Vim tcltags Script Symlink Arbitrary File Overwrite

2005-01-13T09:53:27
ID OSVDB:12882
Type osvdb
Reporter Javier Fernandez-Sanguino Pena(jfs@computer.org)
Modified 2005-01-13T09:53:27

Description

Vulnerability Description

The tcltags script distributed with vim uses an insecure method to create temporary files. This could allow an attacker to read or possibly change files without appropriate permissions, resulting in a loss of integrity.

Technical Description

At line 11, the tcltags script initializes the following variable: tmp_tagfile=/tmp/$.$$

All components of this variable are predictable ($$ being the fairly easily predictable from the PID of the vim session), and a consequently subject to a symlink attack.

Solution Description

Currently, there are no known workarounds or upgrades to correct this issue. However, Javier has released a patch to address this vulnerability.

Short Description

The tcltags script distributed with vim uses an insecure method to create temporary files. This could allow an attacker to read or possibly change files without appropriate permissions, resulting in a loss of integrity.

References:

Vendor URL: http://www.vim.org/ Security Tracker: 1012938 Secunia Advisory ID:13841 Secunia Advisory ID:14115 Secunia Advisory ID:13847 Secunia Advisory ID:13891 Secunia Advisory ID:14356 Related OSVDB ID: 12883 RedHat RHSA: RHSA-2005:122 Other Solution URL: http://bugs.debian.org/cgi-bin/bugreport.cgi/vim-6.3.diff?bug=289560&msg=3&att=1 Other Advisory URL: http://www.ubuntulinux.org/support/documentation/usn/usn-61-1 Other Advisory URL: http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:029 ISS X-Force ID: 18870 CVE-2005-0069