From owner-freebsd-security Sat Nov 9 15:11:54 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1391837B401; Sat, 9 Nov 2002 15:11:53 -0800 (PST)
Received: from yello.shallow.net (yello.shallow.net [203.18.243.120]) by mx1.FreeBSD.org (Postfix) with ESMTP id A997843E42; Sat, 9 Nov 2002 15:11:52 -0800 (PST) (envelope-from joshua@shallow.net)
Received: by yello.shallow.net (Postfix, from userid 1001) id 8E37F2A5B; Sun, 10 Nov 2002 10:11:51 +1100 (EST)
Date: Sun, 10 Nov 2002 10:11:51 +1100
From: Joshua Goodall
To: jdp@freebsd.org
Cc: security@freebsd.org
Subject: Security issue in net/cvsup-mirror port
Message-ID: <20021109231151.GF33758@roughtrade.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.1i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Hi,

Better not to file a PR for this, I feel.

I was just passing by net/cvsup-mirror/files/cvsupd.sh when I noticed that it appends to the fixed-name file /var/tmp/cvsupd.out.

Therefore if I were a malicious user, I could make a symlink of that name in /var/tmp to effect arbitrary file corruption. If I was really clever, I might point it at /root/.ssh/authorized_keys and use secondary means to get cvsupd's output to include my public key.

Consider changing it to /var/log/cvsupd.out ?

Regards,
Joshua.

--
Joshua Goodall                                    joshua@roughtrade.net
"Your byte hit ratio is weak, old man"
"If you cache me now, I will dump more core than you can possibly imagine"

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
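A defensive counterpart to the problem described in this message, added here as an example and not code from the cvsup-mirror port or from the author: a POSIX sh function that appends its stdin to a fixed-name log only after refusing the conditions that make the /var/tmp case dangerous (a world-writable parent directory, a symlink, a non-regular file, or a file owned by someone else). The function name safe_append and the example paths are assumptions.

```shell
#!/bin/sh
# Added example, not code from the cvsup-mirror port. Append stdin to a
# fixed-name log file only when the target could not have been planted by
# another local user. The checks are not atomic with the append, so they
# narrow the window rather than close it; the durable fix is still to log
# under a directory that only the service user can write to, as suggested
# in the message above.

safe_append() {
    logfile=$1
    dir=$(dirname "$logfile")

    # The parent directory must not be writable by other users; otherwise
    # anyone can pre-create "$logfile" as a link to a file of their choosing.
    # (/var/tmp is 1777: the sticky bit does not stop creating the link.)
    if [ -n "$(find "$dir" -prune -perm -0002 -print 2>/dev/null)" ]; then
        echo "safe_append: $dir is world-writable, refusing" >&2
        return 1
    fi

    # Never follow a symlink: that is the redirection trick itself.
    if [ -L "$logfile" ]; then
        echo "safe_append: $logfile is a symlink, refusing" >&2
        return 1
    fi

    if [ -e "$logfile" ]; then
        # Only a regular file owned by the invoking user is acceptable.
        if [ ! -f "$logfile" ]; then
            echo "safe_append: $logfile is not a regular file, refusing" >&2
            return 1
        fi
        if [ -z "$(find "$logfile" -prune -user "$(id -un)" -print 2>/dev/null)" ]; then
            echo "safe_append: $logfile is not owned by $(id -un), refusing" >&2
            return 1
        fi
    fi

    cat >> "$logfile"
}
```

Intended use is in place of a bare `>> /var/tmp/cvsupd.out` redirection, e.g. `some_command 2>&1 | safe_append /var/log/cvsupd.out`.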