oss-security April 2010 archive
Main Archive Page > Month Archives  > oss-security archives
oss-security: [oss-security] CVE request: GNU nano (minor)

[oss-security] CVE request: GNU nano (minor)

From: Dan Rosenberg <dan.j.rosenberg_at_nospam>
Date: Wed Apr 14 2010 - 15:22:32 GMT
To: oss-security@lists.openwall.com

Two issues were recently addressed upstream for GNU nano to provide
better security when editing files owned by other untrusted users,
especially when editing as root. I'm not sure if either of these
issues require CVE identifiers due to the narrow circumstances in
which they can be exploited, but I figured I'd leave that up to you.

Changelog is at
http://svn.savannah.gnu.org/viewvc/trunk/nano/ChangeLog?root=nano&view=log,
relevant entries at revisions 4490, 4491, 4493, and 4496.

1. When editing a file owned by another user, the owner of the file
may replace the file mid-editing with a symbolic link, resulting in
the editor overwriting the target of the symbolic link on saving with
the privileges of the user doing the editing, without any warning to
the editor. Since this could be considered akin to replacing a target
being chown'd or chmod'd with a symbolic link and requires a very
targeted attack, I would lean towards this not needing a CVE, but
that's your call.

2. When backup files are enabled and root is editing a file by an
untrusted user, that user may exploit race conditions in the creation
of backup files to take ownership of arbitrary files. While the
scenario for exploitation is somewhat unlikely (root editing untrusted
files), this attack can be done reliably and without requiring precise
timing, so this seems to be a good candidate for a CVE.

Thanks,
Dan Rosenberg