search menu icon-carat-right cmu-wordmark
Carnegie Mellon University

Software Engineering Institute

CERT Coordination Center

/usr/libexec/vi.recover script contains vulnerability allowing arbitrary zero-length files to be removed

Vulnerability Note VU#191675

Original Release Date: 2002-09-16 | Last Revised: 2003-09-18

Overview

The /usr/libexec/vi.recover script in OpenBSD has a vulnerability that could allow an attacker to remove arbitrary zero-length files, including device nodes.

Description

The /usr/libexec/vi.recover script in OpenBSD cleans up vi temp files and informs a user via email if a recovery file exists for an aborted vi session. The vi.recover script is reported to contain an unspecified vulnerability that may allow the removal of arbitrary zero-length files, including device nodes.

The vi.recover script in OpenBSD is a perl adaptation of a shell script from the nvi package, which is also reported to be vulnerable and may be present in other UNIX-based operating systems.

This vulnerability is fixed in OpenBSD 3.1.

Impact

An attacker may be able to remove arbitrary zero-length files. This could allow a local attacker to cause a local denial of service by removing devices or files that enable services.

Solution

Obtain a patch for your system from one the following URLs.

For OpenBSD-2.9:

ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/016_recover.patch

For OpenBSD-3.0:

ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.0/common/007_recover.patch


Another alternative is to remove /usr/libexec/vi.recover.

Vendor Information

191675
 
Expand all

OpenBSD Affected

Notified:  August 05, 2002 Updated: December 10, 2002

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Apple Computer Inc. Not Affected

Notified:  June 07, 2002 Updated: July 31, 2002

Status

Not Affected

Vendor Statement

Mac OS X does not ship with vi.recover.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Cray Inc. Not Affected

Notified:  June 07, 2002 Updated: July 31, 2002

Status

Not Affected

Vendor Statement

Cray, Inc. is not vulnerable as the vi that is released with Unicos, Unicos/mk, and the MTA is based on a different version and does not contain this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

FreeBSD Not Affected

Updated:  July 31, 2002

Status

Not Affected

Vendor Statement

FreeBSD does not have this vulnerability. Rather than removing files listed on the X-vi-recover-path: line, the owner of the recover file is simply notified via email.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Fujitsu Not Affected

Notified:  June 07, 2002 Updated: July 31, 2002

Status

Not Affected

Vendor Statement

Regarding the vi.recover vulnerability described in VU#191675, we have determined that the Fujitsu UXP/V operating system is not affected because the implementation of the vi.recover command in UXP/V is different from the one described in VU#191675.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SGI Not Affected

Notified:  June 07, 2002 Updated: July 31, 2002

Status

Not Affected

Vendor Statement

IRIX is not vulnerable.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sun Microsystems Inc. Not Affected

Notified:  June 07, 2002 Updated: July 31, 2002

Status

Not Affected

Vendor Statement

Solaris uses /usr/lib/expreserve and /usr/lib/exrecover for the related functions, both are binaries and not perl scripts and aren't believed to be affected by this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

Acknowledgements

Thanks to Todd C. Miller for reporting this vulnerability.

This document was written by Shawn Van Ittersum.

Other Information

CVE IDs: None
Severity Metric: 0.45
Date Public: 2001-01-15
Date First Published: 2002-09-16
Date Last Updated: 2003-09-18 20:02 UTC
Document Revision: 14

Sponsored by CISA.

Download PGP Key

Read CERT/CC Blog

Learn about Vulnerability Analysis