2002-Oct-02
I moved all the files under my DESTDIR and tried to rebuild with the build.sh -u switch, but it failed. A complete build again took 80 minutes.
After updating one libkvm file (to make a binary update), the update only took less than eight minutes: "time ./build.sh -u -U -D /home/src/netbsd-1.6".
Learning more about pax's mtree capability. It must have each directory defined ahead of time, or you'll get a "No such file or directory" error. For example:
    reed@www:/home/src/netbsd-1.6$ pax -w -z -M > ~/files.tar.gz
    . type=dir optional
    ./usr type=dir optional
    ./usr/lib type=dir optional
    ./usr/lib/libkvm.a type=file mode=0444 uname=root gname=wheel time=1033580422.50000
    reed@www:/home/src/netbsd-1.6$ tar tvzf ~/files.tar.gz
    -r--r--r-- root/wheel 24376 Oct 2 10:40 2002 ./usr/lib/libkvm.a
Also, if you don't use "optional" then it will create those directories in the tar file too.
sendmail's smrsh has a security hole:
    reed@www:~/binary-update$ echo "echo unauthorized execute" > /tmp/unauth
    reed@www:~/binary-update$ /usr/libexec/smrsh -c ". || . /tmp/unauth || ."
    /usr/libexec/sm.bin/.: permission denied
    unauthorized execute
After patch (partially based on http://www.sendmail.org/patches/smrsh-20020924.patch):
    reed@www:~/binary-update$ ~src/netbsd-1.6/usr/libexec/smrsh -c ". || . /tmp/unauth || ."
    /home/src/netbsd-1.6/usr/libexec/smrsh: . not available for sendmail programs (not a file)
It also has another vulnerability:
    $ /usr/libexec/smrsh -c "././ /bin/hostname"
    www.kibservices.net
But fixed too:
    $ /usr/libexec/smrsh -c "././ /bin/hostname"
    /usr/libexec/smrsh: not available for sendmail programs (not a file)
My send-pr for smrsh is: security/18516. (Next day, this was done for 1.5 and 1.6, but not pkgsrc yet. Closed later on.)
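The "(not a file)" refusals above suggest a regular-file check on the command name. The following is an added example of such a check, not code from the sendmail patch or from this log; the function name cmd_allowed and the directory parameter are hypothetical, and the logic is a simplified model built only from the messages shown.

```c
/* Added example: simplified allow-check, not smrsh's actual source. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Return 1 only if the first word of cmdline, reduced to its last path
 * component, names a regular file with an execute bit directly in dir. */
int cmd_allowed(const char *dir, const char *cmdline)
{
    char word[1024], path[2048];
    const char *base;
    struct stat st;
    size_t n;

    cmdline += strspn(cmdline, " \t");      /* skip leading blanks */
    n = strcspn(cmdline, " \t");            /* length of the first word */
    if (n == 0 || n >= sizeof(word))
        return 0;
    memcpy(word, cmdline, n);
    word[n] = '\0';

    base = strrchr(word, '/');              /* drop any directory part */
    base = base ? base + 1 : word;
    if (*base == '\0' || strcmp(base, ".") == 0 || strcmp(base, "..") == 0)
        return 0;                           /* covers "." and "././" */

    if ((size_t)snprintf(path, sizeof(path), "%s/%s", dir, base) >= sizeof(path))
        return 0;
    /* stat() follows symlinks, so a link to a real program still passes,
     * while the directory itself or a missing name is refused. */
    if (stat(path, &st) != 0 || !S_ISREG(st.st_mode))
        return 0;                           /* "not a file" */
    return (st.st_mode & (S_IXUSR | S_IXGRP | S_IXOTH)) != 0;
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s restricted-dir 'command line'\n", argv[0]);
        return 2;
    }
    puts(cmd_allowed(argv[1], argv[2]) ? "allowed" : "not available (not a file)");
    return 0;
}
```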