'Re: [oss-security] CVE request: GNU nano (minor)'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] CVE request: GNU nano (minor)
From:       Josh Bressers <bressers () redhat ! com>
Date:       2010-04-14 19:22:05
Message-ID: 734313713.843551271272925855.JavaMail.root () zmail01 ! collab ! prod ! int ! phx2 ! redhat ! com
[Download RAW message or body]

----- "Dan Rosenberg" <dan.j.rosenberg@gmail.com> wrote:

> Two issues were recently addressed upstream for GNU nano to provide
> better security when editing files owned by other untrusted users,
> especially when editing as root.  I'm not sure if either of these
> issues require CVE identifiers due to the narrow circumstances in
> which they can be exploited, but I figured I'd leave that up to you.
> 
> Changelog is at
> http://svn.savannah.gnu.org/viewvc/trunk/nano/ChangeLog?root=nano&view=log,
> relevant entries at revisions 4490, 4491, 4493, and 4496.
> 
> 1.  When editing a file owned by another user, the owner of the file may
> replace the file mid-editing with a symbolic link, resulting in the
> editor overwriting the target of the symbolic link on saving with the
> privileges of the user doing the editing, without any warning to the
> editor.  Since this could be considered akin to replacing a target being
> chown'd or chmod'd with a symbolic link and requires a very targeted
> attack, I would lean towards this not needing a CVE, but that's your
> call.

Since they fixed it, and it is a plausible attack, I'm assigning this
CVE-2010-1160

> 
> 2.  When backup files are enabled and root is editing a file by an
> untrusted user, that user may exploit race conditions in the creation of
> backup files to take ownership of arbitrary files.  While the scenario
> for exploitation is somewhat unlikely (root editing untrusted files),
> this attack can be done reliably and without requiring precise timing, so
> this seems to be a good candidate for a CVE.
> 

CVE-2010-1161

Thanks.

-- 
    JB
[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic