CVE-2005-0610

Name of the Vulnerable Software and Affected Versions portupgrade versions prior to 20041226 2

Description The issue allows local users to overwrite arbitrary files, possibly replacing packages to execute arbitrary code via pkg fetch, or create arbitrary zero-byte files via the pkgdb.fixme temporary file. Additionally, it enables overwriting arbitrary files via temporary files when portupgrade upgrades a port or package.

Recommendations For versions prior to 20041226 2, update to version 20041226 2 or later to resolve the issue. As a temporary workaround, consider restricting access to the pkg fetch function and limiting the creation of temporary files during port or package upgrades. Avoid using the pkgdb.fixme temporary file until the issue is resolved.