From: The Anarcat (anarcat_at_anarcat.ath.cx)
Date: Sun Nov 10 2002 - 14:24:49 CST


    You are perfectly right, although I don't understand why you feel you
    shouldn't file a PR for this.

    Also, I suggest the following patch instead:

    --- cvsupd.sh.orig Sun Nov 10 15:19:22 2002
    +++ cvsupd.sh Sun Nov 10 15:23:08 2002
    -5,7 +5,7
         exit 1
     fi
     base=${PREFIX}/etc/cvsup
    -rundir=/var/tmp
    +rundir=`mktemp -d /var/tmp/cvsupd.XXXXXX`
     out=${rundir}/cvsupd.out
     
     export PATH=/bin:/usr/bin:${PREFIX}/sbin
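    Review bot: the patched line creates a fresh directory on every run but nothing in the hunk removes it, so each invocation leaves another /var/tmp/cvsupd.XXXXXX behind; and if mktemp fails, rundir is empty and `out` silently becomes /cvsupd.out. Suggest `rundir=$(mktemp -d /var/tmp/cvsupd.XXXXXX) || exit 1` in place of the backtick line, consistent with the `exit 1` already used a few lines up, plus a `trap 'rm -rf "$rundir"' EXIT` (or an explicit rm at the end) if the output file is not needed after the run.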

    A.

    On Sun Nov 10, 2002 at 10:11:51AM +1100, Joshua Goodall wrote:
    > Hi,
    >
    > Better not to file a PR for this, I feel.
    >
    > I was just passing by net/cvsup-mirror/files/cvsupd.sh when I noticed that
    > it appends to the fixed-name file /var/tmp/cvsupd.out
    >
    > Therefore if I were a malicious user, I could make a symlink of that
    > name in /var/tmp to effect arbitrary file corruption. If
    > I was really clever, I might point it at /root/.ssh/authorized_keys and
    > use secondary means to get cvsupd's output to include my public key.
    >
    > Consider changing it to /var/log/cvsupd.out ?
    >
    > Regards,
    > Joshua.
    >
    > --
    > Joshua Goodall
    > joshua@roughtrade.net "Your byte hit ratio is weak, old man"
    > "If you cache me now, I will dump more core than you can possibly imagine"
    >
    > To Unsubscribe: send mail to majordomo@FreeBSD.org
    > with "unsubscribe freebsd-security" in the body of the message
    >

    -- 
    From the age of uniformity, from the age of solitude, from the age of
    Big Brother, from the age of doublethink - greetings!
    

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.0 (FreeBSD)

    iD8DBQE9zsCQttcWHAnWiGcRAleSAJ95L97nPnoY77VWBG4ehMq9f+rvnACgoYa+
    CmPkw9grLXJiHIYHnvP+vHk=
    =7YY3
    -----END PGP SIGNATURE-----
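The private run directory pattern from the patch above, written out as an added example that is not the port's cvsupd.sh nor code from either poster. The function names (make_rundir, is_private_dir, append_log, demo) are this example's own, and the demo works in a scratch directory it creates itself, which stands in for /var/tmp; the pre-planted symlink it sets up is the constructed scenario from Joshua's mail, used here only to show that the private directory takes the fixed, predictable name out of play.

```shell
#!/bin/sh
# Added example, not the net/cvsup-mirror cvsupd.sh: the private run
# directory pattern from the proposed patch, plus the checks a reviewer
# would want around it. Function names are this example's own, and a
# scratch directory created by the demo stands in for /var/tmp.
set -u

# 0 if $1 is a real directory (not a symlink) with mode exactly 0700.
is_private_dir() {
    [ -d "$1" ] && [ ! -L "$1" ] || return 1
    # -prune stops find from descending; -perm 700 is an exact mode match.
    find "$1" -prune -perm 700 | grep -q .
}

# Create a fresh, unpredictably named, mode-0700 directory under the base
# directory $1 and print its path. mktemp -d picks the name and creates
# the directory atomically, so nobody can pre-plant a symlink or file at
# the path the script is about to use (the fixed-name /var/tmp/cvsupd.out
# problem). Returns 1 if mktemp fails, instead of silently continuing
# with an empty rundir.
make_rundir() {
    base=$1
    # umask in a subshell so the caller's umask is left untouched.
    dir=$(umask 077 && mktemp -d "$base/cvsupd.XXXXXX") || return 1
    is_private_dir "$dir" || return 1
    printf '%s\n' "$dir"
}

# Append line $2 to log file $1, refusing if the path is a symlink.
# This is defence in depth only: the check and the open are two separate
# steps, so it is still racy in a world-writable directory. The real fix
# is writing inside a private rundir, where nobody else can plant a link.
append_log() {
    file=$1
    line=$2
    if [ -L "$file" ]; then
        return 1
    fi
    printf '%s\n' "$line" >>"$file"
}

# Walk through the scenario from the thread in a scratch directory
# (constructed; stands in for /var/tmp). Returns 0 if the private rundir
# leaves the victim file untouched and the fixed-name write is refused.
demo() {
    scratch=$(mktemp -d) || return 1
    victim=$scratch/victim.txt
    : >"$victim"
    # A pre-planted link at the fixed, predictable name.
    ln -s "$victim" "$scratch/cvsupd.out"

    status=0
    # Old layout: fixed name in the shared directory. append_log refuses
    # because the path is a symlink; without that check the write would
    # land in victim.txt.
    if append_log "$scratch/cvsupd.out" "cvsupd output"; then
        echo "fixed-name path was written (unexpected)"; status=1
    else
        echo "fixed-name path is a symlink, write refused"
    fi

    # Patched layout: private rundir, log file inside it.
    rundir=$(make_rundir "$scratch") || { rm -rf "$scratch"; return 1; }
    append_log "$rundir/cvsupd.out" "cvsupd output" || status=1
    [ -s "$rundir/cvsupd.out" ] && [ ! -s "$victim" ] || status=1
    echo "private rundir: $rundir (victim untouched)"

    rm -rf "$scratch"
    return $status
}

demo
```

The symlink test in append_log is there to show what the old fixed-name layout was missing, not as the fix: between the `[ -L ]` check and the `>>` open another process can still swap the file, which is exactly why the patch moves the output into a directory that only the script's user can write to. The exact-mode check in is_private_dir is the assertion a script can make about mktemp -d on both the GNU and BSD implementations.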
