ports/59088: ports [nvi-perl] pnview writes files - security problem

Bruce Gingery expires20031214T0931MST at gtcs.com
Sun Nov 9 18:00:33 UTC 2003 

>Number:         59088
>Category:       ports
>Synopsis:       Security problem in nvi-perl port
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Nov 09 10:00:31 PST 2003
>Closed-Date:
>Last-Modified:
>Originator:     Bruce Gingery <expires20031214T0931MST at gtcs.com>
>Release:        FreeBSD 4.2-RELEASE/4.9-RELEASE i386
>Organization:
Advanced Integrators
>Environment:

        FreeBSD (known in-use versions) with the editors/nvi-perl port

>Description:

        The nvi-perl port installs nvi linked with perl scripting
        as /usr/local/bin/pnvi, and view linked with perl scripting
        as /usr/local/bin/pnview.  The effective difference is
        SUPPOSED to be that all files are read-only in the "view"
        variants.

        This safeguard fails.

        Note that this port should also warn that the editor
        runs with the full power of perl and may interact with
        an X environment, or act as a network client or server.
        But that's a feature allowing LWP or comparable parsing
        of remote content into an editor session.

        If this is a bug in the underlying nvi distribution,
        rather than the perl variant, extreme care should be
        exercised if the standard installed vi/nvi view/nview
        are replaced (or supplemented) with other ports based
        on this distribution.  pnvi, itself, works well and
        should remain in the ports.

>How-To-Repeat:

        Install nvi-perl port.
        Open a file (existing or not) with /usr/local/bin/pnview
        Edit it
        Save the file (Escape-Colon-w-q)

>Fix:

        Workaround  - remove /usr/local/bin/pnview

        Caveat: There is no reason for it to be included, as the 
        underlying perl could modify files even if this "bug" were 
        fixed.

	This port is not installed by default.  The same error
	probably exists in "tnview"  (linked with Tcl) for which
	there is currently no official port.  The same caveat
	DOES exist, unless preload of a safe restricted interpreter
	is scripted and force-loaded.


>Release-Note:
>Audit-Trail:
>Unformatted:
 X-send-pr-version: 3.2 (copied for corrected mail headers)

More information about the freebsd-ports-bugs mailing list