oss-sec mailing list archives
Re: nvi crash recovery
From: Jakub Wilk <jwilk () jwilk net>
Date: Fri, 3 Nov 2017 21:41:59 +0100
* Hanno Böck <hanno () hboeck de>, 2017-11-03, 21:26:
nvi saves recovery files to /var/tmp/vi.recover and creates them with 600 permissions.So all the problems discussed don't really apply here. However the dir itself gets created by the first user using nvi.
Sounds like a recipe for disaster.In Debian, installation scripts try to ensure that /var/tmp/vi.recover is root-owned:
if [[ -L /var/tmp/vi.recover || \
-e /var/tmp/vi.recover && ! -d /var/tmp/vi.recover ]]; then
echo "Cannot create recovery directory /var/tmp/vi.recover" 1>&2
exit 1
fi
[ -d /var/tmp/vi.recover ] || mkdir -p /var/tmp/vi.recover
chown root:root /var/tmp/vi.recover
chmod 1777 /var/tmp/vi.recover
This is racy and can be exploited to chmod arbitrary files:
https://bugs.debian.org/771375
--
Jakub Wilk
Current thread:
- Security risk of server side text editing in general and vim.tiny specifically Fiedler Roman (Nov 03)
- Re: Security risk of server side text editing in general and vim.tiny specifically Jakub Wilk (Nov 03)
- Re: Security risk of server side text editing in general and vim.tiny specifically Solar Designer (Nov 03)
- Re: Security risk of server side text editing in general and vim.tiny specifically Ian Zimmerman (Nov 03)
- nvi crash recovery (was Re: [oss-security] Re: Security risk of server side text editing in general and vim.tiny specifically) Hanno Böck (Nov 03)
- Re: nvi crash recovery Jakub Wilk (Nov 03)
- Re: nvi crash recovery Jakub Wilk (Nov 04)
- Re: nvi crash recovery (was Re: [oss-security] Re: Security risk of server side text editing in general and vim.tiny specifically) Daniel Micay (Nov 03)
- nvi crash recovery (was Re: [oss-security] Re: Security risk of server side text editing in general and vim.tiny specifically) Hanno Böck (Nov 03)
- Re: Re: Security risk of server side text editing in general and vim.tiny specifically Christos Zoulas (Nov 03)
- AW: Re: Security risk of server side text editing in general and vim.tiny specifically Fiedler Roman (Nov 06)
- Re: Security risk of server side text editing in general and vim.tiny specifically Solar Designer (Nov 13)
- AW: Security risk of server side text editing in general and vim.tiny specifically Fiedler Roman (Nov 13)
- <Possible follow-ups>
- Re: Security risk of server side text editing in general and vim.tiny specifically Fiedler Roman (Nov 03)
- Re: Security risk of server side text editing in general and vim.tiny specifically Fiedler Roman (Nov 03)
- Re: Security risk of server side text editing in general and vim.tiny specifically Solar Designer (Nov 03)
- Re: Security risk of server side text editing in general and vim.tiny specifically Solar Designer (Nov 03)
- Re: Security risk of server side text editing in general and vim.tiny specifically Solar Designer (Nov 03)