From owner-freebsd-ports Wed Sep 18 0:30:12 2002
Delivered-To: freebsd-ports@hub.freebsd.org
Message-Id: <200209180722.g8I7MB239189@shell.dragondata.com>
Date: Wed, 18 Sep 2002 02:22:11 -0500 (CDT)
From: Kevin Day
Reply-To: Kevin Day
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Subject: ports/42920: [MAINTAINER PATCH] [SECURITY] Update for editors/joe - drop sgid/suid on backup files
Sender: owner-freebsd-ports@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number: 42920
>Category: ports
>Synopsis: [MAINTAINER PATCH] [SECURITY] Update for editors/joe - drop sgid/suid on backup files
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-ports
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: maintainer-update
>Submitter-Id: current-users
>Arrival-Date: Wed Sep 18 00:30:08 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator: Kevin Day
>Release: FreeBSD 4.6-STABLE i386
>Organization: Dragondata
>Environment:
System: FreeBSD shell.dragondata.com 4.6-STABLE FreeBSD 4.6-STABLE #4: Mon Mar 4 00:26:04 CST 2002 toasty@shell.dragondata.com:/usr/src/sys/compile/SHELL i386
>Description:
A post on Bugtraq (<20020917183024.GA7393@yakuza.salon.cz>) brought up a somewhat minor flaw in the JOE editor. Backups of sgid/suid files should drop the sgid/suid bits, because backup files are owned by the user running joe, not the owner of the file.
>How-To-Repeat:
Create a file such as this:

-rwsr-sr-x 1 toasty toasty 2 Sep 18 02:00 test.file

As root, open/save it, and this backup file is created:

-rwsr-sr-x 1 root wheel 2 Sep 18 01:58 test.file~

It would require some impressive social engineering to take advantage of this, but it's still not a good idea.
>Fix:
Add patch-ak to ports/editors/files:

--- ufile.c.orig Fri Jan 13 11:13:16 1995 +++ ufile.c Wed Sep 18 02:10:05 2002 
@@ -149,7 +149,7 @@ f=open(from,O_RDONLY); if(f<0) return -1; if(fstat(f,&sbuf)<0) return -1; - g=creat(to,sbuf.st_mode); + g=creat(to,sbuf.st_mode&~(S_ISGID|S_ISUID)); if(g<0) { close(f);
>Release-Note:
>Audit-Trail:
>Unformatted:
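Review bot: the mask on the added line, g=creat(to,sbuf.st_mode&~(S_ISGID|S_ISUID)), only takes effect when the backup file does not exist yet. creat() ignores its mode argument for a file that is already there, so a test.file~ left behind by an earlier save can keep whatever mode bits it already has. Suggest setting the mode explicitly once the descriptor is open, for example fchmod(g, sbuf.st_mode&~(S_ISGID|S_ISUID)) right after the g<0 check, or removing the old backup before creating the new one. A smaller point on the unchanged context: the early return in if(fstat(f,&sbuf)<0) return -1; leaves f open, unlike the g<0 branch, which does close(f).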