List: oss-security
Subject: [oss-security] vim $TMPDIR directory stat (was: [oss-security] Re: CVE request: Emacs 21 fast-lock-m
From: Nico Golde <oss-security+ml () ngolde ! de>
Date: 2008-05-14 15:38:12
Message-ID: 20080514153812.GI28202 () ngolde ! de
Hi Tavis,
* Tavis Ormandy <taviso@sdf.lonestar.org> [2008-05-14 17:03]:
> On Wed, May 14, 2008 at 04:03:34PM +0200, Sven Joachim wrote:
> > On 2008-05-14 15:27 +0200, Nico Golde wrote:
> >
> > > As I am a vim user I might have done something wrong too,
> > > not sure. What I did after installing emacs:
>
> Same here, so out of curiosity i ran strace -efile -o log vim, and
> edited a few files. I observed vim looking for a directory called
> $TMPDIR in the wd, and using it as you would expect. Obviously a bug,
> and perhaps some minor security implications, anyone want to
> investigate? :-)
The reason is:
src/unix.h:
# define TEMPDIRNAMES "$TMPDIR", "/tmp", ".", "$HOME"
On startup vim then expands those paths and checks if the
directory exists (that's where the stat comes from I think).
If it exists, it will use it as the temporary directory in which
to mkdir the temporary directory for vim files, v<somenumber>.
src/fileio.c:
    for (i = 0; i < sizeof(tempdirs) / sizeof(char *); ++i)
    {
        /* expand $TMP, leave room for "/v1100000/999999999" */
        expand_env((char_u *)tempdirs[i], itmp, TEMPNAMELEN - 20);
        printf("expanded %s to %s\n", tempdirs[i], itmp);
        if (mch_isdir(itmp))            /* directory exists */
....
            sprintf((char *)itmp + STRLEN(itmp), "v%ld", nr + off);
# ifndef EEXIST
            /* If mkdir() does not set errno to EEXIST, check for
             * existing file here.  There is a race condition then,
             * although it's fail-safe. */
            if (mch_stat((char *)itmp, &st) >= 0)
                continue;
# endif
#if defined(UNIX) || defined(VMS)
            /* Make sure the umask doesn't remove the executable bit.
             * "repl" has been reported to use "177". */
            umask_save = umask(077);
#endif
            r = vim_mkdir(itmp, 0700);
So it checks for $TMPDIR on your system because this
environment variable is not set and therefore can't be expanded?!
You could redirect the temporary files of a user to a
location the attacker and the victim both have access to, but vim
still sets the correct permissions, so this does not help the
attacker. After a quick check this doesn't look like a
security issue to me.
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
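The following is an added, stand-alone C example that is not vim's code and not part of this thread. It re-implements the temp-directory selection the message describes (scan "$TMPDIR", "/tmp", ".", "$HOME"; take the first existing directory; mkdir a v<pid> subdirectory with mode 0700 under umask 077) and then plays out the scenario Nico reasons about: a directory literally named "$TMPDIR" planted in the current working directory wins the scan when TMPDIR is unset, yet the subdirectory created inside it is still 0700. The function names (expand_candidate, pick_default_tempdir, private_tempdir_mode, planted_tmpdir_demo) and the env_* lookup stubs are invented for illustration, and the expansion model (an unset or empty variable leaves the "$NAME" text in place) is an assumption chosen to reproduce the strace observation, not a copy of vim's expand_env().

```c
/* Added example: a stand-alone re-implementation of the temp-directory
 * selection discussed in the mail. NOT vim's code; names are invented.
 * Assumption: a "$NAME" whose variable is unset or empty is left as the
 * literal text, so "$TMPDIR" becomes a relative path in the cwd. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Same order as TEMPDIRNAMES in vim's src/unix.h. */
static const char *const tempdirs[] = { "$TMPDIR", "/tmp", ".", "$HOME" };

typedef const char *(*env_lookup)(const char *name);

/* Real environment. */
const char *env_real(const char *name) { return getenv(name); }
/* Lookup modelling the reporter's setup: TMPDIR unset. */
const char *env_unset(const char *name) { (void)name; return NULL; }
/* Lookup with TMPDIR pointing at the cwd, for a deterministic check. */
const char *env_dot(const char *name) { return strcmp(name, "TMPDIR") == 0 ? "." : NULL; }

/* Expand one candidate; unset/empty variables leave the text as-is.
 * Returns a pointer into a static buffer. */
const char *expand_candidate(const char *cand, env_lookup lookup)
{
    static char buf[4096];
    const char *val = (cand[0] == '$') ? lookup(cand + 1) : NULL;
    snprintf(buf, sizeof buf, "%s", (val && val[0]) ? val : cand);
    return buf;
}

/* The mch_isdir() check: path exists and is a directory. */
int is_dir(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 && S_ISDIR(st.st_mode);
}

/* First candidate that is an existing directory, or NULL. */
const char *pick_default_tempdir(env_lookup lookup)
{
    for (size_t i = 0; i < sizeof tempdirs / sizeof tempdirs[0]; i++) {
        const char *p = expand_candidate(tempdirs[i], lookup);
        if (is_dir(p))
            return p;
    }
    return NULL;
}

/* Create parent/v<pid> as the quoted code does (umask 077, mode 0700),
 * read back its permission bits, remove it again, and return those bits,
 * or -1 if the directory could not be created. */
int private_tempdir_mode(const char *parent)
{
    char path[4096];
    struct stat st;
    snprintf(path, sizeof path, "%s/v%ld", parent, (long)getpid());
    mode_t saved = umask(077);
    int r = mkdir(path, 0700);
    umask(saved);
    if (r != 0)
        return -1;
    int mode = (stat(path, &st) == 0) ? (int)(st.st_mode & 0777) : -1;
    rmdir(path);
    return mode;
}

/* Scenario from the mail: an attacker plants a world-writable directory
 * literally named "$TMPDIR" where the victim starts vim. With TMPDIR
 * unset it wins the candidate scan, but the v<pid> directory created
 * inside it is still 0700. Returns that inner mode (expected 0700) or
 * -1 on any failure. */
int planted_tmpdir_demo(void)
{
    int created = (mkdir("$TMPDIR", 0777) == 0);
    if (!created && errno != EEXIST)
        return -1;
    const char *chosen = pick_default_tempdir(env_unset);
    int mode = (chosen && strcmp(chosen, "$TMPDIR") == 0)
                   ? private_tempdir_mode(chosen) : -1;
    if (created)
        rmdir("$TMPDIR");
    return mode;
}

int main(void)
{
    printf("\"$TMPDIR\" with TMPDIR unset expands to: %s\n",
           expand_candidate("$TMPDIR", env_unset));
    const char *dir = pick_default_tempdir(env_real);
    printf("temp parent with the real environment: %s\n", dir ? dir : "(none)");
    printf("mode of v<pid> inside a planted $TMPDIR: %04o\n", planted_tmpdir_demo());
    return 0;
}
```

Run it from a directory you can write to: the first line shows the literal "$TMPDIR" that explains the stat in the strace log, and the last line shows 0700 for the directory created inside the planted one, which is the observation behind the conclusion that the redirect alone does not help an attacker.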