ircii-epic/Makefile	Thu Oct 30 14:58:54 1997
@@ -18,6 +18,10 @@
 GNU_CONFIGURE=	yes
 WRKSRC=		${WRKDIR}/ircii-EPIC3.004
 
+do-install:
+		(cd ${WRKSRC} && make INSTALL_PROGRAM="${INSTALL_PROGRAM}" \
+			INSTALL_DATA="${INSTALL_DATA}" install)
+
 post-install:
 		(cd $(PREFIX)/lib/irc && tar xzf $(DISTDIR)/ircii2.8.2-EPIC3.help.tar.gz)
 		# Distfile has wrong permissions for...
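Review bot: the post-install target directly below the new do-install still unpacks the help archive with a bare `tar xzf` as root, which preserves whatever numeric uid/gid the help tarball carries, so the same ownership problem the PR fixes for the main distfile can recur under $(PREFIX)/lib/irc. Unless the lines cut off after "Distfile has wrong permissions for..." already reset ownership, add a `chown -R root:wheel` of the extracted tree (or a tar option that discards archive ownership) after the extraction. Minor style point: the new do-install uses `${WRKSRC}` while the surrounding post-install uses `$(PREFIX)` and `$(DISTDIR)`; pick one form.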
diff -uNr /usr/ports/net/ircii-epic/patches/patch-aa ircii-epic/patches/patch-aa
--- /usr/ports/net/ircii-epic/patches/patch-aa	Wed Dec 31 19:00:00 1969
+++ ircii-epic/patches/patch-aa	Thu Oct 30 14:58:33 1997
@@ -0,0 +1,49 @@
+--- Makefile.in.orig	Thu Oct 10 10:59:07 1996
++++ Makefile.in	Thu Oct 30 14:58:29 1997
+@@ -112,8 +112,8 @@
+ LN = @LN@
+ CP = cp
+ MV = mv
+-INSTALL = ./bsdinstall -c -m 755
+-INSTALL_DATA = ../bsdinstall -c -m 644
++#INSTALL = ./bsdinstall -c -m 755
++#INSTALL_DATA = ../bsdinstall -c -m 644
+ 
+ VERSION = @VERSION@
+ 
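Review bot: commenting out INSTALL and INSTALL_DATA rather than redefining them leaves Makefile.in with no value for INSTALL_PROGRAM or INSTALL_DATA of its own, so a plain `make install` run outside the port (without the `INSTALL_PROGRAM=... INSTALL_DATA=...` overrides the port's do-install passes on the command line) expands `$(INSTALL_PROGRAM) source/irc ...` to an empty command and the shell tries to execute `source/irc` itself. Consider `INSTALL_PROGRAM = @INSTALL_PROGRAM@` / `INSTALL_DATA = @INSTALL_DATA@` or explicit `install -c -o root -g wheel` defaults here, and check that no remaining rule in Makefile.in still references the now-empty `$(INSTALL)`. Also note the description says scripts are installed with bad ownership, but none of the hunks in this patch touch a script or data install rule; if those go through INSTALL_DATA, the fix only works because the port now supplies it externally.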
+@@ -151,7 +151,7 @@
+ 
+ installirc: irc installdirs test
+ 	if ./my_test \( ! -f $(INSTALL_IRC)-$(VERSION) \) -o source/irc -nt $(INSTALL_IRC)-$(VERSION); then \
+-		$(INSTALL) source/irc $(INSTALL_IRC)-$(VERSION); \
++		$(INSTALL_PROGRAM) source/irc $(INSTALL_IRC)-$(VERSION); \
+ 		if ./my_test -f $(INSTALL_IRC).old; then $(RM) $(INSTALL_IRC).old; fi; \
+ 		if ./my_test -f $(INSTALL_IRC); then $(MV) $(INSTALL_IRC) $(INSTALL_IRC).old; fi; \
+ 		$(RM) $(INSTALL_IRC); \
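Review bot: the `-nt` timestamp guard on this rule means an existing irc-$(VERSION) that is newer than source/irc is left untouched, so a system already carrying the mis-owned binary from a previous install will not be repaired by reinstalling unless the port is deinstalled first (or the installed file is removed); the same applies to the copy rotated to $(INSTALL_IRC).old two lines below, which keeps the ownership the earlier install gave it. Mention this in the PR or have the port's deinstall clean up the .old file.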
+@@ -164,7 +164,7 @@
+ 
+ installserv: ircserv installdirs test
+ 	if ./my_test \( \! -f $(INSTALL_IRCSERV) \) -o source/ircserv -nt $(INSTALL_IRCSERV); then \
+-		$(INSTALL) source/ircserv $(INSTALL_IRCSERV); \
++		$(INSTALL_PROGRAM) source/ircserv $(INSTALL_IRCSERV); \
+ 	fi
+ 
+ 
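Review bot: this rule and the two that follow escape the negation as `\!` while installirc above uses a bare `!` in the same my_test expression; both reach my_test the same way, but the inconsistency makes the four hunks harder to compare at a glance. Style only; the INSTALL to INSTALL_PROGRAM substitution itself is consistent across all four program targets.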
+@@ -173,7 +173,7 @@
+ 
+ installflush: ircflush installdirs test
+ 	if ./my_test \( \! -f $(INSTALL_IRCFLUSH) \) -o source/ircflush -nt $(INSTALL_IRCFLUSH); then \
+-		$(INSTALL) source/ircflush $(INSTALL_IRCFLUSH); \
++		$(INSTALL_PROGRAM) source/ircflush $(INSTALL_IRCFLUSH); \
+ 	fi
+ 
+ 
+@@ -182,7 +182,7 @@
+ 
+ installwserv: wserv installdirs test
+ 	if ./my_test \( \! -f $(INSTALL_WSERV) \) -o source/wserv -nt $(INSTALL_WSERV); then \
+-		$(INSTALL) source/wserv $(INSTALL_WSERV); \
++		$(INSTALL_PROGRAM) source/wserv $(INSTALL_WSERV); \
+ 	fi
+ 
+ 
>Audit-Trail:
>Unformatted:
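The PR finds the problem after the fact with `find / -nouser -nogroup`. As an added illustration (not part of Matthew Hunt's PR or the ircii-epic port), the following Python script shows the pre-install side of the same check: it reads a source tarball, reports every member whose numeric uid/gid is not root's, and rewrites the archive with root ownership, which is what routing the files through install(1) via INSTALL_PROGRAM/INSTALL_DATA achieves on the installed copies. The tarball, the member names under `ircii-EPIC3.004/` and the ids 1234/100 are constructed here for the demonstration.

```python
"""Audit a source tarball for members whose owner/group would collide with a
local account if the archive were unpacked and installed as-is.

Added example; the archive and its contents are constructed below, not taken
from any real distfile.
"""
import io
import tarfile

# Owners that are acceptable on installed files: root (uid 0 / gid 0).
SAFE_IDS = {0}


def build_sample_tarball() -> bytes:
    """Constructed sample: one member owned by root and one script carrying an
    upstream developer's numeric uid/gid (1234/100), the case the PR describes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, uid, gid, payload in (
            ("ircii-EPIC3.004/Makefile.in", 0, 0, b"all:\n"),
            ("ircii-EPIC3.004/script/global", 1234, 100, b"# irc script\n"),
        ):
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            info.uid, info.gid = uid, gid
            info.uname, info.gname = "", ""  # numeric ids only, like many old tarballs
            info.mode = 0o644
            tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def foreign_owners(tar_bytes: bytes, safe_ids=SAFE_IDS) -> list:
    """Return (member, uid, gid) for every member not owned by a safe id.

    Extracting such a member as root creates a file owned by that numeric id;
    whichever local account happens to hold the id can then edit it."""
    hits = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for m in tf.getmembers():
            if m.uid not in safe_ids or m.gid not in safe_ids:
                hits.append((m.name, m.uid, m.gid))
    return hits


def normalize_owner(tar_bytes: bytes, uid: int = 0, gid: int = 0) -> bytes:
    """Rewrite the archive so every member is owned by uid/gid, preserving
    names, modes and contents; the equivalent of letting install(1) set the
    owner instead of trusting the tarball."""
    src = tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*")
    out = io.BytesIO()
    with tarfile.open(fileobj=out, mode="w:gz") as dst:
        for m in src.getmembers():
            data = src.extractfile(m) if m.isfile() else None
            m.uid, m.gid = uid, gid
            m.uname, m.gname = "root", "wheel"
            dst.addfile(m, data)
    src.close()
    return out.getvalue()


def read_member(tar_bytes: bytes, name: str) -> bytes:
    """Return the contents of one member, to confirm normalization kept data."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        return tf.extractfile(name).read()


if __name__ == "__main__":
    tb = build_sample_tarball()
    for name, uid, gid in foreign_owners(tb):
        print(f"foreign owner {uid}:{gid} on {name}")
    fixed = normalize_owner(tb)
    print("after normalization:", foreign_owners(fixed))
```

Run against a real distfile with `foreign_owners(open("ircii2.8.2-EPIC3.004.tar.gz", "rb").read())` before adding a port; any hit is a member that must go through install(1) (or be chowned) rather than be copied straight out of the tarball.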
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199710302005.PAA15351>