Bug 32172

Summary: pkg_add creates its temporary directories world writable
Product: Base System
Reporter: AnarCat <AnarCat>
Component: bin
Assignee: freebsd-bugs (Nobody) <bugs>
Status: Closed FIXED
Severity: Affects Only Me
Priority: Normal
Version: 4.4-STABLE
Hardware: Any
OS: Any

Description AnarCat 2001-11-21 20:10:01 UTC
pkg_add, when untarring a package prior to its installation, creates all
directories in this package with world-writable protection. Since some
packages are pretty big (e.g. XFree86), the time during which these
directories are available is not negligible and is most definitely
enough to hack some of the binaries getting installed.

Vital third-party programs such as httpd or xterm can be easily
overwritten by a third party.

Fix: I think I found out why it's doing this... When you use the -p switch in
tar invocations on packages, directories get created as 777!!!

The problem is in file.c:



This might cause problems with special permissions on packages with suid
binaries, though. I'm not sure of what the effect of -p actually is, but
a quick test shows tar keeps suid permissions, even without it.

Does anyone have an idea why -p was there in the first place???

Attachment: file.diff

--- /usr/src/usr.sbin/pkg_install/lib/file.c      Thu Nov 15 16:35:52 2001
+++ /home/anarcat/file.c        Wed Nov 21 15:01:10 2001
@@ -465,7 +465,7 @@
     }
     else
        strcpy(args, "-z");
-    strcat(args, " -xpf");
+    strcat(args, " -xf");
     if (vsystem("tar %s '%s' %s", args, pkg, flist ? flist : "")) {
        warnx("tar extract of %s failed!", pkg);
        return 1;
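Review bot: Dropping -p here changes how modes are applied to every entry pkg_add extracts, not only the directories the report is about, and the description itself says the effect of -p is not understood beyond a spot check that setuid bits survive; before taking this, confirm from the tar(1) shipped in the base system what -p controls (typically whether archived modes are applied as recorded or filtered through the process umask) and verify the resulting modes of both files and directories in the staging tree. Since the exposure is that other users can reach the /var/tmp/inst* tree while extraction runs, an alternative that leaves the tar arguments alone is to create the top staging directory with mode 0700, which is the fix recorded in Comment 1.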
How-To-Repeat:
unsuspecting_admin# pkg_add XFree86
<wait>...

evil_attacker$ cd /var/tmp/inst*
evil_attacker$ cd bin
evil_attacker$ mv ~/my_hacked_xfree_server XFree86
evil_attacker$ <grin>
Comment 1 jkh freebsd_committer freebsd_triage 2001-11-24 01:33:39 UTC
State Changed
From-To: open->closed

Fixed by setting top directory to 0700, making contents unbrowsable
(and hence far harder to target).
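The two halves of this report, a staging tree whose directories come out group- or world-writable and the fix of making the top directory 0700, can be checked with a small audit. The following is an added example written for this page; it is not pkg_install code and not the reporter's patch. It assumes a writable /tmp, uses a constructed template name `inst.XXXXXX`, and the function names (`create_private_stagedir`, `dir_is_private`, `count_loose_dirs`, `demo`) are ours.

```c
/* Added example, not pkg_install code: create a private (0700) staging
 * directory and audit a staging tree for group- or world-writable
 * directories, the condition described in this report. */
#define _XOPEN_SOURCE 700
#include <dirent.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Create the staging directory 0700 regardless of umask. mkdtemp() already
 * creates it 0700; the chmod makes the requirement explicit. `tmpl` must end
 * in "XXXXXX" and receives the created path. Returns 0 on success, -1 else. */
int create_private_stagedir(char *tmpl)
{
    if (mkdtemp(tmpl) == NULL)
        return -1;
    return chmod(tmpl, S_IRWXU) == 0 ? 0 : -1;
}

/* 1 if `path` is a directory with no group/other bits at all (the Comment 1
 * fix: nobody but the owner can even browse it), else 0. */
int dir_is_private(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0 || !S_ISDIR(st.st_mode))
        return 0;
    return (st.st_mode & (S_IRWXG | S_IRWXO)) == 0;
}

/* 1 if `path` is a directory writable by group or others, else 0.
 * lstat() so a symlink planted in the tree is not followed. */
int dir_is_loose(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0 || !S_ISDIR(st.st_mode))
        return 0;
    return (st.st_mode & (S_IWGRP | S_IWOTH)) != 0;
}

/* Count group- or world-writable directories under `root`, including
 * `root` itself. Returns -1 if `root` cannot be opened. */
int count_loose_dirs(const char *root)
{
    DIR *d = opendir(root);
    if (d == NULL)
        return -1;
    int count = dir_is_loose(root);
    struct dirent *ent;
    while ((ent = readdir(d)) != NULL) {
        if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
            continue;
        char path[PATH_MAX];
        snprintf(path, sizeof path, "%s/%s", root, ent->d_name);
        struct stat st;
        if (lstat(path, &st) != 0 || !S_ISDIR(st.st_mode))
            continue;                      /* only directories are audited */
        int sub = count_loose_dirs(path);
        if (sub > 0)
            count += sub;
    }
    closedir(d);
    return count;
}

/* Constructed scenario: private top dir, then a 0777 "bin" subdirectory as
 * the report describes, then tightened to 0755. Returns 0 when the audit
 * reports what we expect, 1 when it does not, -1 on a setup error. */
int demo(void)
{
    char top[] = "/tmp/inst.XXXXXX";       /* constructed template name */
    if (create_private_stagedir(top) != 0)
        return -1;
    int top_private = dir_is_private(top);

    char bindir[PATH_MAX];
    snprintf(bindir, sizeof bindir, "%s/bin", top);
    mode_t saved = umask(0);               /* let the full 0777 mode through */
    int rc = mkdir(bindir, 0777);
    umask(saved);
    if (rc != 0) {
        rmdir(top);
        return -1;
    }
    int loose_before = count_loose_dirs(top);   /* expect 1: bin is 0777 */
    rc = chmod(bindir, 0755);
    int loose_after = rc == 0 ? count_loose_dirs(top) : -1;  /* expect 0 */

    rmdir(bindir);
    rmdir(top);
    return (top_private && loose_before == 1 && loose_after == 0) ? 0 : 1;
}

int main(void)
{
    int r = demo();
    printf("staging audit: %s\n", r == 0 ? "ok" : "unexpected result");
    return r == 0 ? 0 : 1;
}
```

The top directory is made private first, so even while `bin` inside it is 0777 the tree is unreachable to other users, which is exactly the effect of the fix recorded in Comment 1; `count_loose_dirs` is the check a maintainer could run against a staging tree to confirm that extraction does not leave writable directories behind once the tar flags are settled.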