Date: Mon, 11 Nov 2002 14:37:49 -0800 (PST)
From: John Polstra <jdp@polstra.com>
To: hubs@freebsd.org
Subject: Security update for the cvsup-mirror port
Message-ID: <XFMail.20021111143749.jdp@polstra.com>
-----BEGIN PGP SIGNED MESSAGE-----

This mail is for CVSup mirror site maintainers using the "cvsup-mirror" port.

A potential vulnerability was discovered in the cvsupd start-up script for this port, normally installed as "/usr/local/etc/rc.d/cvsupd.sh". I have committed a fix to the cvsup-mirror port, and I recommend that you update your mirror to the latest version of the port. The fixed version is "cvsup-mirror-1.2_1". Instructions for a quick update can be found below.

The potential vulnerability involves a file which is created in /var/tmp by the cvsupd start-up script. A local user might be able to create a symbolic link of the same name, pointing to an arbitrary system file. If cvsupd crashed and wrote a failure message to its standard error or standard output, that message would be appended to the referenced file. There have been no known exploits, but it would still be a good idea for each of you to eliminate the vulnerability by updating your sites.

If you do not want to reinstall the cvsup-mirror port, you can update your site quickly as follows:

1. Obtain the fixed version of cvsupd.sh with this command. The command is broken up into multiple lines in an attempt to prevent mailers from mangling it.

fetch -o cvsupd.sh \
"http://www.freebsd.org/cgi/cvsweb.cgi/~checkout~/\
ports/net/cvsup-mirror/files/\
cvsupd.sh?rev=1.7&content-type=text/plain"

2. Verify the MD5 checksum of the fetched file with this command:

md5 cvsupd.sh

The output should be:

MD5 (cvsupd.sh) = d1fd341f75dfa7c3cc459a6b4d3606e7

Do not use the file if you get different output.

3. Stop cvsupd by typing "/usr/local/etc/rc.d/cvsupd.sh stop". In this step and in subsequent steps, adjust the pathname if you have a non-standard installation.

4. Copy the new cvsupd.sh file to "/usr/local/etc/rc.d/cvsupd.sh". Make sure the file has mode 755 after you copy it. Make sure it is owned by root.

5. Restart cvsupd by typing "/usr/local/etc/rc.d/cvsupd.sh start".

6. Verify that your mirror is up and running again.

John Polstra
CVSup Guy

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv

iQCVAwUBPdAxAsdm8Q+/vPRJAQHCVgP/bqrZROfPdIVPeOSX5s9unHQejFIHdY6l
K2ehugedQg557Q1D2yxcyinRS3S4HbShDiLcrfJphWinh5Wsp06kh3qNeZfnlpXO
6CEKJSGEzpIY2oeFFeSqgNe1VUOq9d1nisqECgcyavlH41guUs4SclhLkZg87Pu0
yuGI+i2BXHQ=
=Wyyu
-----END PGP SIGNATURE-----

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hubs" in the body of the message
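The following is an added example and is not part of the mail above, nor code from the cvsup-mirror port. It reproduces, inside a scratch directory, the class of bug the mail describes: a start-up script appends a daemon's output to a predictable name in a world-writable tmp directory, so a local user who plants a symlink of that name first gets the daemon's error text appended to a file of their choosing. Beside it is one mitigation, creating the output file with mktemp (random name, O_CREAT|O_EXCL, mode 0600). The file name cvsupd.out, the target file, the daemon stand-in and the mktemp approach are all assumptions made for the demonstration; the mail does not say what the committed fix actually does.

```sh
#!/bin/sh
# Added example, not from the mail above or from the cvsup-mirror port.
# A scratch directory stands in for the filesystem; nothing touches the
# real /var/tmp. All names below are assumptions for the demonstration.

SANDBOX=$(mktemp -d)                 # stands in for the real filesystem
FAKE_TMP="$SANDBOX/var_tmp"          # stands in for /var/tmp
TARGET="$SANDBOX/important.conf"     # stands in for the system file an attacker targets
PREDICTABLE="cvsupd.out"             # assumed fixed log name (the mail does not give the real one)
trap 'rm -rf "$SANDBOX"' EXIT

mkdir -p "$FAKE_TMP"

# Put the target back to a known state before each scenario.
reset_target() {
    printf 'original contents\n' > "$TARGET"
}

# Stand-in for cvsupd crashing: a failure message on stderr, non-zero exit.
fake_daemon() {
    echo "cvsupd: fatal: simulated crash" >&2
    return 1
}

# Attacker step: pre-create the predictable name as a symlink to $TARGET.
plant_symlink() {
    ln -sf "$TARGET" "$FAKE_TMP/$PREDICTABLE"
}

# Vulnerable pattern. ">>" opens the path with O_CREAT|O_APPEND and follows
# the symlink, so the crash message lands in $TARGET. The shell's noclobber
# option (set -C) only guards ">", not ">>", so it would not help here.
vulnerable_start() {
    fake_daemon >> "$FAKE_TMP/$PREDICTABLE" 2>&1 || true
}

# One mitigation (an assumption for this example, not necessarily what the
# port's fix does): let mktemp create the file under an unpredictable name
# with O_CREAT|O_EXCL and mode 0600, so there is no name for the attacker to
# plant in advance. Prints the path of the file it used.
hardened_start() {
    logfile=$(mktemp "$FAKE_TMP/cvsupd.XXXXXXXX") || return 1
    fake_daemon >> "$logfile" 2>&1 || true
    echo "$logfile"
}

# Scenario 1: attacker plants the symlink, then the vulnerable script runs.
# Returns 0 if the crash message reached $TARGET (the bug fired).
run_vulnerable_scenario() {
    reset_target
    plant_symlink
    vulnerable_start
    grep -q "simulated crash" "$TARGET"
}

# Scenario 2: same planted symlink, hardened script runs.
# Returns 0 if $TARGET is untouched and the message went to the mktemp file.
run_hardened_scenario() {
    reset_target
    plant_symlink
    used=$(hardened_start) || return 1
    ! grep -q "simulated crash" "$TARGET" && grep -q "simulated crash" "$used"
}

if run_vulnerable_scenario; then
    echo "vulnerable start-up: crash message appended to $TARGET through the planted symlink"
fi
if run_hardened_scenario; then
    echo "hardened start-up: $TARGET untouched; output went to a private mktemp file"
fi
```

The same effect can be had without mktemp by writing the daemon's output somewhere unprivileged users cannot create entries at all (a root-owned log directory rather than a shared tmp directory); what matters is that an attacker never gets to choose what the fixed path points at before root opens it.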