From: dt71@gmx.com
Date: Thu, 23 May 2013 08:50:15 +0200
To: freebsd-current@freebsd.org
Subject: absolute paths in port patch files
Message-ID: <519DBC27.9030600@gmx.com>

In the ports system, some patch files use absolute paths. Run

    ls -d /usr/ports/*/*/files | xargs -IX grep -rnE '^([+][+][+]|---) /' X

to see what I mean. For example, there is:

    /usr/ports/textproc/texi2html/files/patch-texi2html.pl:2:+++ /usr/local/bin/texi2html 2012-07-09 10:53:16.000000000 +0200

Some patch files refer to target files in the /tmp directory. Theoretically, this means that malicious regular users are able to fiddle with the patching process: by creating the target files in the /tmp directory, they are able to silently cause patches to apply to bogus files in the /tmp directory instead of the intended files in the port's work directory. In the extreme case, a malicious user could cause ports to be built without certain security patches. The user could also try a symlink attack.

Some patch files refer to target files that "will be" installed, such as /usr/local/bin/texi2html. A patch in the textproc/texi2html port was the basis for me finding out about this issue: the port was already installed, and was being built to be reinstalled, and the patching process tried to modify the installed /usr/local/bin/texi2html file, but failed (the following files were created: /usr/local/bin/texi2html.orig and /usr/local/bin/texi2html.rej). However, theoretically, if the patching process succeeds on the already-installed files, then later, unpatched files will be reinstalled.

Some patch files refer directly to target files in the /usr/ports directory, others to the /home directory. These are practically harmless.

In all cases, absolute paths should be replaced with relative paths.

At the time of this writing, the malicious user thing is just theory, while the texi2html is just an annoying build bug. It seems that this path issue doesn't warrant much noise.
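
An added example, not part of the original message: a Python check in the spirit of the grep above that reports absolute paths only when they appear in real diff file headers (unified or context), skipping hunk bodies and the /dev/null new-file marker. The risk class names and the sample patch are constructed for illustration.

```python
import re

HEADER = re.compile(r'^(---|\+\+\+|\*\*\*) (/[^\t ]*)')  # absolute path in a file header
HUNK = re.compile(r'^@@ -\d+(?:,(\d+))? \+\d+(?:,(\d+))? @@')

def classify(path):
    """Risk class for an absolute target; the class names are this example's own."""
    if path.startswith(('/tmp/', '/var/tmp/')):
        return 'world-writable'   # any local user can pre-create or symlink the target
    if path.startswith('/usr/local/'):
        return 'installed-file'   # patch may hit an already-installed copy
    return 'other-absolute'

def absolute_targets(patch_text):
    """Return [(line_no, marker, path, risk)] for absolute paths in diff file headers."""
    findings = []
    old_left = new_left = 0       # body lines still owed to the current unified hunk
    for line_no, line in enumerate(patch_text.splitlines(), start=1):
        if old_left > 0 or new_left > 0:
            tag = line[:1]
            if tag in (' ', '', '-', '+', '\\'):
                # Hunk body: "--- /x" here is the removed text "-- /x", not a header.
                old_left -= tag in (' ', '', '-')
                new_left -= tag in (' ', '', '+')
                continue
            old_left = new_left = 0   # malformed hunk: treat this line as top level
        hunk = HUNK.match(line)
        if hunk:
            old_left = int(hunk.group(1) or 1)   # an omitted count means 1
            new_left = int(hunk.group(2) or 1)
            continue
        header = HEADER.match(line)
        if header and header.group(2) != '/dev/null':   # /dev/null marks a new file
            findings.append((line_no, *header.groups(), classify(header.group(2))))
    return findings

# Constructed sample: header from the post, a removed line "-- /...", a new file in /tmp.
SAMPLE = (
    "--- texi2html.pl.orig\t2012-07-09 10:50:00.000000000 +0200\n"
    "+++ /usr/local/bin/texi2html\t2012-07-09 10:53:16.000000000 +0200\n"
    "@@ -1 +1 @@\n"
    "--- /etc/hosts is read here\n"
    "+# reads the hosts file\n"
    "--- /dev/null\t2013-01-01 00:00:00.000000000 +0000\n"
    "+++ /tmp/build/config.h\t2013-01-01 00:00:00.000000000 +0000\n"
)

if __name__ == '__main__':
    print(*absolute_targets(SAMPLE), sep='\n')
```

On the sample, a plain line-by-line match of the grep pattern hits four lines, while this check reports only the two real absolute targets.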