Re: Security issue in net/cvsup-mirror port

From: The Anarcat (anarcat@anarcat.ath.cx)
Date: 11/10/02


Date: Sun, 10 Nov 2002 15:24:49 -0500
From: The Anarcat <anarcat@anarcat.ath.cx>
To: Joshua Goodall <joshua@roughtrade.net>


You are perfectly right altought I don't understand why you feel you
shouldn't file a PR for this.

Also, I suggest the following patch instead:

--- cvsupd.sh.orig Sun Nov 10 15:19:22 2002
+++ cvsupd.sh Sun Nov 10 15:23:08 2002
@@ -5,7 +5,7 @@
     exit 1
 fi
 base=${PREFIX}/etc/cvsup
-rundir=/var/tmp
+rundir=`mktemp -d /var/tmp/cvsupd.XXXXXX`
 out=${rundir}/cvsupd.out
 
 export PATH=/bin:/usr/bin:${PREFIX}/sbin

A.

On Sun Nov 10, 2002 at 10:11:51AM +1100, Joshua Goodall wrote:
> Hi,
>
> Better not to file a PR for this, I feel.
>
> I was just passing by net/cvsup-mirror/files/cvsupd.sh when I noticed that
> it appends to the fixed-name file /var/tmp/cvsupd.out
>
> Therefore if I were a malicious user, I could make a symlink of that
> name in /var/tmp to effect arbitrary file corruption. If
> I was really clever, I might point it at /root/.ssh/authorized_keys and
> use secondary means to get cvsupd's output to include my public key.
>
> Consider changing it to /var/log/cvsupd.out ?
>
> Regards,
> Joshua.
>
> --
> Joshua Goodall
> joshua@roughtrade.net "Your byte hit ratio is weak, old man"
> "If you cache me now, I will dump more core than you can possibly imagine"
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

-- 
From the age of uniformity, from the age of solitude, from the age of
Big Brother, from the age of doublethink - greetings!

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message