Simon L. Nielsen discovered that portupgrade handles
temporary files in an insecure manner. This could allow an
unprivileged local attacker to execute arbitrary commands or
overwrite arbitrary files with the permissions of the user
running portupgrade, typically root, by way of a symlink
attack.
The following issues exist where the temporary files are
created, by default in the world-writable directory
/var/tmp, with the permissions of the user running
portupgrade:
- pkg_fetch downloads packages to a predictable local
filename, allowing a local attacker to overwrite arbitrary
local files or potentially replace the downloaded package
after download but before install with a package with
malicious content, allowing the attacker to run arbitrary
commands.
- portupgrade will, when upgrading ports/packages, write
the old package to a predictable temporary file, allowing
an attacker to overwrite arbitrary files via a symlink
attack.
- portupgrade will touch a temporary file with a constant
filename (pkgdb.fixme), allowing an attacker to create
arbitrary zero-byte files via a symlink attack.
A workaround for these issues is to set the PKG_TMPDIR
environment variable to a directory that is writable only
by the user running portupgrade.
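The following is an added example, not code from portupgrade or the advisory. It shows, in Ruby (the language portupgrade is written in), the two defences that address both the issues listed above and the PKG_TMPDIR workaround: validating that a temporary directory is private (a real directory, owned by the current user, with no group or world write bits, as a safe PKG_TMPDIR would be), and creating temporary files with O_CREAT|O_EXCL so that the kernel refuses to open a path where a symlink has already been planted. The function and directory names are assumptions; the insecure `create_following` is included only to contrast the behaviour the advisory describes with the exclusive-create form.

```ruby
require "tmpdir"
require "fileutils"

# Added example (hypothetical helper names), not part of portupgrade.
# Reject a candidate temp directory unless it is a real directory (not a
# symlink), owned by the current user, and writable by nobody else.
# Returns nil when the directory is safe, otherwise a string naming the problem.
def check_private_tmpdir(path)
  st = File.lstat(path)  # lstat: do not follow a symlink planted at `path`
  return "#{path} is a symlink" if st.symlink?
  return "#{path} is not a directory" unless st.directory?
  return "#{path} is not owned by uid #{Process.uid}" unless st.uid == Process.uid
  if (st.mode & 0o022) != 0
    return format("%s is group/world writable (mode %o)", path, st.mode & 0o777)
  end
  nil
rescue Errno::ENOENT
  "#{path} does not exist"
end

# Create a fresh temp directory with mode 0700, suitable as a PKG_TMPDIR.
def make_private_tmpdir(parent = Dir.tmpdir)
  dir = Dir.mktmpdir("pkgtmp-", parent)  # mktmpdir creates it with mode 0700
  problem = check_private_tmpdir(dir)
  raise "refusing to use #{dir}: #{problem}" if problem
  dir
end

# Create a file that must not already exist. O_CREAT|O_EXCL makes open(2)
# fail with EEXIST if anything, including a pre-planted symlink, already sits
# at `path`, so the write can never be redirected to another file.
def create_exclusive(path, data, mode: 0o600)
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, mode) { |f| f.write(data) }
  path
end

# Contrast: the insecure pattern the advisory describes. Mode "w" truncates
# and follows symlinks, so a pre-planted link sends the write elsewhere.
def create_following(path, data)
  File.open(path, "w") { |f| f.write(data) }
  path
end
```

A wrapper such as portupgrade's could call `make_private_tmpdir` once, export the result as PKG_TMPDIR for the child processes it runs, and use `create_exclusive` for every file it writes there; a predictable name is then harmless because an attacker's pre-created entry makes the open fail instead of being followed.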