Bug 37771
Summary: | symlinks/vi allows creation of arbitrary files. | ||
---|---|---|---|
Product: | [Retired] Red Hat Linux | Reporter: | Need Real Name <empathy> |
Component: | vim | Assignee: | Karsten Hopp <karsten> |
Status: | CLOSED ERRATA | QA Contact: | David Lawrence <dkl> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 7.0 | CC: | dr, kmaraas |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2003-04-03 09:23:36 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Need Real Name
2001-04-26 11:02:56 UTC
We released an errata to address this a while ago. I've looked at http://www.redhat.com/support/errata/rh7-errata.html for the errata, but couldn't see anything to do with vim packages there. I also checked ftp://ftp.redhat.com/pub/redhat/linux/updates/7.0/en/os/i386 for updated versions of vim but the latest copy there is the same as I am using. Could you tell me where the errata is? Hello? Again, I'm asking: If there was an errata for this, where is it? And if there was an errata for this, why is my Redhat 7.0 system, updated with up2date vulnerable? *** Bug 60338 has been marked as a duplicate of this bug. *** the current vim uses mktemp to create its tmp and swap files, therefore the filenames can't be guessed anymore. Hi! Did you actually try the exploit listed on http://www.opennet.ru/base/exploits/993573483_269.txt.html on redhat 7.0? Marking this as closed seems to be a little premature. To the best of my knowledge (please correct me if I am wrong) RedHat 7.0 is still supported, and security errata are still published for it. I tried the exploit listed a few minutes ago and it still works. bash-2.04$ id uid=500(evil) gid=500(evil) groups=500(evil) bash-2.04$ ls -al /evil -rw------- 1 root root 12288 Aug 26 23:16 /evil bash-2.04$ Doesn't seem to be the case on RHL 9 any more. should be fixed in 7.x as well with the latest errata vim-6.1-18.7x.2 |