Hi,

Better not to file a PR for this, I feel.

I was just passing by net/cvsup-mirror/files/cvsupd.sh when I noticed that
it appends to the fixed-name file /var/tmp/cvsupd.out

Therefore if I were a malicious user, I could make a symlink of that
name in /var/tmp to effect arbitrary file corruption. If
I was really clever, I might point it at /root/.ssh/authorized_keys and
use secondary means to get cvsupd's output to include my public key.

Consider changing it to /var/log/cvsupd.out ?

Regards,
Joshua.

-- 
Joshua Goodall
joshuaroughtrade.net               "Your byte hit ratio is weak, old man"
"If you cache me now, I will dump more core than you can possibly imagine"
To Unsubscribe: send mail to majordomoFreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]