elvis-tiny File Overwrite Vulnerability

Elvis-tiny is a compact vi-compatible text editor.

Due to a flaw in the program's creation and naming of temporary files, a race condition exists which could allow a properly-timed attack to read or overwrite data from files created using the vulnerable application. The affected files would be limited to those which are writable by the target user.

Depending on the privileges of the target user using Elvis, this could yield an elevation of privileges to the attacker, a denial of service, or further compromise of the host's security.


Privacy Statement
Copyright 2010, SecurityFocus