J-Security Center

Title: FreeBSD libedit ".editrc" from Current Directory Vulnerability

Severity: LOW

Description:

If an ".editrc" file exists in the current directory, libedit will incorrectly read its configuration from that file. The correct behaviour is to read ".editrc" from the user's home directory.

Additionally, libedit will not check the ownership of .editrc. Therefore, by creating an .editrc file in the directory from which an application linked to libedit is run, an attacker can cause the application to execute arbitrary key rebindings and exercise terminal capabilities.

ftp(1), for example, is linked to libedit and includes the ability to escape to a shell and execute a command.
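The lookup behaviour the description calls correct, sketched as an added example (not libedit's code and not FreeBSD's actual fix): the file is resolved only under the home directory and is read only if it is a regular file owned by the invoking user. The function names, the use of HOME to locate the home directory, and the extra refusal of group- or world-writable files are assumptions that go beyond what the advisory states.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helpers for illustration; not libedit's own code. */

/* Build "<home>/.editrc". A missing or relative home is rejected, so
 * the current directory is never consulted. Returns 0 on success. */
int editrc_path(const char *home, char *buf, size_t len)
{
    if (home == NULL || home[0] != '/')
        return -1;
    int n = snprintf(buf, len, "%s/.editrc", home);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Open path only if it is a regular file owned by `owner` and not
 * writable by group or others. Returns a read-only fd, or -1. */
int editrc_open_trusted(const char *path, uid_t owner)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NONBLOCK); /* never block on a FIFO */
    if (fd < 0)
        return -1;
    /* fstat() the descriptor rather than stat() the path, so the checks
     * apply to the file that was actually opened. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != owner || (st.st_mode & (S_IWGRP | S_IWOTH))) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(void)
{
    char path[1024];
    if (editrc_path(getenv("HOME"), path, sizeof path) != 0)
        return 1;
    int fd = editrc_open_trusted(path, geteuid());
    printf("%s: %s\n", path, fd >= 0 ? "would be read" : "skipped");
    if (fd >= 0)
        close(fd);
    return 0;
}
```
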

The following is believed to be a complete list of statically and dynamically linked FreeBSD system utilities which link against libedit:

/bin/sh
/sbin/fsdb
/usr/bin/ftp
/usr/sbin/cdcontrol
/usr/sbin/lpc
/usr/sbin/nslookup
/usr/sbin/pppctl

Affected Products:

  • FreeBSD 3.0.0
  • FreeBSD 3.1.0
  • FreeBSD 3.2.0
  • FreeBSD 3.3.0
  • FreeBSD 3.4.0
  • FreeBSD 4.0.0
