From owner-freebsd-ports Tue Jul 11 23:50:12 2000
Delivered-To: freebsd-ports@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21])
	by hub.freebsd.org (Postfix) with ESMTP id 5037437BC61
	for ; Tue, 11 Jul 2000 23:50:02 -0700 (PDT)
	(envelope-from gnats@FreeBSD.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.9.3/8.9.2) id XAA69397;
	Tue, 11 Jul 2000 23:50:02 -0700 (PDT)
	(envelope-from gnats@FreeBSD.org)
Received: by hub.freebsd.org (Postfix, from userid 32767)
	id 5382537BBEC; Tue, 11 Jul 2000 23:40:49 -0700 (PDT)
Message-Id: <20000712064049.5382537BBEC@hub.freebsd.org>
Date: Tue, 11 Jul 2000 23:40:49 -0700 (PDT)
From: mirchr@sunyit.edu
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-1.0
Subject: ports/19862: The port xtrojka contains a bug that could be maliciously exploited by a local user.
Sender: owner-freebsd-ports@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number:         19862
>Category:       ports
>Synopsis:       The port xtrojka contains a bug that could be maliciously exploited by a local user.
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-ports
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jul 11 23:50:02 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator:     Rich Mirch
>Release:        4.0-RELEASE
>Organization:
>Environment:
FreeBSD xxxx.my.host.com 4.0-RELEASE FreeBSD 4.0-RELEASE #1: Thu May 11 09:08:34 EDT 2000 root@xxxx.my.host.com:/usr/src/sys/compile/MYHOST i386
>Description:
There exists a bug in the Makefile which, if exploited by a malicious
local user, allows any arbitrary file to be overwritten. Under the
install label the first line reads

    echo $(HSFILE)|sed -e 's/\//\\\//g'>/tmp/hsn

The redirection is used blindly and assumes that the file /tmp/hsn does
not exist. If a malicious user was to create a symbolic link to any file
on the system (i.e. /etc/passwd), the file will be overwritten with the
contents "\/usr\/local\/share\/xtrojka\/xtrojka.scores".

Of course the user has to anticipate the installation by creating the
link prior so it might be tricky to get installed, but could easily ask
the administrator to install the package which will be as root and thus
overwrite any system file.
>How-To-Repeat:
cd /usr/ports/games/xtrojka
make
make install

note: I am mailing the author as well as security-officer@FreeBSD.org
with the same information.
>Fix:
I added to the Makefile to remove the file /tmp/hsn prior to and after
the installation. While this is a quick fix to get around the problem,
there do exist more secure ways to deal with this.

patches mailed to security-officer@FreeBSD.org
>Release-Note:
>Audit-Trail:
>Unformatted:
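
Added example, not part of the original report or the port's Makefile: a sandboxed shell sketch showing why redirecting into a fixed name such as /tmp/hsn follows an existing symbolic link, next to a mktemp-based alternative. The function names and the sandbox directory are assumptions; HSFILE uses the path quoted in the report.

```shell
#!/bin/sh
# HSFILE is the value quoted in the report; every other name is hypothetical.
HSFILE=/usr/local/share/xtrojka/xtrojka.scores

# Escape "/" as "\/", as the install rule quoted in the report does.
escape_path() {
    printf '%s\n' "$1" | sed -e 's/\//\\\//g'
}

# Pattern from the report: redirect into a fixed, predictable name.
# $1 stands in for /tmp so the demo never leaves its sandbox directory.
write_fixed_name() {
    escape_path "$HSFILE" > "$1/hsn"
}

# Hardened: mktemp creates a new file (exclusive create, mode 0600) with an
# unpredictable name, so an existing link called "hsn" is never opened.
write_private_temp() {
    tmp=$(mktemp "$1/hsn.XXXXXX") || return 1
    escape_path "$HSFILE" > "$tmp"
    printf '%s\n' "$tmp"
}

# Build a sandbox in which "hsn" already exists as a symbolic link to a
# file that must not change, run one variant, and print that file.
demo() {
    sandbox=$(mktemp -d "${TMPDIR:-/tmp}/hsn-demo.XXXXXX") || return 1
    echo "important data" > "$sandbox/protected"
    ln -s "$sandbox/protected" "$sandbox/hsn"
    case "$1" in
        fixed)   write_fixed_name "$sandbox" ;;
        private) write_private_temp "$sandbox" > /dev/null ;;
    esac
    cat "$sandbox/protected"
    rm -rf "$sandbox"
}

# Show both outcomes when the script is run directly.
echo "fixed name:   $(demo fixed)"
echo "private temp: $(demo private)"
```

Removing /tmp/hsn before the redirect still leaves a window between the removal and the write; creating the file exclusively under an unpredictable name closes it.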