| Summary: | <app-editors/nano-2.2.4 multiple vulnerabilities (CVE-2010-{1160,1161}) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Tomás Touceda (RETIRED) <chiiph> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | hkmaly, vapier |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://svn.savannah.gnu.org/viewvc/trunk/nano/ChangeLog?root=nano&view=log | | |
| Whiteboard: | A3 [glsa] | | |
| Package list: | | Runtime testing required: | --- |

Description
Tomás Touceda (RETIRED)
2010-04-14 22:47:23 UTC
it's in the tree now

CVE-2010-1160 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1160): GNU nano before 2.2.4 does not verify whether a file has been changed before it is overwritten in a file-save operation, which allows local user-assisted attackers to overwrite arbitrary files via a symlink attack on an attacker-owned file that is being edited by the victim.

CVE-2010-1161 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1161): Race condition in GNU nano before 2.2.4, when run by root to edit a file that is not owned by root, allows local user-assisted attackers to change the ownership of arbitrary files via vectors related to the creation of backup files.

Arches, please test and mark stable:
=app-editors/nano-2.2.4
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"

Tested on x86: Everything fine

stable x86, thanks Thomas

Stable for HPPA.

alpha/arm/ia64/m68k/s390/sh/sparc stable

amd64 stable

ppc done

ppc64 done too

All arches done. GLSA request filled.

Can I ask what's with that glsa ?

(In reply to comment #12)
> Can I ask what's with that glsa ?

We have a huge backlog and it will take some time.

GLSA 201006-08