oss-sec mailing list archives

vim $TMPDIR directory stat (was: [oss-security] Re: CVE request: Emacs 21 fast-lock-mode arbitrary lips code execution)


From: Nico Golde <oss-security+ml () ngolde de>
Date: Wed, 14 May 2008 17:38:12 +0200

Hi Tavis,
* Tavis Ormandy <taviso () sdf lonestar org> [2008-05-14 17:03]:
> On Wed, May 14, 2008 at 04:03:34PM +0200, Sven Joachim wrote:
> > On 2008-05-14 15:27 +0200, Nico Golde wrote:
> >
> > > As I am a vim user I might have done something wrong too,
> > > not sure. What I did after installing emacs:
>
> Same here, so out of curiosity I ran strace -efile -o log vim, and
> edited a few files. I observed vim looking for a directory called
> $TMPDIR in the wd, and using it as you would expect. Obviously a bug,
> and perhaps some minor security implications, anyone want to
> investigate? :-)

The reason is:
src/unix.h:
#  define TEMPDIRNAMES  "$TMPDIR", "/tmp", ".", "$HOME"

on startup vim then expands those paths and checks if the 
directory exists (that's where the stat comes from I think). 
If it exists it will use it as temporary directory to mkdir 
the temporary directory for vim files, v<somenumber>.

src/fileio.c:
   6811         for (i = 0; i < sizeof(tempdirs) / sizeof(char *); ++i)
   6812         {
   6813             /* expand $TMP, leave room for "/v1100000/999999999" */
   6814             expand_env((char_u *)tempdirs[i], itmp, TEMPNAMELEN - 20);
   6815             printf("expanded %s to %s\n", tempdirs[i], itmp);
   6816             if (mch_isdir(itmp))                /* directory exists */
   ....
   6843                     sprintf((char *)itmp + STRLEN(itmp), "v%ld", nr + off);
   6844 # ifndef EEXIST
   6845                     /* If mkdir() does not set errno to EEXIST, check for
   6846                      * existing file here.  There is a race condition then,
   6847                      * although it's fail-safe. */
   6848                     if (mch_stat((char *)itmp, &st) >= 0)
   6849                         continue;
   6850 # endif
   6851 #if defined(UNIX) || defined(VMS)
   6852                     /* Make sure the umask doesn't remove the executable bit.
   6853                      * "repl" has been reported to use "177". */
   6854                     umask_save = umask(077);
   6855 #endif
   6856                     r = vim_mkdir(itmp, 0700);


So it checks for $TMPDIR on your system because this 
environment variable is not set and therefore can't be expanded?!

You could redirect the temporary files of a user to a 
location the attacker and the victim have access to, but vim 
still sets the correct permissions, so this does not help the 
attacker. After a quick check this doesn't look like a 
security issue to me.

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion () jabber ccc de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
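Added example (not vim's code, not from the thread): a stand-in for the temp-directory selection quoted above. It mirrors the behaviour Tavis observed, an unset TMPDIR leaving the candidate "$TMPDIR" as a literal relative name that gets stat()ed in the cwd, and checks Nico's point that umask(077) plus mkdir(0700) still produces a private v<pid> directory whatever the ambient umask is. expand_env_simple, pick_tempdir, private_dir_mode and unset_tmpdir_falls_through are names chosen here; it assumes /tmp exists and no "$TMPDIR" directory sits in the cwd.

```c
/* Added example, not vim's code: stand-in for the fileio.c temp-dir logic.
 * With TMPDIR unset, "$TMPDIR" is kept verbatim (so it is stat()ed as a
 * relative name in the cwd); umask(077) + mkdir(0700) still yields 0700. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Simplified expand_env(): "$NAME" -> value if set, otherwise kept as-is. */
static void expand_env_simple(const char *name, char *out, size_t outlen)
{
    const char *val = (name[0] == '$') ? getenv(name + 1) : NULL;
    snprintf(out, outlen, "%s", val ? val : name);
}

/* Index of the first candidate that expands to an existing directory, -1 if none. */
static int pick_tempdir(char *out, size_t outlen)
{
    static const char *const tempdirs[] = { "$TMPDIR", "/tmp", ".", "$HOME" };
    struct stat st;
    for (size_t i = 0; i < sizeof tempdirs / sizeof tempdirs[0]; ++i) {
        expand_env_simple(tempdirs[i], out, outlen);
        if (stat(out, &st) == 0 && S_ISDIR(st.st_mode))
            return (int)i;
    }
    return -1;
}

/* mkdir parent/v<pid> with the umask forced to 077 as in the excerpt, stat it,
 * remove it again and return its permission bits (0700 expected, -1 on error). */
static int private_dir_mode(const char *parent)
{
    char path[320]; struct stat st;
    snprintf(path, sizeof path, "%s/v%ld", parent, (long)getpid());
    mode_t saved = umask(077);                 /* a umask can only clear bits */
    int r = mkdir(path, 0700); umask(saved);   /* restore the caller's umask */
    if (r != 0 || stat(path, &st) != 0) return -1;
    rmdir(path);
    return (int)(st.st_mode & 0777);
}

/* With TMPDIR unset: 1 if "$TMPDIR" stays literal and "/tmp" (index 1) is chosen. */
static int unset_tmpdir_falls_through(void)
{
    char first[64], chosen[256];
    unsetenv("TMPDIR");
    expand_env_simple("$TMPDIR", first, sizeof first);
    return strcmp(first, "$TMPDIR") == 0 && pick_tempdir(chosen, sizeof chosen) == 1;
}
```

If a directory literally named "$TMPDIR" existed in the cwd, pick_tempdir would return 0 and the v<pid> directory would be created under it, which is exactly the redirection Nico describes; the 0700 mode is unaffected either way.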
