oss-sec mailing list archives
Re: CVE request: GNU nano (minor)
From: Josh Bressers <bressers () redhat com>
Date: Wed, 14 Apr 2010 15:22:05 -0400 (EDT)
----- "Dan Rosenberg" <dan.j.rosenberg () gmail com> wrote:
Two issues were recently addressed upstream for GNU nano to provide better security when editing files owned by other untrusted users, especially when editing as root. I'm not sure if either of these issues require CVE identifiers due to the narrow circumstances in which they can be exploited, but I figured I'd leave that up to you. Changelog is at http://svn.savannah.gnu.org/viewvc/trunk/nano/ChangeLog?root=nano&view=log, relevant entries at revisions 4490, 4491, 4493, and 4496. 1. When editing a file owned by another user, the owner of the file may replace the file mid-editing with a symbolic link, resulting in the editor overwriting the target of the symbolic link on saving with the privileges of the user doing the editing, without any warning to the editor. Since this could be considered akin to replacing a target being chown'd or chmod'd with a symbolic link and requires a very targeted attack, I would lean towards this not needing a CVE, but that's your call.
Since they fixed it, and it is a plausible attack, I'm assigning this CVE-2010-1160
2. When backup files are enabled and root is editing a file by an untrusted user, that user may exploit race conditions in the creation of backup files to take ownership of arbitrary files. While the scenario for exploitation is somewhat unlikely (root editing untrusted files), this attack can be done reliably and without requiring precise timing, so this seems to be a good candidate for a CVE.
CVE-2010-1161 Thanks. -- JB
Current thread:
- CVE request: GNU nano (minor) Dan Rosenberg (Apr 14)
- Re: CVE request: GNU nano (minor) Josh Bressers (Apr 14)