Bug#771375: nvi: insecure use of /var/tmp
Package: nvi
Version: 1.81.6-11
Tags: security
nvi does this in postinst:

  if [[ -L /var/tmp/vi.recover || \
        -e /var/tmp/vi.recover && ! -d /var/tmp/vi.recover ]]; then
      echo "Cannot create recovery directory /var/tmp/vi.recover" 1>&2
      exit 1
  fi
  [ -d /var/tmp/vi.recover ] || mkdir -p /var/tmp/vi.recover
  chown root:root /var/tmp/vi.recover
  chmod 1777 /var/tmp/vi.recover

This is racy.
If there is no symlink protection enabled
(/proc/sys/fs/protected_symlinks), a malicious local user could trick this
code into chmodding arbitrary files.
--
Jakub Wilk
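
Added example, not part of the original report and not the nvi package's code: one way to set up the recovery directory without a check-then-use window. The function name safe_recover_dir is hypothetical; it assumes GNU coreutils stat and a sticky parent directory such as /var/tmp.

```shell
#!/bin/sh
# Added example (not the nvi postinst). Assumes GNU coreutils stat.
# safe_recover_dir DIR: make DIR world-writable + sticky without ever
# running chmod on a path another local user could have swapped.
safe_recover_dir() {
    local dir="$1" parent meta
    parent=$(dirname -- "$dir")

    # The reasoning below relies on the parent's sticky bit (as on
    # /var/tmp): only an entry's owner may rename or unlink that entry.
    if [ ! -k "$parent" ]; then
        echo "refusing: $parent is not sticky" >&2
        return 1
    fi

    # mkdir without -p is a single mkdir(2): it never follows a symlink in
    # the last component and fails if anything already has that name.
    if mkdir -m 0700 -- "$dir" 2>/dev/null; then
        chmod 1777 -- "$dir"   # the entry is ours, nobody else can replace it
        return 0
    fi

    # Something already exists. One lstat(2) (stat does not dereference by
    # default) returns type and owner together, so there is no gap between
    # "is it a symlink?" and "who owns it?".
    meta=$(stat -c '%F:%u' -- "$dir" 2>/dev/null) || return 1
    if [ "$meta" != "directory:$(id -u)" ]; then
        echo "refusing: $dir is '$meta', not a directory we own" >&2
        return 1
    fi
    chmod 1777 -- "$dir"
}

# Constructed demo: a pre-planted symlink is rejected, its target untouched.
demo=$(mktemp -d) && chmod 1777 "$demo"
mkdir -m 0755 "$demo/victim" && ln -s "$demo/victim" "$demo/vi.recover"
safe_recover_dir "$demo/vi.recover" ||
    echo "rejected; victim mode still $(stat -c %a "$demo/victim")"
rm -rf "$demo"
```

In a postinst this runs as root, so the ownership test means "owned by root"; an existing directory owned by anyone else is refused rather than repaired.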