There exists a bug in the Makefile which if exploited by a malicious local user, any arbitrary file can be overwritten. Under the install label the first line reads echo $(HSFILE)|sed -e 's/\//\\\//g'>/tmp/hsn The redirection is used blindly and assumes that the file /tmp/hsn does not exist. If a malicious user was to create a symbolic link to any file on the system (ie: /etc/passwd), the file will be over written with the contents "\/usr\/local\/share\/xtrojka\/xtrojka.scores". Of course the user has to anticipate the installation by creating the link prior so it might be tricky to get installed, but could easily ask the administrator to install the package which will be as root and thus overwrite any system file. Fix: I added to the Makefile to remove the file /tmp/hsn prior to and after the installation. While this is a quick fix to get around the problem, there do exist more secure ways to deal with this. patches mailed to security-officer@FreeBSD.org How-To-Repeat: cd /usr/ports/games/xtrojka make make install note: I am mailing the author as well as security-officer@FreeBSD.org with the same information.
State Changed From-To: open->closed Close this PR. I just committed the fix in ports/19864. Thanks!