In the ports system, some patch files use absolute paths. Run

    ls -d /usr/ports/*/*/files | xargs -IX grep -rnE '^([+][+][+]|---) /' X

to see what I mean. For example, there is:

    /usr/ports/textproc/texi2html/files/patch-texi2html.pl:2:+++ /usr/local/bin/texi2html 2012-07-09 10:53:16.000000000 +0200

Some patch files refer to target files in the /tmp directory. Theoretically, this means that malicious regular users are able to fiddle with the patching process: by creating the target files in the /tmp directory, they are able to silently cause patches to apply to bogus files in the /tmp directory instead of the intended files in the port's work directory. In the extreme case, a malicious user could cause ports to be built without certain security patches. The user could also try a symlink attack.

Some patch files refer to target files that "will be" installed, such as /usr/local/bin/texi2html. A patch in the textproc/texi2html port was the basis for me finding out about this issue: the port was already installed, and was being built to be reinstalled, and the patching process tried to modify the installed /usr/local/bin/texi2html file, but failed (the following files were created: /usr/local/bin/texi2html.orig and /usr/local/bin/texi2html.rej). However, theoretically, if the patching process succeeds on the already-installed files, then later, unpatched files will be reinstalled.

Some patch files refer directly to target files in the /usr/ports directory, others to the /home directory. These are practically harmless.

In all cases, absolute paths should be replaced with relative paths.

At the time of this writing, the malicious user thing is just theory, while the texi2html is just an annoying build bug. It seems that this path issue doesn't warrant much noise.

Received on Thu May 23 2013 - 04:50:24 UTC
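
A stricter variant of the grep in the message, added here as an example and not part of the original post: it skips /dev/null headers, which are normal for created or deleted files, and groups the remaining absolute targets by the cases the message distinguishes. The function names, the class labels, the inclusion of /var/tmp and the sample tree are assumptions of this example.

```sh
#!/bin/sh
# Added example: list absolute-path targets in ports patch files by class.
# Class labels (TMP, INSTALLED, LOW, OTHER) are this example's own names.

scan_patch_targets() {
    # $1: tree to search; only files under a files/ directory are read.
    find "$1" -type f -path '*/files/*' -exec awk '
        # Same header match as the grep in the message: ---/+++ then "/".
        /^(---|[+][+][+]) \// {
            path = $2
            # "/dev/null" is the normal marker for a created or deleted file.
            if (path == "/dev/null") next
            # World-writable directories (/var/tmp is added by this example).
            if (path ~ /^\/(tmp|var\/tmp)\//)            class = "TMP"
            else if (path ~ /^\/usr\/local\//)           class = "INSTALLED"
            else if (path ~ /^\/(usr\/ports|home)\//)    class = "LOW"
            else                                         class = "OTHER"
            printf "%s\t%s:%d\t%s\n", class, FILENAME, FNR, path
        }' {} +
}

# Constructed sample tree (not real ports content) so this runs offline.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/cat/port-a/files" "$d/cat/port-b/files"
    printf '%s\n' '--- /dev/null' '+++ /tmp/build/foo.c' \
        '@@ -0,0 +1 @@' '+int x;' > "$d/cat/port-a/files/patch-foo.c"
    printf '%s\n' '--- texi2html.pl.orig' \
        '+++ /usr/local/bin/texi2html 2012-07-09 10:53:16.000000000 +0200' \
        '@@ -1 +1 @@' > "$d/cat/port-b/files/patch-texi2html.pl"
    printf '%s\n' '--- src/ok.c.orig' '+++ src/ok.c' \
        > "$d/cat/port-b/files/patch-src_ok.c"
    echo "$d"
}

tree=$(make_sample_tree)
scan_patch_targets "$tree"
rm -rf "$tree"
```

Run against a real tree with `scan_patch_targets /usr/ports`; TMP and INSTALLED rows are the two cases the message describes as able to redirect or misapply a patch.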