Subject: CVS commit: pkgsrc/chat/silc-server
To: None <pkgsrc-changes@NetBSD.org>
From: Lubomir Sedlacik <salo@netbsd.org>
List: pkgsrc-changes
Date: 09/13/2005 22:02:24
Module Name:	pkgsrc
Committed By:	salo
Date:		Tue Sep 13 22:02:24 UTC 2005

Modified Files:
	pkgsrc/chat/silc-server: Makefile distinfo
Added Files:
	pkgsrc/chat/silc-server/patches: patch-ac

Log Message:
Security fix:

- fix insecure file creation in /tmp, patch from silc cvs

the impact of this issue is very low.  it allows an attacker to overwrite
arbitrary files owned by the user running silcd ("silcd", in pkgsrc) IFF
the owner of the process or root send SIGUSR1 signal to the process to dump
stats.  the only file owned by the "silcd" user is typically the log file
which resides in a directory inaccessible by anyone except the user itself
and root so the potential attacker would need to guess its name.

 http://www.zataz.net/adviso/silc-server-toolkit-06152005.txt

please note that the advisory also incorrectly states that silc-toolkit is
vulnerable too.  the code in question is never compiled in the toolkit so
it's not affected.

Bump PKGREVISION.


To generate a diff of this commit:
cvs rdiff -r1.41 -r1.42 pkgsrc/chat/silc-server/Makefile
cvs rdiff -r1.28 -r1.29 pkgsrc/chat/silc-server/distinfo
cvs rdiff -r0 -r1.12 pkgsrc/chat/silc-server/patches/patch-ac

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.