Date: Tue, 11 Jul 2000 23:40:49 -0700 (PDT) From: mirchr@sunyit.edu To: freebsd-gnats-submit@FreeBSD.org Subject: ports/19862: The port xtrojka contains a bug that could be maliciously exploited by a local user. Message-ID: <20000712064049.5382537BBEC@hub.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 19862 >Category: ports >Synopsis: The port xtrojka contains a bug that could be maliciously exploited by a local user. >Confidential: no >Severity: serious >Priority: low >Responsible: freebsd-ports >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Tue Jul 11 23:50:02 PDT 2000 >Closed-Date: >Last-Modified: >Originator: Rich Mirch >Release: 4.0-RELEASE >Organization: >Environment: FreeBSD xxxx.my.host.com 4.0-RELEASE FreeBSD 4.0-RELEASE #1: Thu May 11 09:08:34 EDT 2000 root@xxxx.my.host.com:/usr/src/sys/compile/MYHOST i386 >Description: There exists a bug in the Makefile which if exploited by a malicious local user, any arbitrary file can be overwritten. Under the install label the first line reads echo $(HSFILE)|sed -e 's/\//\\\//g'>/tmp/hsn The redirection is used blindly and assumes that the file /tmp/hsn does not exist. If a malicious user was to create a symbolic link to any file on the system (ie: /etc/passwd), the file will be over written with the contents "\/usr\/local\/share\/xtrojka\/xtrojka.scores". Of course the user has to anticipate the installation by creating the link prior so it might be tricky to get installed, but could easily ask the administrator to install the package which will be as root and thus overwrite any system file. >How-To-Repeat: cd /usr/ports/games/xtrojka make make install note: I am mailing the author as well as security-officer@FreeBSD.org with the same information. >Fix: I added to the Makefile to remove the file /tmp/hsn prior to and after the installation. While this is a quick fix to get around the problem, there do exist more secure ways to deal with this. patches mailed to security-officer@FreeBSD.org >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ports" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20000712064049.5382537BBEC>