Bug 37771 - symlinks/vi allows creation of arbitrary files.
Summary: symlinks/vi allows creation of arbitrary files.
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: vim
Version: 7.0
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Karsten Hopp
QA Contact: David Lawrence
Keywords: Security
: 60338 (view as bug list)
Depends On:
TreeView+ depends on / blocked
Reported: 2001-04-26 11:02 UTC by Need Real Name
Modified: 2007-04-18 16:32 UTC (History)
2 users (show)

Clone Of:
Last Closed: 2003-04-03 09:23:36 UTC

Attachments (Terms of Use)

Description Need Real Name 2001-04-26 11:02:56 UTC
The .swp files from vi follow symlinks.

as User 1
bash$ cd /tmp;ln -s somefile .wahoo.swp
as User 2
bash# cd /tmp;vi /tmp/wahoo
bash# ls -al /tmp/somefile
-rw-------    1 root     root         4096 Apr 26 22:56 somefile

crontab does a chdir("/tmp") before it loads the editor... 
if root edits his crontab file, then it would be possible to
create a file with anyname (that didn't already exist) as root anywhere on
the disk.

This, according to an email discussion with Bram Moolenaar
<Bram@moolenaar.net> this has been fixed in the latest version.

(crontab root shell exploit available on request)

Comment 1 Bernhard Rosenkraenzer 2001-04-26 15:51:17 UTC
We released an errata to address this a while ago.

Comment 2 Need Real Name 2001-04-26 16:38:59 UTC
I've looked at http://www.redhat.com/support/errata/rh7-errata.html for the
errata, but couldn't see anything to do with vim packages there.

I also checked ftp://ftp.redhat.com/pub/redhat/linux/updates/7.0/en/os/i386 for
updated versions of vim but the latest copy there is the same as I am using.

Could you tell me where the errata is?

Comment 3 Need Real Name 2001-07-01 12:37:50 UTC
Again, I'm asking:
 If there was an errata for this, where is it?
 And if there was an errata for this, why is my Redhat 7.0 system, updated
 with up2date vulnerable?

Comment 4 Bill Huang 2002-06-17 03:03:05 UTC
*** Bug 60338 has been marked as a duplicate of this bug. ***

Comment 5 Karsten Hopp 2002-06-25 21:41:42 UTC
the current vim uses mktemp to create its tmp and swap files, therefore the filenames 
can't be guessed anymore.

Comment 6 Need Real Name 2002-08-26 11:25:51 UTC

Did you actually try the exploit listed on 


on redhat 7.0? Marking this as closed seems to be a little premature.

To the best of my knowledge (please correct me if I am wrong) RedHat 7.0 is 
still supported, and security errata are still published for it.

I tried the exploit listed a few minutes ago and it still works.

bash-2.04$ id
uid=500(evil) gid=500(evil) groups=500(evil)
bash-2.04$ ls -al /evil 
-rw-------    1 root     root        12288 Aug 26 23:16 /evil

Comment 7 Kjartan Maraas 2003-04-02 22:09:20 UTC
Doesn't seem to be the case on RHL 9 any more.

Comment 8 Karsten Hopp 2003-04-03 09:23:36 UTC
should be fixed in 7.x as well with the latest errata vim-6.1-18.7x.2 

Note You need to log in before you can comment on or make changes to this bug.