
List:       oss-security
Subject:    [oss-security] vim $TMPDIR directory stat (was: [oss-security] Re: CVE request: Emacs 21 fast-lock-m
From:       Nico Golde <oss-security+ml () ngolde ! de>
Date:       2008-05-14 15:38:12
Message-ID: 20080514153812.GI28202 () ngolde ! de


Hi Tavis,
* Tavis Ormandy <taviso@sdf.lonestar.org> [2008-05-14 17:03]:
> On Wed, May 14, 2008 at 04:03:34PM +0200, Sven Joachim wrote:
> > On 2008-05-14 15:27 +0200, Nico Golde wrote:
> > 
> > > As I am a vim user I might have done something wrong too, 
> > > not sure. What I did after installing emacs:
> 
> Same here, so out of curiosity i ran strace -efile -o log vim, and
> edited a few files. I observed vim looking for a directory called
> $TMPDIR in the wd, and using it as you would expect. Obviously a bug,
> and perhaps some minor security implications, anyone want to
> investigate? :-)

The reason is:
src/unix.h:
#  define TEMPDIRNAMES  "$TMPDIR", "/tmp", ".", "$HOME"

On startup vim then expands those paths and checks whether the
directory exists (that's where the stat comes from, I think).
If it exists, it will use it as the temporary directory in which
to mkdir the temporary directory for vim files, v<somenumber>.

src/fileio.c (lines 6811-6856):
        for (i = 0; i < sizeof(tempdirs) / sizeof(char *); ++i)
        {
            /* expand $TMP, leave room for "/v1100000/999999999" */
            expand_env((char_u *)tempdirs[i], itmp, TEMPNAMELEN - 20);
            printf("expanded %s to %s\n", tempdirs[i], itmp);
            if (mch_isdir(itmp))                /* directory exists */
   ....
                    sprintf((char *)itmp + STRLEN(itmp), "v%ld", nr + off);
# ifndef EEXIST
                    /* If mkdir() does not set errno to EEXIST, check for
                     * existing file here.  There is a race condition then,
                     * although it's fail-safe. */
                    if (mch_stat((char *)itmp, &st) >= 0)
                        continue;
# endif
#if defined(UNIX) || defined(VMS)
                    /* Make sure the umask doesn't remove the executable bit.
                     * "repl" has been reported to use "177". */
                    umask_save = umask(077);
#endif
                    r = vim_mkdir(itmp, 0700);


So it checks for $TMPDIR on your system because this 
environment variable is not set and therefore can't be expanded?!

You could redirect the temporary files of a user to a 
location the attacker and the victim both have access to, but vim 
still sets the correct permissions, so this does not help the 
attacker. After a quick check this doesn't look like a 
security issue to me.

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
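The following is an added example, written for this archive page; it is not vim's code and not part of the mail above. It re-implements the selection logic the mail describes in simplified form: a candidate list like TEMPDIRNAMES, an expand_env stand-in that copies the name through literally when the variable is unset (which is what turns "$TMPDIR" into a stat of a directory named "$TMPDIR" in the working directory), the is-directory check, and the umask(077) + mkdir(0700) + EEXIST retry used to create the private vNNN directory. The "strict" mode, which skips candidates whose variable did not expand, is a mitigation suggested here, not the project's fix. The names expand_env, pick_tempdir, make_private_dir and demo_scenario are this example's own; demo_scenario creates a constructed "$TMPDIR" fixture directory in the current directory and removes it again.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Simplified stand-in for vim's expand_env(): a candidate starting with
 * '$' names an environment variable. If it is set, its value is copied;
 * if it is unset, the name is copied literally ("$TMPDIR") and 0 is
 * returned. A non-variable candidate is copied through and returns 1. */
static int expand_env(const char *name, char *out, size_t outlen)
{
    if (name[0] == '$') {
        const char *val = getenv(name + 1);
        if (val == NULL || val[0] == '\0') {
            snprintf(out, outlen, "%s", name);   /* literal, e.g. "$TMPDIR" */
            return 0;
        }
        snprintf(out, outlen, "%s", val);
        return 1;
    }
    snprintf(out, outlen, "%s", name);
    return 1;
}

/* Same check mch_isdir() performs: stat() and test for a directory. */
static int is_dir(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 && S_ISDIR(st.st_mode);
}

/* Walk the candidate list and return the first existing directory.
 * strict == 0 reproduces the behaviour in the mail: an unexpanded
 * "$TMPDIR" is stat()ed relative to the working directory.
 * strict == 1 skips candidates whose variable was unset (mitigation
 * suggested by this example, not vim's own change). */
const char *pick_tempdir(const char **cands, size_t ncands, int strict,
                         char *buf, size_t buflen)
{
    for (size_t i = 0; i < ncands; ++i) {
        int expanded = expand_env(cands[i], buf, buflen);
        if (strict && !expanded)
            continue;
        if (is_dir(buf))
            return buf;
    }
    return NULL;
}

/* Create a private subdirectory base/vNNN, mirroring the umask(077) +
 * mkdir(0700) + EEXIST retry in fileio.c. Returns 0 on success, -1 on
 * any error other than "name already taken". */
int make_private_dir(const char *base, char *out, size_t outlen)
{
    mode_t saved = umask(077);   /* keep 0700 even under a permissive umask */
    int rc = -1;
    long start = (long)getpid();
    for (long nr = start; nr < start + 1000; ++nr) {
        snprintf(out, outlen, "%s/v%ld", base, nr);
        if (mkdir(out, 0700) == 0) { rc = 0; break; }
        if (errno != EEXIST) break;   /* real failure, stop retrying */
    }
    umask(saved);
    return rc;
}

/* Constructed scenario: TMPDIR unset and a directory literally named
 * "$TMPDIR" present in the working directory. Returns a bitmask:
 * bit 0: lenient mode picked the literal "$TMPDIR" directory (the bug)
 * bit 1: strict mode skipped it and fell through to "."
 * bit 2: the private vNNN directory was created with mode 0700 */
int demo_scenario(void)
{
    const char *cands[] = { "$TMPDIR", "." };
    char buf[256], priv[256];
    struct stat st;
    int result = 0;

    unsetenv("TMPDIR");
    int created = (mkdir("$TMPDIR", 0700) == 0);   /* constructed fixture */

    const char *p = pick_tempdir(cands, 2, 0, buf, sizeof buf);
    if (p && strcmp(p, "$TMPDIR") == 0) result |= 1;

    p = pick_tempdir(cands, 2, 1, buf, sizeof buf);
    if (p && strcmp(p, ".") == 0) result |= 2;

    if (make_private_dir(".", priv, sizeof priv) == 0 &&
        stat(priv, &st) == 0 && (st.st_mode & 0777) == 0700) {
        result |= 4;
        rmdir(priv);
    }
    if (created) rmdir("$TMPDIR");
    return result;
}

int main(void)
{
    printf("scenario bitmask: %d (7 = bug reproduced, mitigation works, dir is 0700)\n",
           demo_scenario());
    return 0;
}
```

Running it in a directory you can write to prints 7: the lenient walk stats and accepts the stray "$TMPDIR" directory exactly as the strace in the thread showed, the strict walk ignores it, and the vNNN directory still ends up 0700 regardless of the caller's umask, which is the property the mail relies on when concluding there is no security issue.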