I wanted to add a new feature to the mirrorselect script, and stumbled upon a security risk.
Created attachment 45372: mirrorselect fix

Here is a small patch, containing the fix, and various enhancements:

* SECURITY FIX: when using the "-b" switch, split is creating files in the temporary directory in an unsecure manner
* SECURITY FIX: make the script exit if "mktemp" fails
* new switch: "-TX" to allow the user to set the network timeout for wget
* clean up temporary files/directories even if mirrorselect is interrupted by the user
* fixed progress percentage with "-b" switch
* the logic is rewritten how /etc/make.conf is updated: don't touch it until everything seems to be o.k.
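The temporary-file handling named in the patch description above (a private working directory for the split output, exit when mktemp fails, cleanup on interrupt), shown as an added shell example. It is not code from mirrorselect or from attachment 45372; the function names, the `msel.` prefix and the sample mirror URLs are hypothetical.

```shell
#!/bin/sh
# Added illustration; not code from mirrorselect or the attached patch.
# Function names, the "msel." prefix and the sample list are hypothetical.

WORKDIR=""

cleanup() {
    # Remove the private directory if one was created; safe to call twice.
    if [ -n "$WORKDIR" ] && [ -d "$WORKDIR" ]; then
        rm -rf -- "$WORKDIR"
    fi
    WORKDIR=""
}

make_workdir() {
    # mktemp -d creates a new directory with an unpredictable name, mode 0700.
    # If it fails, stop here: an empty path would make later commands write
    # to a location the script does not control.
    WORKDIR=$(mktemp -d "${TMPDIR:-/tmp}/msel.XXXXXX") || {
        echo "mktemp failed, aborting" >&2
        return 1
    }
    trap cleanup EXIT                    # normal exit
    trap 'cleanup; exit 130' INT TERM    # interrupted by the user
}

split_list() {
    # $1 = input file, $2 = lines per chunk.
    # The output prefix is inside WORKDIR, so split never creates files with
    # guessable names directly in a world-writable directory.
    [ -n "$WORKDIR" ] || return 1
    split -l "$2" "$1" "$WORKDIR/chunk." || return 1
    ls "$WORKDIR" | grep -c '^chunk\.'   # number of chunks written
}

demo() {
    # Constructed sample: five placeholder mirror URLs, two per chunk.
    make_workdir || return 1
    printf 'http://mirror%d.example/\n' 1 2 3 4 5 > "$WORKDIR/list"
    split_list "$WORKDIR/list" 2
}
```
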
Re-assigning to security. tools-portage, please verify.
Thanks Ervin. 0.89 is in portage for your pleasure.
GLSA drafted. Security, please review.
GLSA 200412-05. Thanks Ervin! Keep up the good work.