Comment 9 for bug 16700

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Tue, 3 May 2005 22:52:41 -0400
From: Joey Hess <email address hidden>
To: <email address hidden>
Subject: CAN-2005-1119


As I read http://www.securityfocus.com/bid/13171/discussion/ , which has
been assigned CVE id CAN-2005-1119, this is a security hole because
visudo is not limited to editing /etc/sudoers. With the -f switch, it
can be made to edit some other file; if that other file is in a
directory to which an attacker has write access, they can overwrite
arbitrary files via a symlink attack.

Still fairly theoretical, but I wanted to note that this is
CAN-2005-1119 ..

--
see shy jo

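The class of problem described in the message above, shown as an added example (not code from visudo or from this bug report): a program that creates a scratch file at a predictable name in a directory someone else can write to, next to a hardened open that refuses a pre-planted symlink. The file names `victim` and `edit.tmp` and all function names are hypothetical, and the scenario is constructed inside a private temporary directory.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Naive: follows a symlink at `path` and truncates whatever it points to. */
static int open_naive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened: O_EXCL fails if the name already exists (a symlink counts);
 * O_NOFOLLOW refuses a symlink in the final path component. */
static int open_hardened(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

static long size_of(const char *path) {
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1L;
}

/* Returns a bitmask: 1 = hardened open refused the planted link,
 * 2 = victim file still intact afterwards,
 * 4 = naive open followed the link and truncated the victim. */
int symlink_demo(void) {
    char dir[] = "/tmp/symdemoXXXXXX", victim[64], scratch[64];
    int result = 0, fd;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(scratch, sizeof scratch, "%s/edit.tmp", dir);
    fd = open(victim, O_WRONLY | O_CREAT, 0600);
    if (fd < 0 || write(fd, "keep me\n", 8) != 8) return -1;
    close(fd);
    if (symlink(victim, scratch) != 0) return -1; /* pre-planted link */
    fd = open_hardened(scratch);
    if (fd < 0) result |= 1; else close(fd);
    if (size_of(victim) == 8) result |= 2;
    fd = open_naive(scratch);
    if (fd >= 0) close(fd);
    if (size_of(victim) == 0) result |= 4;
    unlink(scratch); unlink(victim); rmdir(dir);
    return result;
}

int main(void) { printf("result=%d\n", symlink_demo()); return 0; }
```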