From arkadi@hosting.lv  Fri Dec 20 04:22:21 2002
Return-Path: <arkadi@hosting.lv>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 5BBCD37B401
	for <FreeBSD-gnats-submit@freebsd.org>; Fri, 20 Dec 2002 04:22:21 -0800 (PST)
Received: from idea.hosting.lv (idea.hosting.lv [62.85.37.81])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 6F56D43EDC
	for <FreeBSD-gnats-submit@freebsd.org>; Fri, 20 Dec 2002 04:22:20 -0800 (PST)
	(envelope-from arkadi@hosting.lv)
Received: from arkadi by idea.hosting.lv with local 
	id 18PMAZ-000Nyq-00
	for FreeBSD-gnats-submit@freebsd.org; Fri, 20 Dec 2002 14:22:23 +0200
Message-Id: <E18PMAZ-000Nyq-00@idea.hosting.lv>
Date: Fri, 20 Dec 2002 14:22:23 +0200
From: Arkadi Shishlov <arkadi@hosting.lv>
Reply-To: Arkadi Shishlov <arkadi@hosting.lv>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: lib
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         46399
>Category:       ports
>Synopsis:       libdvxencore permissions
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Dec 20 04:30:01 PST 2002
>Closed-Date:    Thu Oct 09 05:05:15 PDT 2003
>Last-Modified:  Thu Oct 09 05:05:15 PDT 2003
>Originator:     Arkadi Shishlov
>Release:        FreeBSD 4.6.2-RELEASE i386
>Organization:
>Environment:
System: FreeBSD idea.hosting.lv 4.6.2-RELEASE FreeBSD 4.6.2-RELEASE #0: Mon Aug 19 20:10:07 EEST 2002 root@idea.hosting.lv:/usr/src/sys/compile/idea i386

>Description:
libdivxencore port builds from world-writable source files in world-writable
directories. ports collection is fresh, updated a minute ago. RELENG_4 tag.

>How-To-Repeat:
idea(p1)root:/usr/ports/multimedia/libdivxencore> make patch
===>  Extracting for libdivxencore-devel-0.4.0.50
>Fix:
>Release-Note:
>Audit-Trail:

From: Mario Sergio Fujikawa Ferreira <lioux@FreeBSD.org>
To: Arkadi Shishlov <arkadi@hosting.lv>
Cc: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Re: ports/46399: lib
Date: Fri, 20 Dec 2002 12:53:53 -0200

 Hi,
 
 On Fri, Dec 20, 2002 at 02:22:01PM +0200, Arkadi Shishlov wrote:
 >
 > >Description:
 > libdivxencore port builds from world-writable source files in world-writable
 > directories. ports collection is fresh, updated a minute ago. RELENG_4 tag.
 
 	Is that an issue? The permissions of the installed library
 related files are always correct.
 
 	The permissions of the source files are not much of a problem.
 Could you elaborate on the possible problem? Just wondering
 what is the issue here. Don't worry. :)
 
 -- 
 Mario S F Ferreira - DF - Brazil - "I guess this is a signature."
 Computer Science Undergraduate | FreeBSD Committer | CS Developer
 flames to beloved devnull@someotherworldbeloworabove.org
 feature, n: a documented bug | bug, n: an undocumented feature

From: Arkadi Shishlov <arkadi@hosting.lv>
To: Mario Sergio Fujikawa Ferreira <lioux@FreeBSD.org>
Cc: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Re: ports/46399: lib
Date: Fri, 20 Dec 2002 18:36:52 +0200

 On Fri, Dec 20, 2002 at 12:53:53PM -0200, Mario Sergio Fujikawa Ferreira wrote:
 > Could you elaborate on the possible problem? Just wondering
 
 First of all attacker can override sources/whatever while we are building
 application. Also, sometimes I prefer to keep work/ directory and build
 a port once more time (rm work/.build_done; make) due to private patches/etc.
 
 Sorry for dummy Synopsys.
 
 
 arkadi.

From: Mario Sergio Fujikawa Ferreira <lioux@FreeBSD.org>
To: Arkadi Shishlov <arkadi@hosting.lv>
Cc: FreeBSD-gnats-submit@FreeBSD.org
Subject: Re: ports/46399: libdivxencore distfile has world writable files inside it
Date: Fri, 20 Dec 2002 15:08:37 -0200

 On Fri, Dec 20, 2002 at 06:36:30PM +0200, Arkadi Shishlov wrote:
 > On Fri, Dec 20, 2002 at 12:53:53PM -0200, Mario Sergio Fujikawa Ferreira wrote:
 > > Could you elaborate on the possible problem? Just wondering
 > 
 > First of all attacker can override sources/whatever while we are building
 > application. Also, sometimes I prefer to keep work/ directory and build
 > a port once more time (rm work/.build_done; make) due to private patches/etc.
 
 	Okay, the most appropriate fix to this attack would be
 setting a restrictive umask for your shell. That might be the reason
 I never saw this problem because my umask forbids write permissions
 to world.
 
 	Besides, the best I would be able to do in this case, would
 be adding a 'chmod a-w,u+w ${WRKDIR}' as a post-extract target so
 there would be always a window of opportunity for such an attack.
 However, unlikely.
 
 	I can still add such a patch but umask should be your
 better friend. :) This is correct fix for all these issues, we
 cannot quite control how developers will package their distribution
 files. So you could have this problem with hundreds/thousands other
 ports.
 
 	From sh(1) man page
 
 	umask [mask]
 		Set the file creation mask (see umask(2)) to the octal value
 		specified by mask.  If the argument is omitted, the current mask
 		value is printed.
 
 	From umask(2) man page
 
 	DESCRIPTION
 	The umask() routine sets the process's file mode creation mask to numask
 	and returns the previous value of the mask.  The 9 low-order access per-
 	mission bits of numask are used by system calls, including open(2),
 	mkdir(2), and mkfifo(2), to turn off corresponding bits requested in file
 	mode.  (See chmod(2)).  This clearing allows each user to restrict the
 	default access to his files.
 
 	The default mask value is S_IWGRP|S_IWOTH (022, write access for the
 	owner only).  Child processes inherit the mask of the calling process.
 
 	I use umask 077 which does not allow any group or world
 permissions.
  
 > Sorry for dummy Synopsys.
 
 	Don't worry. :) You've just clarified it.
 
 -- 
 Mario S F Ferreira - DF - Brazil - "I guess this is a signature."
 Computer Science Undergraduate | FreeBSD Committer | CS Developer
 flames to beloved devnull@someotherworldbeloworabove.org
 feature, n: a documented bug | bug, n: an undocumented feature

From: Arkadi Shishlov <arkadi@hosting.lv>
To: Mario Sergio Fujikawa Ferreira <lioux@FreeBSD.org>
Cc: FreeBSD-gnats-submit@FreeBSD.org
Subject: Re: ports/46399: libdivxencore distfile has world writable files inside it
Date: Fri, 20 Dec 2002 20:58:23 +0200

 On Fri, Dec 20, 2002 at 03:08:37PM -0200, Mario Sergio Fujikawa Ferreira wrote:
 > 	Okay, the most appropriate fix to this attack would be
 > setting a restrictive umask for your shell. That might be the reason
 
 If you are care to test, just do it. My umask is 022.
 
 > be adding a 'chmod a-w,u+w ${WRKDIR}' as a post-extract target so
 > there would be always a window of opportunity for such an attack.
 > However, unlikely.
 
 Unlikely, but who cares about /tmp race conditions, that are also 'unlikely'..
 Of course the exploitation of this possible race condition is not directly
 controlled by user, but leaving o+w files in /usr/ports is not a sane 
 behaviour IMO.
 
 At least you can fix libdivxencore. For now, I'm setting o-rx on my ports/.
 
 > 	I can still add such a patch but umask should be your
 > better friend. :) This is correct fix for all these issues, we
 > cannot quite control how developers will package their distribution
 > files. So you could have this problem with hundreds/thousands other
 
 It is a question of trust, I trust RedHat not to put o+w files in .rpm.
 I also want to trust FreeBSD ports not to do silly things just because
 'we can't control it'. Developer are better to check source packages when
 submitting new builds. Gentoo Linux, for example, sometimes repackage
 original sources and almost always provide it from world-wide Gentoo
 servers network.
 
 >> Sorry for dummy Synopsys.
 >        Don't worry. :) You've just clarified it.
 
 Is there any way to change PR info fields after PR is submited?
 I can't find any information on FreeBSD site.
 
 
 arkadi, just wondering what sometimes you can find on some systems with
 find / -perm.
State-Changed-From-To: open->closed 
State-Changed-By: edwin 
State-Changed-When: Thu Oct 9 05:03:24 PDT 2003 
State-Changed-Why:  
Louix@ exchanged some thoughts about the issue. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=46399 
>Unformatted:
 >> Checksum OK for encore50src.zip.
 ===>   libdivxencore-devel-0.4.0.50 depends on executable: unzip - found
 ===>  Patching for libdivxencore-devel-0.4.0.50
 idea(p1)root:/usr/ports/multimedia/libdivxencore> find . -perm +go+w -a -type d
 ./work/encore/cvs
 ./work/encore/build
 ./work/encore/build/cvs
 ./work/encore/build/win32
 ./work/encore/build/win32/cvs
 ./work/encore/src
 ./work/encore/src/cvs
 ./work/encore/src/intel_mmx
 ./work/encore/src/intel_mmx/cvs
