Date: Sun, 9 Nov 2003 10:54:52 -0700 (MST)
From: Bruce Gingery <expires20031214T0931MST@gtcs.com>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: ports/59088: ports [nvi-perl] pnview writes files - security problem
Message-ID: <200311091754.hA9HsqN04728.smij@home.gtcs.com>
Resent-Message-ID: <200311091800.hA9I0Vrv091345@freefall.freebsd.org>

>Number: 59088
>Category: ports
>Synopsis: Security problem in nvi-perl port
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sun Nov 09 10:00:31 PST 2003
>Closed-Date:
>Last-Modified:
>Originator: Bruce Gingery <expires20031214T0931MST@gtcs.com>
>Release: FreeBSD 4.2-RELEASE/4.9-RELEASE i386
>Organization: Advanced Integrators
>Environment:
FreeBSD (known in-use versions) with the editors/nvi-perl port

>Description:
The nvi-perl port installs nvi linked with perl scripting as
/usr/local/bin/pnvi, and view linked with perl scripting as
/usr/local/bin/pnview.

The effective difference is SUPPOSED to be that all files are
read-only in the "view" variants. This safeguard fails.

Note that this port should also warn that the editor runs with
the full power of perl and may interact with an X environment,
or act as a network client or server. But that's a feature
allowing LWP or comparable parsing of remote content into an
editor session.

If this is a bug in the underlying nvi distribution, rather than
the perl variant, extreme care should be exercised if the standard
installed vi/nvi view/nview are replaced (or supplemented) with
other ports based on this distribution.

pnvi, itself, works well and should remain in the ports.

>How-To-Repeat:
Install nvi-perl port.
Open a file (existing or not) with /usr/local/bin/pnview
Edit it
Save the file (Escape-Colon-w-q)

>Fix:
Workaround - remove /usr/local/bin/pnview

Caveat: There is no reason for it to be included, as the
underlying perl could modify files even if this "bug" were fixed.

This port is not installed by default. The same error probably
exists in "tnview" (linked with Tcl) for which there is currently
no official port. The same caveat DOES exist, unless preload of a
safe restricted interpreter is scripted and force-loaded.

>Release-Note:
>Audit-Trail:
>Unformatted:
X-send-pr-version: 3.2 (copied for corrected mail headers)