FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

portupgrade -- insecure temporary file handling vulnerability

Affected packages
portupgrade < 20041226_2

Details

VuXML ID 22f00553-a09d-11d9-a788-0001020eed82
Discovery 2005-04-12
Entry 2005-04-12

Simon L. Nielsen discovered that portupgrade handles temporary files in an insecure manner. This could allow an unprivileged local attacker to execute arbitrary commands or overwrite arbitrary files with the permissions of the user running portupgrade, typically root, by way of a symlink attack.

The following issues exist where the temporary files are created, by default in the world writeable directory /var/tmp, with the permissions of the user running portupgrade:

A workaround for these issues is to set the PKG_TMPDIR environment variable to a directory only write-able by the user running portupgrade.

References

CVE Name CVE-2005-0610