oss-sec mailing list archives
vim $TMPDIR directory stat (was: [oss-security] Re: CVE request: Emacs 21 fast-lock-mode arbitrary lips code execution)
From: Nico Golde <oss-security+ml () ngolde de>
Date: Wed, 14 May 2008 17:38:12 +0200
Hi Tavis,

* Tavis Ormandy <taviso () sdf lonestar org> [2008-05-14 17:03]:
> On Wed, May 14, 2008 at 04:03:34PM +0200, Sven Joachim wrote:
> > On 2008-05-14 15:27 +0200, Nico Golde wrote:
> > > As I am a vim user I might have done something wrong too, not sure.
> > > What I did after installing emacs:
>
> Same here, so out of curiosity I ran strace -efile -o log vim, and edited
> a few files. I observed vim looking for a directory called $TMPDIR in the
> wd, and using it as you would expect. Obviously a bug, and perhaps some
> minor security implications, anyone want to investigate? :-)
The reason is:

src/unix.h:

    # define TEMPDIRNAMES "$TMPDIR", "/tmp", ".", "$HOME"

On startup vim then expands those paths and checks if the directory exists
(that's where the stat comes from I think). If it exists it will use it as
temporary directory to mkdir the temporary directory for vim files,
v<somenumber>.

src/fileio.c:

    for (i = 0; i < sizeof(tempdirs) / sizeof(char *); ++i)
    {
        /* expand $TMP, leave room for "/v1100000/999999999" */
        expand_env((char_u *)tempdirs[i], itmp, TEMPNAMELEN - 20);
        printf("expanded %s to %s\n", tempdirs[i], itmp);
        if (mch_isdir(itmp))            /* directory exists */
    ....
            sprintf((char *)itmp + STRLEN(itmp), "v%ld", nr + off);
    # ifndef EEXIST
            /* If mkdir() does not set errno to EEXIST, check for
             * existing file here. There is a race condition then,
             * although it's fail-safe. */
            if (mch_stat((char *)itmp, &st) >= 0)
                continue;
    # endif
    #if defined(UNIX) || defined(VMS)
            /* Make sure the umask doesn't remove the executable bit.
             * "repl" has been reported to use "177". */
            umask_save = umask(077);
    #endif
            r = vim_mkdir(itmp, 0700);

So it checks for $TMPDIR on your system because this environment variable is
not set and therefore can't be expanded?!

You could redirect the temporary files of a user to a location the attacker
and the victim have access to, but vim still sets the correct permissions so
this does not help the attacker. After a quick check this doesn't look like a
security issue to me.

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion () jabber ccc de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
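An added example, not vim's code and not part of the thread, that models the temp-dir selection quoted above in C: expand_env() leaves an unset variable literal, which is exactly what produces a stat of a relative "$TMPDIR" in the working directory; choose_tmpdir(strict=1) shows the defensive variant that skips such entries; make_private_dir() keeps the umask(077) / mkdir 0700 / EEXIST-retry handling that makes the result harmless. It assumes a POSIX host with a writable /tmp; self_check() is a hypothetical helper that exercises all three.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
/* Added example modelling vim's temp-dir selection; not vim's own code. */
/* Expand a leading "$VAR"; an unset variable stays literal, which is what makes
 * "$TMPDIR" a relative path probed in the cwd. Returns 1 if fully expanded. */
static int expand_env(const char *in, char *out, size_t n) {
    const char *v = (in[0] == '$') ? getenv(in + 1) : NULL;
    if (v != NULL && *v != '\0') { snprintf(out, n, "%s", v); return 1; }
    snprintf(out, n, "%s", in);
    return in[0] != '$';
}
/* vim's candidate order; strict=1 skips any entry whose variable is unset
 * instead of stat()ing the literal name. Returns buf or NULL. */
static const char *choose_tmpdir(int strict, char *buf, size_t n) {
    static const char *cands[] = { "$TMPDIR", "/tmp", ".", "$HOME" }; struct stat st;
    for (size_t i = 0; i < sizeof cands / sizeof *cands; i++) {
        if (!expand_env(cands[i], buf, n) && strict) continue;
        if (stat(buf, &st) == 0 && S_ISDIR(st.st_mode)) return buf;
    }
    return NULL;
}
/* Private subdir as vim creates it: umask(077) so the caller's umask cannot
 * widen it, mode 0700, retry on EEXIST instead of trusting an earlier stat(). */
static int make_private_dir(const char *base, char *out, size_t n) {
    mode_t old = umask(077); int r = -1;
    for (long nr = (long)getpid(), end = nr + 1000; nr < end && r != 0; nr++) {
        snprintf(out, n, "%s/v%ld", base, nr);
        if (mkdir(out, 0700) == 0) r = 0;
        else if (errno != EEXIST) break;
    }
    umask(old);
    return r;
}
/* Exercise the pieces on this host; returns 0 when every check held. */
static int self_check(void) {
    char buf[256]; struct stat st; int bad = 0;
    unsetenv("TMPDIR");
    if (expand_env("$TMPDIR", buf, sizeof buf) || strcmp(buf, "$TMPDIR")) bad |= 1;
    setenv("TMPDIR", "/tmp", 1);
    if (!choose_tmpdir(1, buf, sizeof buf) || strcmp(buf, "/tmp")) bad |= 2;
    if (make_private_dir("/tmp", buf, sizeof buf)) return bad | 4;
    if (stat(buf, &st) || (st.st_mode & 0777) != 0700) bad |= 8;
    rmdir(buf);
    return bad;
}
```

With TMPDIR unset, choose_tmpdir(0, ...) reproduces the stat("$TMPDIR") seen in the strace; the strict variant never touches that literal path.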