Package: nvi
Version: 1.79-25
Severity: grave
Tags: security patch

Hi everyone,
Going through the list of packages listed at [1] I noticed the overrides are
completely wrong and it *is* a security issue. I verified versions 1.79-25
and 1.81.6-3 (etch and lenny, respectively) of the package and both are
affected.
An attacker could create /var/tmp/vi.recover as a symlink pointing to some
directory (e.g. /) and abuse the code in the postinst script to make it
a+wxr.
The code portion follows:
if [ $1 = "configure" ] ; then
    [ -d /var/tmp/vi.recover ] || mkdir -p /var/tmp/vi.recover
    chown root:root /var/tmp/vi.recover
    chmod 1777 /var/tmp/vi.recover
fi
The main mistake is to ignore any possible failure of mkdir to create the
directory (probably because it already exists, and might not be a directory).
Attached is a simple patch that aborts the execution of the postinst if mkdir
fails; of course, a better way to do it would be to use 'set -e' and review
the usage of /var/tmp/vi.recover.
[1]http://lintian.debian.org/tags/possibly-insecure-handling-of-tmp-files-in-maintainer-script.html
Kind regards,
--
Atomo64 - Raphael
Please avoid sending me Word, PowerPoint or Excel attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html
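A hardened variant of the directory-creation step, added here as an illustration and not the reporter's patch or the nvi package's own postinst. It refuses a pre-planted symlink (which `[ -d ]` alone accepts, since `test -d` follows links), re-checks the path after `mkdir`, and verifies ownership before touching the mode. The function name `ensure_recover_dir`, its owner/group arguments, and the use of `find -prune -user` for the ownership check are this example's own choices.

```shell
#!/bin/sh
# Added example (not the nvi package's postinst): create a world-writable,
# sticky recovery directory without acting through a planted symlink.
#
# ensure_recover_dir DIR OWNER GROUP
#   - refuses if DIR is a symlink (test -d follows symlinks, so the
#     "[ -d DIR ] || mkdir -p DIR" guard alone is not enough)
#   - creates DIR, then re-checks that it is a plain directory
#   - refuses if an existing DIR is owned by someone other than OWNER
#     (a pre-created directory owned by another user could be swapped
#     for a link between the check and the chown)
#   - only then applies chown and chmod, checking each result
ensure_recover_dir() {
    dir=$1
    owner=$2
    group=$3

    # A symlink here would make chown/chmod act on whatever it points to.
    if [ -L "$dir" ]; then
        echo "ensure_recover_dir: refusing to use symlink $dir" >&2
        return 1
    fi

    # Create the directory; mkdir -p fails if a regular file is in the way.
    if [ ! -d "$dir" ]; then
        mkdir -p "$dir" || return 1
    fi

    # Re-check after creation: must still be a real directory, not a link.
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "ensure_recover_dir: $dir is not a plain directory" >&2
        return 1
    fi

    # Ownership check: -prune stops find from descending, so only DIR
    # itself is tested; any output means it is owned by someone else.
    if [ -n "$(find "$dir" -prune ! -user "$owner" -print)" ]; then
        echo "ensure_recover_dir: $dir is not owned by $owner" >&2
        return 1
    fi

    chown "$owner:$group" "$dir" || return 1
    chmod 1777 "$dir" || return 1
    return 0
}
```

In a real postinst the call would be `ensure_recover_dir /var/tmp/vi.recover root root`, and the script would run under `set -e` so a non-zero return aborts the configure step instead of being ignored.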
diff -urN nvi-1.81.6.orig/debian/postinst nvi-1.81.6/debian/postinst
--- nvi-1.81.6.orig/debian/postinst 2008-08-24 17:10:47.000000000 -0500
+++ nvi-1.81.6/debian/postinst 2008-08-24 17:14:39.000000000 -0500
@@ -11,7 +11,7 @@
--slave /usr/share/man/man1/editor.1.gz editor.1.gz /usr/share/man/man1/nvi.1.gz
if [ $1 = "configure" ] ; then
- [ -d /var/tmp/vi.recover ] || mkdir -p /var/tmp/vi.recover
+ [ -d /var/tmp/vi.recover ] || mkdir -p /var/tmp/vi.recover || exit $?
chown root:root /var/tmp/vi.recover
chmod 1777 /var/tmp/vi.recover
fi
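Review bot: the added `|| exit $?` never fires for the symlink-to-directory case the report describes, because `[ -d /var/tmp/vi.recover ]` follows symlinks and short-circuits the `mkdir`, and `mkdir -p` itself succeeds when the path resolves to an existing directory; the following `chown` and `chmod` then still operate through the link. Suggest an explicit refusal before the chown, e.g. `[ -L /var/tmp/vi.recover ] && exit 1`, and checking the results of `chown`/`chmod` as well (or `set -e`, as the report itself proposes). On the unchanged context line, quoting `"$1"` in `[ $1 = "configure" ]` would also avoid a test syntax error when the script is invoked with no argument.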