Package: nvi
Version: 1.81.6-11
Tags: security

nvi does this in postinst:

    if [[ -L /var/tmp/vi.recover || \
          -e /var/tmp/vi.recover && ! -d /var/tmp/vi.recover ]]; then
        echo "Cannot create recovery directory /var/tmp/vi.recover" 1>&2
        exit 1
    fi
    [ -d /var/tmp/vi.recover ] || mkdir -p /var/tmp/vi.recover
    chown root:root /var/tmp/vi.recover
    chmod 1777 /var/tmp/vi.recover

This is racy.

If there is no symlink protection enabled
(/proc/sys/fs/protected_symlinks), a malicious local user could trick this
code into chmodding arbitrary files.

--
Jakub Wilk
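
One way to close the window between the check and the chmod described in the report, as an added example that is not nvi's postinst code or a fix taken from the Debian package: the function name ensure_recover_dir and its owner-uid parameter are hypothetical. It assumes GNU stat and a parent directory that is sticky and root-owned, as /var/tmp normally is.

```shell
# Added example (hypothetical helper, not from the nvi package).
# ensure_recover_dir DIR [OWNER_UID]
#   Create DIR, or accept an existing one, only if DIR itself is a real
#   directory owned by OWNER_UID (default 0). Refuses symlinks, regular
#   files and directories owned by anyone else.
ensure_recover_dir() {
    dir=$1
    owner=${2:-0}

    # mkdir without -p is atomic: it fails with EEXIST if any entry is
    # already there, and it never follows a symlink in the last component.
    # A failure here is fine; the stat below decides what to do.
    mkdir -m 0700 -- "$dir" 2>/dev/null || true

    # GNU stat does not dereference symlinks unless -L is given, so this is
    # a single lstat() that returns owner and file type together. There is
    # no gap between a "-L" test and a "-d" test as in the original script.
    info=$(stat -c '%u:%F' -- "$dir" 2>/dev/null) || info=missing

    if [ "$info" != "$owner:directory" ]; then
        echo "Cannot create recovery directory $dir (found: $info)" 1>&2
        return 1
    fi

    # Assumption: the parent is sticky and root-owned. An entry owned by
    # root there cannot be renamed or removed by an unprivileged user, so
    # the path still names the directory that was just verified.
    chmod 1777 -- "$dir"
}

# In a maintainer script, run as root:
#   ensure_recover_dir /var/tmp/vi.recover || exit 1
```

The chown from the original script is dropped because the ownership check replaces it: a directory that is not already owned by the expected uid is rejected instead of being taken over.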