Date: Thu, 30 Oct 1997 15:05:52 -0500 (EST)
From: Matthew Hunt <mph@pobox.com>
To: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: ports/4897: Fix: net/ircii-epic installs files with bad ownership
Message-ID: <199710302005.PAA15351@mph124.rh.psu.edu>
Resent-Message-ID: <199710302010.MAA06272@hub.freebsd.org>
>Number: 4897
>Category: ports
>Synopsis: Fix: net/ircii-epic installs files with bad ownership
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-ports
>State: open
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Oct 30 12:10:01 PST 1997
>Last-Modified:
>Originator: Matthew Hunt
>Organization: none
>Release: FreeBSD 2.2.5-RELEASE i386
>Environment:
FreeBSD mph124.rh.psu.edu 2.2.5-RELEASE FreeBSD 2.2.5-RELEASE #0: Tue Oct 21 15:01:42 EDT 1997 hunt@mph124.rh.psu.edu:/usr/src/sys/compile/WOPR i386
>Description:
My port of net/ircii-epic installs some files, including scripts, with the same numeric UID/GID as they are distributed in the tarball. This UID could collide with a real user, and the user would own the scripts, allowing him to insert trojan code that other people running the client would execute.

Discovered by: find / -nouser -nogroup

Nice idea, didn't know it existed until today.
>How-To-Repeat:
>Fix:
Apply the following patch.

diff -uNr /usr/ports/net/ircii-epic/Makefile ircii-epic/Makefile --- /usr/ports/net/ircii-epic/Makefile Tue Jul 29 05:22:39 1997 +++ ircii-epic/Makefile Thu Oct 30 14:58:54 1997 @@ -18,6 +18,10 @@ GNU_CONFIGURE= yes WRKSRC= ${WRKDIR}/ircii-EPIC3.004 +do-install: + (cd ${WRKSRC} && make INSTALL_PROGRAM="${INSTALL_PROGRAM}" \ + INSTALL_DATA="${INSTALL_DATA}" install) + post-install: (cd $(PREFIX)/lib/irc && tar xzf $(DISTDIR)/ircii2.8.2-EPIC3.help.tar.gz) # Distfile has wrong permissions for... diff -uNr /usr/ports/net/ircii-epic/patches/patch-aa ircii-epic/patches/patch-aa --- /usr/ports/net/ircii-epic/patches/patch-aa Wed Dec 31 19:00:00 1969 +++ ircii-epic/patches/patch-aa Thu Oct 30 14:58:33 1997
@@ -0,0 +1,49 @@ +--- Makefile.in.orig Thu Oct 10 10:59:07 1996 ++++ Makefile.in Thu Oct 30 14:58:29 1997 +@@ -112,8 +112,8 @@ + LN = @LN@ + CP = cp + MV = mv +-INSTALL = ./bsdinstall -c -m 755 +-INSTALL_DATA = ../bsdinstall -c -m 644 ++#INSTALL = ./bsdinstall -c -m 755 ++#INSTALL_DATA = ../bsdinstall -c -m 644 + + VERSION = @VERSION@ + +@@ -151,7 +151,7 @@ + + installirc: irc installdirs test + if ./my_test \( ! -f $(INSTALL_IRC)-$(VERSION) \) -o source/irc -nt $(INSTALL_IRC)-$(VERSION); then \ +- $(INSTALL) source/irc $(INSTALL_IRC)-$(VERSION); \ ++ $(INSTALL_PROGRAM) source/irc $(INSTALL_IRC)-$(VERSION); \ + if ./my_test -f $(INSTALL_IRC).old; then $(RM) $(INSTALL_IRC).old; fi; \ + if ./my_test -f $(INSTALL_IRC); then $(MV) $(INSTALL_IRC) $(INSTALL_IRC).old; fi; \ + $(RM) $(INSTALL_IRC); \ +@@ -164,7 +164,7 @@ + + installserv: ircserv installdirs test + if ./my_test \( \! -f $(INSTALL_IRCSERV) \) -o source/ircserv -nt $(INSTALL_IRCSERV); then \ +- $(INSTALL) source/ircserv $(INSTALL_IRCSERV); \ ++ $(INSTALL_PROGRAM) source/ircserv $(INSTALL_IRCSERV); \ + fi + + +@@ -173,7 +173,7 @@ + + installflush: ircflush installdirs test + if ./my_test \( \! -f $(INSTALL_IRCFLUSH) \) -o source/ircflush -nt $(INSTALL_IRCFLUSH); then \ +- $(INSTALL) source/ircflush $(INSTALL_IRCFLUSH); \ ++ $(INSTALL_PROGRAM) source/ircflush $(INSTALL_IRCFLUSH); \ + fi + + +@@ -182,7 +182,7 @@ + + installwserv: wserv installdirs test + if ./my_test \( \! -f $(INSTALL_WSERV) \) -o source/wserv -nt $(INSTALL_WSERV); then \ +- $(INSTALL) source/wserv $(INSTALL_WSERV); \ ++ $(INSTALL_PROGRAM) source/wserv $(INSTALL_WSERV); \ + fi + + >Audit-Trail: >Unformatted:
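Review bot: in the ports Makefile hunk (@@ -18,6 +18,10 @@), the post-install line kept as context, (cd $(PREFIX)/lib/irc && tar xzf $(DISTDIR)/ircii2.8.2-EPIC3.help.tar.gz), still unpacks a tarball straight into the installed tree, and tar run as root restores the UID/GID recorded in the archive. The comment that follows it is cut off here, so it is not visible whether ownership is reset after extraction; if it is not, the help files keep the same problem this PR describes and the step needs an explicit chown or an extraction that does not preserve owners. Separately, do-install calls a literal make and writes ${WRKSRC} while post-install writes $(PREFIX); ${MAKE} and a single variable style would be more consistent.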
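Review bot: in patch-aa, hunk @@ -112,8 +112,8 @@, commenting out INSTALL and INSTALL_DATA leaves Makefile.in with no definition of either, and the INSTALL_PROGRAM that the later hunks switch to is never defined in this file. The install therefore works only when both values arrive on the command line, as do-install passes them; a plain make install in the work directory, without them in the environment, would expand $(INSTALL_PROGRAM) to nothing and try to run source/irc with the destination as its argument. Any $(INSTALL) use outside the four changed targets would break the same way, so grep Makefile.in for remaining uses. I would delete the two lines rather than leave them commented out, and add a one-line comment that the port supplies the values.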
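Review bot: across the four install-target hunks of patch-aa (installirc, installserv, installflush, installwserv), only the binaries move to $(INSTALL_PROGRAM), while the PR description names scripts among the files with bad ownership and no hunk touches a script or data install rule. If those rules go through $(INSTALL_DATA), the command-line override in do-install covers them, but any rule that installs scripts by another route (the first hunk's context shows CP = cp and MV = mv defined alongside) is not changed by this patch. Please state which rule installs the scripts, and rerun the find check from the description on a fresh install to confirm nothing is left unowned.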