[sbopkg-users] Sbopkg 0.33.2 Released
slakmagik
slakmagik at gmail.com
Tue Jul 20 02:09:17 UTC 2010
sbopkg 0.33.2 is released. Unfortunately, it's not a very fun release.
Here's the change since the last release:

* fix security issue involving unsafe creation of temp{dir,file}

It takes an unlikely series of events but most exploits do. Without this
fix or a known secure SBOPKGTMP, it's possible for an attacker to
execute an arbitrary shell script as root.

  * A user creates /tmp/sbopkg on a system where sbopkg has not yet been
    installed or run.
  * Root installs/runs sbopkg without noticing /tmp/sbopkg's ownership.
  * The attacker detects root is running sbopkg.
  * The attacker puts arbitrary code in /tmp/sbopkg/sbopkg_updates_tempfile
  * Root runs the 'update' function and crosses ll. 744, 745 and 749 (of
    0.33.1). The code is executed.

Unfortunately, sbopkg.org and googlecode aren't communicating well at
the moment - IIRC, sbopkg.org looks to trunk to update its data and this
is in a branch and I don't have access to sbopkg.org, so you'll need to
get it directly from googlecode:

http://code.google.com/p/sbopkg/

Alternatively, you can check googlecode for the diff of r836 and apply
it. Altalternatively, you can just make absolutely certain that
SBOPKGTMP is owned by root and contains nothing it shouldn't before
running sbopkg. Fixing this issue one way or another is strongly
recommended.

Meanwhile, there's a lot of fun stuff in trunk at the moment. A release
shouldn't be too far off but this issue caught us by surprise and it was
important to get this addressed quickly. Also, trunk features a much
more aggressive (though maybe not yet complete) fix for this issue, but
it's only received *very* cursory testing so anyone wanting to try it
out could help a lot.
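
The manual workaround in the message above (making certain SBOPKGTMP is owned by root and contains nothing it shouldn't) can be scripted as a pre-flight check. This is an added example, not sbopkg code and not the r836 fix; the helper names tmpdir_is_safe and make_private_tmpdir are hypothetical, and it assumes the find and mktemp utilities found on typical Linux systems.

```shell
#!/bin/sh
# Added example: pre-flight check for a work directory such as SBOPKGTMP.
# tmpdir_is_safe and make_private_tmpdir are hypothetical helper names.

# tmpdir_is_safe DIR [UID]
# Succeeds only if DIR is an absolute path to a real directory (not a
# symlink), owned by UID (default 0, i.e. root), not writable by group or
# others, and holding no entries owned by anyone else.
tmpdir_is_safe() {
    dir=$1
    uid=${2:-0}
    case $dir in
        /*) ;;                 # absolute paths only
        *)  return 1 ;;
    esac
    [ ! -L "$dir" ] || return 1
    # -prune keeps find on DIR itself; empty output means a test failed.
    [ -n "$(find "$dir" -prune -type d -user "$uid" \
            ! -perm -020 ! -perm -002 2>/dev/null)" ] || return 1
    # Any entry below DIR that UID does not own was put there by someone else.
    foreign=$(find "$dir" ! -user "$uid" 2>/dev/null) || return 1
    [ -z "$foreign" ] || return 1
    return 0
}

# make_private_tmpdir [PARENT]
# Creates a fresh mode-0700 directory with an unpredictable name under
# PARENT (default /tmp) and prints its path. mktemp -d fails instead of
# reusing a path that already exists, so a pre-created directory is never
# adopted.
make_private_tmpdir() {
    (umask 077 && mktemp -d "${1:-/tmp}/sbopkg.XXXXXX")
}
```

Run as root, `tmpdir_is_safe /tmp/sbopkg || exit 1` before starting sbopkg rejects the pre-created directory from the scenario above, because its owner is not uid 0.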