[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: Re: [oss-security] CVE request: GNU nano (minor)
From: Josh Bressers <bressers () redhat ! com>
Date: 2010-04-14 19:22:05
Message-ID: 734313713.843551271272925855.JavaMail.root () zmail01 ! collab ! prod ! int ! phx2 ! redhat ! com
[Download RAW message or body]
----- "Dan Rosenberg" <dan.j.rosenberg@gmail.com> wrote:
> Two issues were recently addressed upstream for GNU nano to provide
> better security when editing files owned by other untrusted users,
> especially when editing as root. I'm not sure if either of these
> issues require CVE identifiers due to the narrow circumstances in
> which they can be exploited, but I figured I'd leave that up to you.
>
> Changelog is at
> http://svn.savannah.gnu.org/viewvc/trunk/nano/ChangeLog?root=nano&view=log,
> relevant entries at revisions 4490, 4491, 4493, and 4496.
>
> 1. When editing a file owned by another user, the owner of the file may
> replace the file mid-editing with a symbolic link, resulting in the
> editor overwriting the target of the symbolic link on saving with the
> privileges of the user doing the editing, without any warning to the
> editor. Since this could be considered akin to replacing a target being
> chown'd or chmod'd with a symbolic link and requires a very targeted
> attack, I would lean towards this not needing a CVE, but that's your
> call.
Since they fixed it, and it is a plausible attack, I'm assigning this
CVE-2010-1160
>
> 2. When backup files are enabled and root is editing a file by an
> untrusted user, that user may exploit race conditions in the creation of
> backup files to take ownership of arbitrary files. While the scenario
> for exploitation is somewhat unlikely (root editing untrusted files),
> this attack can be done reliably and without requiring precise timing, so
> this seems to be a good candidate for a CVE.
>
CVE-2010-1161
Thanks.
--
JB
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic