Re: CVE request: GNU nano (minor)

[Josh Bressers <bressers () redhat com>]

----- "Dan Rosenberg" <dan.j.rosenberg () gmail com> wrote:

> Two issues were recently addressed upstream for GNU nano to provide
> better security when editing files owned by other untrusted users,
> especially when editing as root.  I'm not sure if either of these
> issues require CVE identifiers due to the narrow circumstances in
> which they can be exploited, but I figured I'd leave that up to you.
>
> Changelog is at
> http://svn.savannah.gnu.org/viewvc/trunk/nano/ChangeLog?root=nano&view=log,
> relevant entries at revisions 4490, 4491, 4493, and 4496.
>
> 1.  When editing a file owned by another user, the owner of the file may
> replace the file mid-editing with a symbolic link, resulting in the
> editor overwriting the target of the symbolic link on saving with the
> privileges of the user doing the editing, without any warning to the
> editor.  Since this could be considered akin to replacing a target being
> chown'd or chmod'd with a symbolic link and requires a very targeted
> attack, I would lean towards this not needing a CVE, but that's your
> call.

Since they fixed it, and it is a plausible attack, I'm assigning this
CVE-2010-1160

> 2.  When backup files are enabled and root is editing a file by an
> untrusted user, that user may exploit race conditions in the creation of
> backup files to take ownership of arbitrary files.  While the scenario
> for exploitation is somewhat unlikely (root editing untrusted files),
> this attack can be done reliably and without requiring precise timing, so
> this seems to be a good candidate for a CVE.

CVE-2010-1161

Thanks.

-- 
    JB