Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 3 Nov 2017 21:41:59 +0100
From: Jakub Wilk <>
Subject: Re: nvi crash recovery

* Hanno Böck <>, 2017-11-03, 21:26:
>nvi saves recovery files to /var/tmp/vi.recover and creates them with 
>600 permissions.
>So all the problems discussed don't really apply here.
>However the dir itself gets created by the first user using nvi.

Sounds like a recipe for disaster.

In Debian, installation scripts try to ensure that /var/tmp/vi.recover 
is root-owned:

   if [[ -L /var/tmp/vi.recover || \
	  -e /var/tmp/vi.recover && ! -d /var/tmp/vi.recover ]]; then
     echo "Cannot create recovery directory /var/tmp/vi.recover" 1>&2
     exit 1
   [ -d /var/tmp/vi.recover ] || mkdir -p /var/tmp/vi.recover
   chown root:root /var/tmp/vi.recover
   chmod 1777 /var/tmp/vi.recover

This is racy and can be exploited to chmod arbitrary files:

Jakub Wilk

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.