Re: [Full-disclosure] Vim: Insecure Temporary File Creation During Build: Arbitrary Code Execution

To: "Steven M. Christey" <coley@xxxxxxxxxxxxxxx>
Subject: Re: [Full-disclosure] Vim: Insecure Temporary File Creation During Build: Arbitrary Code Execution
From: "Jan Minář" <rdancer@xxxxxxxxxxx>
Date: Sat, 26 Jul 2008 13:33:24 +0100
Cc: "Robert Buchholz" <rbu@xxxxxxxxxx>, vim-dev@xxxxxxx, full-disclosure@xxxxxxxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx, bugs@xxxxxxx
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:sender :to:subject:cc:in-reply-to:mime-version:content-type :content-transfer-encoding:content-disposition:references :x-google-sender-auth; bh=8KT+3ziQOEazxZjlOXXJyJ3EaOmtkYy4HbPE/qfZCpk=; b=j/YFcgH0vSmWFCMpKySZg9wu8Ye/EzlTjY3rW0wT8VYnQtqdhctVY6Vd5oLYwaUksG zQ9x70zJzJRohPbMXsAb3wKSiNmLgDhnVwQdngSAGVZogvGRYDHY9yefMllqfXBdJKCy NfBXqr2kBNci2TRe/saqePebIiHdOudv9l9fo=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:sender:to:subject:cc:in-reply-to:mime-version :content-type:content-transfer-encoding:content-disposition :references:x-google-sender-auth; b=Ze0Sims61mFysqf565cD2+LoHb0uwv6eD+fuOki6J9jve/QYuMgcEufF0RgwRHGYry neWFqM8SEn5oyC81eTwNhjbtzuc4jA1rqeCJ1iRc4jSY/6rItHzhTho9K5nRCGDrwxSS h9ac/XklHJr2ZlyM+mj2Iwn8RruCixNfd6/nc=
In-reply-to: <Pine.GSO.4.51.0807251156230.29569@xxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <6edf76c20807171554n255ccd8cka58ca41dc1fca7b0@xxxxxxxxxxxxxx> <200807250317.30880.rbu@xxxxxxxxxx> <6edf76c20807241916j39f3f5b2i9d23e9caa49fca0@xxxxxxxxxxxxxx> <Pine.GSO.4.51.0807251156230.29569@xxxxxxxxxxxxxxx>
Sender: rdancer@xxxxxxxxx

On Fri, Jul 25, 2008 at 4:57 PM, Steven M. Christey
<coley@xxxxxxxxxxxxxxx> wrote:
>
> On Fri, 25 Jul 2008, [UTF-8] Jan MináÅ^Y wrote:
>
>> > The commands do not have to be written there between (1) and (2), they
>> > can be in the file long before the ./configure was started -- just
>> > because the script does care whether it can write to the file at all.
>> > So unlike stated in the advisory, and in CVE-2008-3294, the issue does
>> > not involve a race condition if the attacker would choose to create a
>> > 644 file.
>>
>> The file gets truncated in (1).  You're wrong, the advisory is right.
>
> Maybe the point here is that if the attacker owns the file and sets 644
> permissions, then the truncation won't happen since ./configure won't have
> the permissions to modify the file.

I stand corrected.  I have updated the advisory.  Thanks, Robert.
Thanks to Steven for rephrasing.

Jan.

References:
- Vim: Insecure Temporary File Creation During Build: Arbitrary Code Execution
  - From: Jan Minář
- Re: [Full-disclosure] Vim: Insecure Temporary File Creation During Build: Arbitrary Code Execution
  - From: Robert Buchholz
- Re: [Full-disclosure] Vim: Insecure Temporary File Creation During Build: Arbitrary Code Execution
  - From: Jan Minář
- Re: [Full-disclosure] Vim: Insecure Temporary File Creation During Build: Arbitrary Code Execution
  - From: Steven M. Christey

Prev by Date: [SECURITY] [DSA 1618-1] New ruby1.9 packages fix several vulnerabilities
Next by Date: [SECURITY] [DSA 1619-1] New python-dns packages fix DNS response spoofing
Previous by thread: Re: [Full-disclosure] Vim: Insecure Temporary File Creation During Build: Arbitrary Code Execution
Next by thread: Re: [Full-disclosure] Vim: Insecure Temporary File Creation During Build: Arbitrary Code Execution
Index(es):
- Date
- Thread