Package: nvi
Version: 1.81.6-11
Tags: security

nvi does this in postinst:

   if [[ -L /var/tmp/vi.recover || \
          -e /var/tmp/vi.recover && ! -d /var/tmp/vi.recover ]]; then
     echo "Cannot create recovery directory /var/tmp/vi.recover" 1>&2
     exit 1
   fi
   [ -d /var/tmp/vi.recover ] || mkdir -p /var/tmp/vi.recover
   chown root:root /var/tmp/vi.recover
   chmod 1777 /var/tmp/vi.recover

This is racy.

If there is no symlink protection enabled (/proc/sys/fs/protected_symlinks), a malicious local user could trick this code into chmodding arbitrary files.

--
Jakub Wilk
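
One way to get what the postinst snippet above intends without the check-then-act window, as an added example (not code from the nvi package or from the reporter). The name make_recover_dir is hypothetical; it assumes GNU stat and a parent directory that is sticky and owned by the caller (root in a postinst), so entries the caller owns cannot be renamed or removed by other users.

```shell
#!/bin/sh
# Added example; make_recover_dir is a hypothetical helper, not nvi's code.
# Assumptions: GNU stat; the parent of DIR is sticky and owned by the caller
# (root in a postinst), so entries the caller owns cannot be swapped by others.

make_recover_dir() {
    dir=$1
    me=$(id -u) || return 1

    # mkdir(2) is atomic and does not follow a symlink in the last path
    # component: if anything is already there it fails instead of reusing it.
    if mkdir -- "$dir" 2>/dev/null; then
        # Fresh directory owned by the caller; no chown needed.
        chmod 1777 -- "$dir"
        return
    fi

    # Something exists. GNU stat without -L uses lstat(2), so one call
    # reports owner and type of the entry itself, never of a symlink target.
    info=$(stat -c '%u:%F' -- "$dir" 2>/dev/null) || info=unknown
    if [ "$info" != "$me:directory" ]; then
        echo "Cannot create recovery directory $dir (found: $info)" >&2
        return 1
    fi

    # A real directory owned by the caller inside a sticky parent cannot be
    # renamed or removed by other users, so this chmod cannot be redirected.
    chmod 1777 -- "$dir"
}
```

The difference from the original is that the decision rests on a single mkdir(2) or lstat(2) result about an entry no other user can replace, instead of several separate tests followed by chown and chmod on a path that may have changed in between.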

