Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#43518 - [busybox] the file "/tmp/busybox.upgrade.script" -- maybe this be secure problem?
Attached to Project:
Community Packages
Opened by Andrei Antonov (pl_m) - Tuesday, 20 January 2015, 09:42 GMT
Last edited by Sergej Pupykin (sergej) - Monday, 02 March 2015, 17:17 GMT
Opened by Andrei Antonov (pl_m) - Tuesday, 20 January 2015, 09:42 GMT
Last edited by Sergej Pupykin (sergej) - Monday, 02 March 2015, 17:17 GMT
|
Detailsgood day!
in this package (busybox-1.22.1-3-x86_64.pkg.tar.xz) there is the file ".INSTALL" with code fragment: [code] pre_upgrade() { busybox stat -c %a usr/bin/busybox >tmp/busybox.upgrade.script } [/code] if malefactor-user (without root-privileges permisions in operation system) -- will create symbolic-link "/tmp/busybox.upgrade.script" to something (target) system file in operation system... ...that this target (something) system file may be corrupted by next upgrade of operation system by pacman? advance thanks for answer and for fix! (and sorry for my bad english) |
This task depends upon
[code]
pre_upgrade() {
mkdir tmp/busybox.upgrade || exit 1
busybox stat -c %a usr/bin/busybox >tmp/busybox.upgrade/busybox.upgrade.script
}
[/code]
???
(and some fixes in post_upgrade()..)
but in package "busybox-1.22.1-4" in function "post_upgrade()" -- still used "tmp/busybox.upgrade.script" :-)
[ -f tmp/busybox.upgrade.script ] && busybox chmod `busybox cat tmp/busybox.upgrade.script` usr/bin/busybox
but i think we need:
[ -f tmp/busybox.upgrade/busybox.upgrade.script ] && busybox chmod `busybox cat tmp/busybox.upgrade/busybox.upgrade.script` usr/bin/busybox
and again -- sorry for your time