I wanted to add a new feature to the mirrorselect script, and stumbled upon a security risk.
Created attachment 45372
Here is a small patch, containing the fix, and various enhancements:
* SECURITY FIX: when using the "-b" switch, split is creating files in the
temporary directory in an insecure manner
* SECURITY FIX: make the script exit if "mktemp" fails
* new switch: "-TX" to allow the user to set the network timeout for wget
* clean up temporary files/directories even if mirrorselect is interrupted by
* fixed progress percentage with "-b" switch
* the logic of how /etc/make.conf is updated is rewritten: don't touch it until
everything seems to be o.k.
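The pattern behind the fixes listed above, as an added example that is neither mirrorselect's code nor the attached patch: a private work directory from `mktemp -d`, an abort when it fails, cleanup on interruption, and a config file that is replaced only after every earlier step succeeded. The function names, the `.example` URLs and the "first mirror of each chunk" selection (a stand-in for the benchmark) are hypothetical.

```shell
#!/bin/sh
# Added example; function names and sample data are hypothetical.

# Private (0700) work directory with an unpredictable name.
# Returns mktemp's status so the caller can abort on failure.
make_workdir() {
    mktemp -d "${TMPDIR:-/tmp}/mirrorselect.XXXXXX"
}

# Split the mirror list into chunks inside the private directory only,
# so no chunk file is ever created at a guessable path in shared /tmp.
split_list() {  # $1 = list file, $2 = work dir, $3 = lines per chunk
    split -l "$3" "$1" "$2/chunk."
}

# Build the new config beside the old one and rename it into place last,
# so the live file is untouched unless every earlier step succeeded.
update_conf() {  # $1 = config path, $2 = new GENTOO_MIRRORS value
    new=$(mktemp "$1.XXXXXX") || return 1
    if sed '/^GENTOO_MIRRORS=/d' "$1" > "$new" &&
       printf 'GENTOO_MIRRORS="%s"\n' "$2" >> "$new" &&
       chmod 644 "$new" && mv "$new" "$1"; then   # 644 is an assumed mode
        return 0
    fi
    rm -f "$new"
    return 1
}

# Body runs in a subshell so the traps are scoped to this call.
select_mirrors() (  # $1 = config path, $2 = mirror list; prints the work dir used
    work=$(make_workdir) || { echo "mktemp failed, aborting" >&2; exit 1; }
    trap 'rm -rf "$work"' EXIT        # clean up on every exit path
    trap 'exit 130' INT TERM HUP      # an interrupt falls through to the EXIT trap
    split_list "$2" "$work" 2 || exit 1
    # Stand-in for benchmarking: take the first mirror of each chunk.
    picked=$(for f in "$work"/chunk.*; do head -n 1 "$f"; done | tr '\n' ' ')
    update_conf "$1" "${picked% }" || exit 1
    printf '%s\n' "$work"
)

# Constructed sample data so the block runs offline.
demo=$(mktemp -d) || exit 1
printf 'CFLAGS="-O2"\nGENTOO_MIRRORS="http://old.example/"\n' > "$demo/make.conf"
printf '%s\n' http://a.example/ http://b.example/ http://c.example/ > "$demo/list"
used=$(select_mirrors "$demo/make.conf" "$demo/list")
cat "$demo/make.conf"; [ -d "$used" ] || echo "work dir removed"
rm -rf "$demo"
```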
Re-assigning to security.
tools-portage, please verify.
0.89 is in portage for your pleasure.
Security, please review.
Thanks Ervin! Keep up the good work.