Bug 37771
| Summary: | symlinks/vi allows creation of arbitrary files. | ||
|---|---|---|---|
| Product: | [Retired] Red Hat Linux | Reporter: | Need Real Name <empathy> |
| Component: | vim | Assignee: | Karsten Hopp <karsten> |
| Status: | CLOSED ERRATA | QA Contact: | David Lawrence <dkl> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 7.0 | CC: | dr, kmaraas |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2003-04-03 09:23:36 UTC | Type: | --- |
We released an errata to address this a while ago.

I've looked at http://www.redhat.com/support/errata/rh7-errata.html for the errata, but couldn't see anything to do with vim packages there. I also checked ftp://ftp.redhat.com/pub/redhat/linux/updates/7.0/en/os/i386 for updated versions of vim but the latest copy there is the same as I am using. Could you tell me where the errata is?

Hello? Again, I'm asking: If there was an errata for this, where is it? And if there was an errata for this, why is my Redhat 7.0 system, updated with up2date vulnerable?

*** Bug 60338 has been marked as a duplicate of this bug. ***

The current vim uses mktemp to create its tmp and swap files, therefore the filenames can't be guessed anymore.

Hi! Did you actually try the exploit listed on http://www.opennet.ru/base/exploits/993573483_269.txt.html on redhat 7.0? Marking this as closed seems to be a little premature. To the best of my knowledge (please correct me if I am wrong) RedHat 7.0 is still supported, and security errata are still published for it. I tried the exploit listed a few minutes ago and it still works.

```
bash-2.04$ id
uid=500(evil) gid=500(evil) groups=500(evil)
bash-2.04$ ls -al /evil
-rw------- 1 root root 12288 Aug 26 23:16 /evil
bash-2.04$
```

Doesn't seem to be the case on RHL 9 any more.

Should be fixed in 7.x as well with the latest errata vim-6.1-18.7x.2
The .swp files from vi follow symlinks.

as User 1

```
bash$ cd /tmp;ln -s somefile .wahoo.swp
```

as User 2

```
bash# cd /tmp;vi /tmp/wahoo
:q
bash# ls -al /tmp/somefile
-rw------- 1 root root 4096 Apr 26 22:56 somefile
```

crontab does a chdir("/tmp") before it loads the editor... if root edits his crontab file, then it would be possible to create a file with any name (that didn't already exist) as root anywhere on the disk.

According to an email discussion with Bram Moolenaar <Bram>, this has been fixed in the latest version. (crontab root shell exploit available on request)
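For anyone auditing similar file-creation code, here is an added example (not part of the original report and not vim's code) that contrasts a create call which follows a pre-planted dangling symlink with one that refuses it. It uses `O_EXCL`, which is a different technique from the mktemp change mentioned in the comments; the function names and the scratch directory are constructed for the demonstration.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Behaviour the report describes: O_CREAT alone resolves a dangling
 * symlink and creates whatever it points at. */
static int create_following(const char *path) {
    return open(path, O_WRONLY | O_CREAT, 0600);
}

/* Hardened: with O_EXCL, open() fails with EEXIST if the name exists in
 * any form, including as a symlink (dangling or not). */
static int create_exclusive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Runs both calls against a constructed dangling symlink inside a private
 * scratch directory. Returns a bitmask: bit 0 = the naive call created the
 * link target, bit 1 = the exclusive call refused and created nothing. */
int demo(void) {
    char dir[] = "/tmp/swpdemoXXXXXX";   /* constructed scratch location */
    char lnk[64], target[64];
    int fd, result = 0;

    if (mkdtemp(dir) == NULL) return -1;
    snprintf(lnk, sizeof lnk, "%s/.wahoo.swp", dir);
    snprintf(target, sizeof target, "%s/somefile", dir);
    if (symlink(target, lnk) != 0) return -1;

    /* Exclusive create first, while the link target does not exist yet. */
    fd = create_exclusive(lnk);
    if (fd < 0 && errno == EEXIST && access(target, F_OK) != 0) result |= 2;
    if (fd >= 0) close(fd);

    /* Naive create: the file appears at the symlink's target. */
    fd = create_following(lnk);
    if (fd >= 0) close(fd);
    if (access(target, F_OK) == 0) result |= 1;

    unlink(target); unlink(lnk); rmdir(dir);
    return result;
}

int main(void) {
    printf("demo() = %d (3: naive call followed the link, exclusive call refused)\n", demo());
    return 0;
}
```
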