Date: Wed, 21 Nov 2001 14:41:59 -0500
From: The Anarcat <anarcat@anarcat.dyndns.org>
To: Eric Anderson <anderson@centtech.com>
Cc: FreeBSD Security Issues <FreeBSD-security@freebsd.org>
Subject: Re: fun with pkg_add
Message-ID: <20011121194159.GA69296@shall.anarcat.dyndns.org>
In-Reply-To: <3BFC025D.36710154@centtech.com>
References: <20011121191808.GD44370@shall.anarcat.dyndns.org> <3BFC025D.36710154@centtech.com>

On Wed Nov 21, 2001 at 01:37:01PM -0600, Eric Anderson wrote:
> The only danger I see is a potential that the user could
> replace the binary with a hacked version, between untarring
> and installing, creating a breach.

Yes. This is what I saw too.

> Other than that, it's the same as a /var/tmp directory almost.

Except that /var/tmp is a "known issue" and admins are generally aware of its vulnerability. Admins surely don't expect their installed packages to be overwritable.

I will open a pr about this.

A.
