Bug#771375: nvi: insecure use of /var/tmp

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#771375: nvi: insecure use of /var/tmp
From: Jakub Wilk <jwilk@debian.org>
Date: Fri, 28 Nov 2014 23:19:07 +0100
Message-id: <[🔎] 20141128221907.GA8466@jwilk.net>
Reply-to: Jakub Wilk <jwilk@debian.org>, 771375@bugs.debian.org

Package: nvi
Version: 1.81.6-11
Tags: security

nvi does this in postinst:

   if [[ -L /var/tmp/vi.recover || \
	  -e /var/tmp/vi.recover && ! -d /var/tmp/vi.recover ]]; then
     echo "Cannot create recovery directory /var/tmp/vi.recover" 1>&2
     exit 1
   fi
   [ -d /var/tmp/vi.recover ] || mkdir -p /var/tmp/vi.recover
   chown root:root /var/tmp/vi.recover
   chmod 1777 /var/tmp/vi.recover

This is racy.

If there is no symlink protection enabled(/proc/sys/fs/protected_symlinks), malicious local user could trick thiscode into chmodding arbitrary files.


--
Jakub Wilk

Reply to:

Prev by Date: Processed: Re: xenwatch: ITA
Next by Date: Bug#562907: missing dependency on pybluez
Previous by thread: Processed: Re: xenwatch: ITA
Next by thread: Bug#562907: missing dependency on pybluez
Index(es):
- Date
- Thread