Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 14 Apr 2010 15:22:05 -0400 (EDT)
From: Josh Bressers <bressers@...hat.com>
To: oss-security@...ts.openwall.com
Cc: Chris Allegretta <chrisa@...y.org>, coley <coley@...re.org>
Subject: Re: CVE request: GNU nano (minor)

----- "Dan Rosenberg" <dan.j.rosenberg@...il.com> wrote:

> Two issues were recently addressed upstream for GNU nano to provide
> better security when editing files owned by other untrusted users,
> especially when editing as root.  I'm not sure if either of these
> issues require CVE identifiers due to the narrow circumstances in
> which they can be exploited, but I figured I'd leave that up to you.
> 
> Changelog is at
> http://svn.savannah.gnu.org/viewvc/trunk/nano/ChangeLog?root=nano&view=log,
> relevant entries at revisions 4490, 4491, 4493, and 4496.
> 
> 1.  When editing a file owned by another user, the owner of the file may
> replace the file mid-editing with a symbolic link, resulting in the
> editor overwriting the target of the symbolic link on saving with the
> privileges of the user doing the editing, without any warning to the
> editor.  Since this could be considered akin to replacing a target being
> chown'd or chmod'd with a symbolic link and requires a very targeted
> attack, I would lean towards this not needing a CVE, but that's your
> call.

Since they fixed it, and it is a plausible attack, I'm assigning this
CVE-2010-1160

> 
> 2.  When backup files are enabled and root is editing a file by an
> untrusted user, that user may exploit race conditions in the creation of
> backup files to take ownership of arbitrary files.  While the scenario
> for exploitation is somewhat unlikely (root editing untrusted files),
> this attack can be done reliably and without requiring precise timing, so
> this seems to be a good candidate for a CVE.
> 

CVE-2010-1161

Thanks.

-- 
    JB

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.