Message-ID: <20171103204159.rnszmrzvcwkxkaak@jwilk.net>
Date: Fri, 3 Nov 2017 21:41:59 +0100
From: Jakub Wilk <jwilk@...lk.net>
To: oss-security@...ts.openwall.com
Subject: Re: nvi crash recovery

* Hanno Böck <hanno@...eck.de>, 2017-11-03, 21:26:
>nvi saves recovery files to /var/tmp/vi.recover and creates them with 
>600 permissions.
>So all the problems discussed don't really apply here.
>However the dir itself gets created by the first user using nvi.

Sounds like a recipe for disaster.

In Debian, installation scripts try to ensure that /var/tmp/vi.recover 
is root-owned:

   if [[ -L /var/tmp/vi.recover || \
         -e /var/tmp/vi.recover && ! -d /var/tmp/vi.recover ]]; then
     echo "Cannot create recovery directory /var/tmp/vi.recover" 1>&2
     exit 1
   fi
   [ -d /var/tmp/vi.recover ] || mkdir -p /var/tmp/vi.recover
   chown root:root /var/tmp/vi.recover
   chmod 1777 /var/tmp/vi.recover

This is racy and can be exploited to chmod arbitrary files:
https://bugs.debian.org/771375

-- 
Jakub Wilk
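
A race-resistant variant of the directory setup quoted above, as an added example that is not part of the original message or of Debian's packaging scripts. The function name `ensure_recover_dir` and its optional uid argument are assumptions made for illustration; the code relies on GNU `stat` and on the parent directory being root-owned with the sticky bit set, as /var/tmp is.

```shell
#!/bin/sh
# Added example (not Debian's script): set up a shared recovery directory
# without running chown/chmod on a path another user may control.
#
# ensure_recover_dir DIR [UID]
#   DIR  directory to set up (the thread's path is /var/tmp/vi.recover)
#   UID  numeric owner to require, default 0 (hypothetical parameter,
#        present so the function can be exercised without root)
ensure_recover_dir() {
    erd_dir=$1
    erd_uid=${2:-0}

    # mkdir without -p fails with EEXIST on anything already at the path,
    # dangling symlinks included, so success means this process created
    # the directory and therefore owns it. No separate chown is needed.
    if mkdir -m 1777 -- "$erd_dir" 2>/dev/null; then
        return 0
    fi

    # Something is already there. Inspect it with a single lstat():
    # GNU stat does not follow symlinks unless -L is given. Separate
    # [ -L ], [ -d ] and [ -O ] tests would each resolve the path again
    # and could see different objects if the entry is swapped in between.
    erd_info=$(stat -c '%F:%u' -- "$erd_dir" 2>/dev/null) || erd_info=
    if [ "$erd_info" != "directory:$erd_uid" ]; then
        echo "Refusing to use $erd_dir: not a directory owned by uid $erd_uid" >&2
        return 1
    fi

    # The entry is a real directory owned by the expected uid. In a sticky
    # parent only that owner (or the parent's owner) can rename or remove
    # it, so it cannot be replaced with a symlink before chmod runs.
    chmod 1777 -- "$erd_dir"
}
```

An existing directory owned by someone else is refused rather than "repaired", which leaves the cleanup decision to the administrator.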
