From owner-freebsd-security Mon Nov 11 03:15:02 2002
Date: Mon, 11 Nov 2002 11:14:25 +0000 (GMT)
From: Jan Grant <Jan.Grant@bristol.ac.uk>
To: Joshua Goodall
Cc: jdp@freebsd.org, security
Subject: Re: Security issue in net/cvsup-mirror port
In-Reply-To: <20021109231151.GF33758@roughtrade.net>

On Sun, 10 Nov 2002, Joshua Goodall wrote:

> Hi,
>
> Better not to file a PR for this, I feel.
>
> I was just passing by net/cvsup-mirror/files/cvsupd.sh when I noticed that
> it appends to the fixed-name file /var/tmp/cvsupd.out
>
> Therefore if I were a malicious user, I could make a symlink of that
> name in /var/tmp to effect arbitrary file corruption. If
> I was really clever, I might point it at /root/.ssh/authorized_keys and
> use secondary means to get cvsupd's output to include my public key.
>
> Consider changing it to /var/log/cvsupd.out ?

Yep. Also, consider mounting /var/tmp with nosymfollow.

-- 
jan grant, ILRT, University of Bristol. http://www.ilrt.bris.ac.uk/
Tel +44(0)117 9287088 Fax +44 (0)117 9287112 http://ioctl.org/jan/
Hang on, wasn't he holding a wooden parrot? No! It was a porcelain owl.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
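The attack Joshua describes and the fix the thread converges on, as an added shell example that is not code from the posting or from the cvsup-mirror port. It reproduces the fixed-name append against a symlink inside a private scratch tree (the sandbox directories stand in for /var/tmp, /var/log and /root/.ssh/authorized_keys; no real system path is touched), then shows the hardened variant: append into a directory other users cannot write to, with a symlink check on the final component as a second guard. The function names, the "attacker-key" marker and the sample key lines are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the freebsd-security posting or the cvsup-mirror
# port. Reproduces the /var/tmp symlink attack in a sandbox and contrasts it
# with a hardened append. All paths are constructed under mktemp -d.

set -u

setup_sandbox() {
    SANDBOX=$(mktemp -d)
    SHARED_TMP="$SANDBOX/var_tmp"      # stands in for /var/tmp (mode 1777)
    PRIVATE_LOG="$SANDBOX/var_log"     # stands in for /var/log (mode 0755, service-owned)
    VICTIM="$SANDBOX/authorized_keys"  # stands in for /root/.ssh/authorized_keys
    mkdir -p "$SHARED_TMP" "$PRIVATE_LOG"
    chmod 1777 "$SHARED_TMP"
    chmod 0755 "$PRIVATE_LOG"
    printf 'ssh-rsa AAAAB3...legit-admin-key\n' > "$VICTIM"   # constructed sample
}

# Step 1: any local user pre-creates the fixed-name file as a symlink.
attacker_plant_symlink() {
    ln -s "$VICTIM" "$SHARED_TMP/cvsupd.out"
}

# Step 2: the vulnerable pattern, a fixed name in a world-writable directory.
# ">>" opens with O_APPEND and follows the symlink, so the line lands in VICTIM.
vulnerable_append() {
    printf '%s\n' "$1" >> "$SHARED_TMP/cvsupd.out"
}

# Step 3: hardened variant. Logging into a directory other users cannot write
# to removes the attacker's ability to plant the name at all; the [ -L ] guard
# is belt-and-braces. The guard is only race-free because the directory is not
# writable by others (nobody can swap the entry between the test and the >>).
safe_append() {
    target="$PRIVATE_LOG/cvsupd.out"
    if [ -L "$target" ]; then
        printf 'refusing to write through symlink: %s\n' "$target" >&2
        return 1
    fi
    printf '%s\n' "$1" >> "$target"
}

# Returns 0 when the vulnerable append corrupts VICTIM (one attacker line added
# to the one legitimate line) while the hardened append lands only in the log.
run_demo() {
    setup_sandbox
    attacker_plant_symlink
    payload='ssh-rsa AAAAB3...attacker-key'   # constructed sample
    vulnerable_append "$payload"
    safe_append "$payload"
    corrupted=0
    grep -q 'attacker-key' "$VICTIM" && corrupted=1
    logged=0
    grep -q 'attacker-key' "$PRIVATE_LOG/cvsupd.out" && logged=1
    victim_lines=$(grep -c '' "$VICTIM")
    rm -rf "$SANDBOX"
    [ "$corrupted" -eq 1 ] && [ "$logged" -eq 1 ] && [ "$victim_lines" -eq 2 ]
}

# Exercises the guard on its own: if a symlink somehow appears at the private
# log path, safe_append must fail and leave VICTIM alone.
run_symlink_refusal_demo() {
    setup_sandbox
    ln -s "$VICTIM" "$PRIVATE_LOG/cvsupd.out"
    if safe_append 'ssh-rsa AAAAB3...attacker-key' 2>/dev/null; then
        rc=0
    else
        rc=1
    fi
    leaked=0
    grep -q 'attacker-key' "$VICTIM" && leaked=1
    rm -rf "$SANDBOX"
    [ "$rc" -eq 1 ] && [ "$leaked" -eq 0 ]
}

# Stand-alone run: report the outcome of both demos.
run_demo && echo "vulnerable append corrupted the victim; hardened append did not"
run_symlink_refusal_demo && echo "hardened append refused to write through a symlink"
```

The sandbox deliberately runs everything as one uid, so on Linux hosts with fs.protected_symlinks enabled the follow in the vulnerable step is still permitted (the symlink owner matches the follower); on a real multi-user box that sysctl, like the nosymfollow mount option Jan suggests for /var/tmp, is the system-wide version of the same defence. Neither replaces the simple fix of not writing to a fixed name in a shared directory in the first place.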