ports/59088: ports [nvi-perl] pnview writes files - security problem
Bruce Gingery
expires20031214T0931MST at gtcs.com
Sun Nov 9 18:00:33 UTC 2003
>Number: 59088
>Category: ports
>Synopsis: Security problem in nvi-perl port
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sun Nov 09 10:00:31 PST 2003
>Closed-Date:
>Last-Modified:
>Originator: Bruce Gingery <expires20031214T0931MST at gtcs.com>
>Release: FreeBSD 4.2-RELEASE/4.9-RELEASE i386
>Organization:
Advanced Integrators
>Environment:
FreeBSD (known in-use versions) with the editors/nvi-perl port
>Description:
The nvi-perl port installs nvi linked with perl scripting
as /usr/local/bin/pnvi, and view linked with perl scripting
as /usr/local/bin/pnview. The effective difference is
SUPPOSED to be that all files are read-only in the "view"
variants.
This safeguard fails.
Note that this port should also warn that the editor
runs with the full power of perl and may interact with
an X environment, or act as a network client or server.
But that's a feature allowing LWP or comparable parsing
of remote content into an editor session.
If this is a bug in the underlying nvi distribution,
rather than the perl variant, extreme care should be
exercised if the standard installed vi/nvi view/nview
are replaced (or supplemented) with other ports based
on this distribution. pnvi, itself, works well and
should remain in the ports.
>How-To-Repeat:
Install nvi-perl port.
Open a file (existing or not) with /usr/local/bin/pnview
Edit it
Save the file (Escape-Colon-w-q)
>Fix:
Workaround - remove /usr/local/bin/pnview
Caveat: There is no reason for it to be included, as the
underlying perl could modify files even if this "bug" were
fixed.
This port is not installed by default. The same error
probably exists in "tnview" (linked with Tcl) for which
there is currently no official port. The same caveat
DOES exist, unless preload of a safe restricted interpreter
is scripted and force-loaded.
>Release-Note:
>Audit-Trail:
>Unformatted:
X-send-pr-version: 3.2 (copied for corrected mail headers)
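
The How-To-Repeat steps above, scripted as a regression check for any "view"-style editor. This is an added example, not part of the original report or of the port. It assumes the editor under test accepts nvi's `-e` (ex mode) and `-s` (batch mode) options; `readonly_check` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example (not from the original report): check whether an editor that
# is supposed to be read-only actually leaves the file on disk untouched.
# Assumption: the editor accepts nvi's -e (ex mode) and -s (batch mode).
#
# Usage from an interactive shell:
#   readonly_check /usr/local/bin/pnview; echo "result: $?"

# readonly_check EDITOR
#   returns 0  file unchanged, read-only safeguard held
#   returns 1  file was modified or removed, safeguard failed
#   returns 2  editor not found or scratch directory could not be created
readonly_check() {
    editor=$1
    command -v "$editor" >/dev/null 2>&1 || return 2

    dir=$(mktemp -d "${TMPDIR:-/tmp}/rocheck.XXXXXX") || return 2
    target=$dir/sample.txt

    # Constructed sample content. The file keeps ordinary writable
    # permissions, so only the editor's own read-only mode protects it.
    printf 'original line\n' > "$target"
    before=$(cksum < "$target")

    # Same sequence as How-To-Repeat: edit the text, then write and quit.
    # A correct read-only editor rejects the write; its exit status is
    # ignored because only the on-disk result matters here.
    printf '%s\n' '1s/original/modified/' 'wq' |
        "$editor" -e -s "$target" >/dev/null 2>&1 || :

    after=$(cksum < "$target" 2>/dev/null) || after=missing
    rm -rf "$dir"

    [ "$before" = "$after" ]
}
```

A result of 1 means the editor wrote to the file despite being invoked as a viewer.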