Date:      Tue, 11 Jul 2000 23:40:49 -0700 (PDT)
From:      mirchr@sunyit.edu
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   ports/19862: The port xtrojka contains a bug that could be maliciously exploited by a local user.
Message-ID:  <20000712064049.5382537BBEC@hub.freebsd.org>


>Number:         19862
>Category:       ports
>Synopsis:       The port xtrojka contains a bug that could be maliciously exploited by a local user.
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-ports
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jul 11 23:50:02 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator:     Rich Mirch
>Release:        4.0-RELEASE
>Organization:
>Environment:
FreeBSD xxxx.my.host.com 4.0-RELEASE FreeBSD 4.0-RELEASE #1: Thu May 11 09:08:34 EDT 2000     root@xxxx.my.host.com:/usr/src/sys/compile/MYHOST  i386
>Description:
There exists a bug in the Makefile which, if exploited by a malicious
local user, allows any arbitrary file to be overwritten. Under the
install label the first line reads

echo $(HSFILE)|sed -e 's/\//\\\//g'>/tmp/hsn

The redirection is used blindly and assumes that the file /tmp/hsn does
not exist. If a malicious user were to create a symbolic link to any
file on the system (i.e., /etc/passwd), the file will be overwritten
with the contents "\/usr\/local\/share\/xtrojka\/xtrojka.scores". Of
course the user has to anticipate the installation by creating the link
beforehand, so it might be tricky to get installed, but they could
easily ask the administrator to install the package, which will be done
as root and thus overwrite any system file.

>How-To-Repeat:
cd /usr/ports/games/xtrojka
make
make install


note: I am mailing the author as well as security-officer@FreeBSD.org
      with the same information.
>Fix:
I added to the Makefile to remove the file /tmp/hsn prior to and after
the installation. While this is a quick fix to get around the problem,
there do exist more secure ways to deal with this.

patches mailed to security-officer@FreeBSD.org

>Release-Note:
>Audit-Trail:
>Unformatted:


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ports" in the body of the message
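
The report says more secure alternatives to the fixed /tmp/hsn name exist; the sketch below is an added example, not the submitter's patch or the port's code, showing two of them with the same sed expression. The function names and the sandbox directory standing in for /tmp are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the xtrojka port. Everything runs inside a private
# sandbox directory that stands in for /tmp (constructed setup).

HSFILE=/usr/local/share/xtrojka/xtrojka.scores   # path quoted in the report

# Same sed expression as the Makefile line: rewrite every "/" as "\/".
escape_path() {
    printf '%s\n' "$1" | sed -e 's/\//\\\//g'
}

# Option 1: if a scratch file is needed, let mktemp choose an unpredictable
# name and create it exclusively (mode 0600). Prints the new file's path.
escaped_in_tempfile() {
    tmp=$(mktemp "$1/hsn.XXXXXX") || return 1
    escape_path "$HSFILE" > "$tmp" || return 1
    printf '%s\n' "$tmp"
}

# Option 2: keep the fixed name but enable noclobber (set -C), so ">" fails
# instead of truncating an existing file or writing through a planted link.
escaped_noclobber() {
    ( set -C; escape_path "$HSFILE" > "$1" ) 2>/dev/null
}

# Self-check: plant a symlink at the predictable name, run both options, and
# return 0 only if the link's target is left untouched.
selfcheck() {
    sandbox=$(mktemp -d) || return 1
    printf 'original\n' > "$sandbox/victim"
    ln -s "$sandbox/victim" "$sandbox/hsn"
    rc=0
    escaped_noclobber "$sandbox/hsn" && rc=1          # must refuse
    out=$(escaped_in_tempfile "$sandbox") || rc=1
    [ -f "$out" ] && [ ! -L "$out" ] || rc=1          # fresh regular file
    [ "$(cat "$sandbox/victim")" = original ] || rc=1 # target unchanged
    rm -rf "$sandbox"
    return "$rc"
}
```

Noclobber only refuses when the existing name resolves to a regular file or is a dangling link; the mktemp form avoids the predictable name altogether.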