expreserve, the helper program for vi that recovers the file you
were editing when your connection dropped or the machine crashed,
has been discovered to offer yet another opportunity for someone
with an ordinary login on your system to overwrite any file on the
system (and hence to become super-user as well). I'm not sure if
this is a new botch, or just a rerun of an old one; expreserve has
been serving up security holes since at least 1983.

According to the advisory:

  - HP and Sun have patches
  - DG claims not to be vulnerable, but to have included the fix
    in their next release anyway
  - BSDI, Cray, Digital, IBM, NeXT, OSF, and SCO claim not to be
    vulnerable, or to have fixed the problem in their current systems.

If your system is vulnerable, you can paper over the problem by
turning off execute permissions for /usr/lib/expreserve; this will
close the hole, albeit at the cost of disabling vi crash recovery.
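
The workaround above as a small check-and-apply script. This is an added example, not text from the advisory; the function names are hypothetical, and the default path is the one named above.

```shell
#!/bin/sh
# Added example: audit and apply the chmod workaround for expreserve.
# Function names are illustrative; the default path is the one from the text.

# has_exec PATH: succeeds if any execute bit (user, group or other) is set.
has_exec() {
    # POSIX find: "-perm -100" matches when the owner-execute bit is set, etc.
    [ -n "$(find "$1" -prune \( -perm -100 -o -perm -010 -o -perm -001 \) \
            -print 2>/dev/null)" ]
}

# disable_expreserve [PATH]
#   returns 0 if the file ends up with no execute bits,
#           1 if the mode could not be changed,
#           2 if the file does not exist on this system.
disable_expreserve() {
    target=${1:-/usr/lib/expreserve}

    if [ ! -e "$target" ]; then
        echo "$target: not present, nothing to do"
        return 2
    fi

    # Record the mode and owner before touching anything, for the change log.
    ls -l "$target"

    if has_exec "$target"; then
        chmod a-x "$target" || return 1
    fi

    # Verify rather than trust the chmod exit status alone.
    if has_exec "$target"; then
        echo "$target: still executable" >&2
        return 1
    fi

    echo "$target: execute permission removed (vi crash recovery disabled)"
    return 0
}

# Usage (as root on the affected host): disable_expreserve /usr/lib/expreserve
```

Keep the recorded ls -l line so the original mode can be restored once the vendor patch is installed.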
For the full text of the advisory, see
ftp://info.cert.org/pub/cert_advisories/CA-96.19.expreserve