nano-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Nano-devel] New prerelease for security tweaks

From: Mike Frysinger
Subject: Re: [Nano-devel] New prerelease for security tweaks
Date: Wed, 7 Apr 2010 16:44:32 -0400
User-agent: KMail/1.13.1 (Linux/2.6.33.2; KDE/4.4.1; x86_64; ; ) 
On Wednesday 07 April 2010 02:41:19 Chris Allegretta wrote:
> Now that the AFJ fun is hopefully behind us,  we recently received
> some new attention from a security perspective, and an article was
> published on symlink attacks when running nano as root.  The article
> is at http://drosenbe.blogspot.com/2010/03/nano-as-root.html if you're
> interested.
> 
> The risk of a successful attack is somewhat small if you aren't in the
> habit of editing files in user's home directories or /tmp, but the
> issues presented are certainly legitimate.  Dude to this I've included
> some fixes for the modification checks and backup file writing in svn.
>  Unfortunately to implement that I had to break string freeze, so the
> updated PO file has been submitted so we're looking at two weeks
> before an official release if we want to follow normal procedure.
> Given the risk I think it's okay to wait the two weeks, since someone
> may wan to suggest a better fix than what's done so far.
> 
> Anyway, if you're interested in trying out the fixes, the pre2 release
> is at http://www.nano-editor.org/dist/test/nano-2.2.4pre2.tar.gz

seems nano now segfaults when doing something simple like writing to a file 
that doesnt exist yet

rm -f foo
nano foo
ctrl+o
segfault
-mike

Attachment: signature.asc
Description: This is a digitally signed message part.

reply via email to
[Prev in Thread] Current Thread [Next in Thread]