GNU bug report logs - #60425
Maybe a security issue


Package: sed

Reported by: Fabio Luiz Barbosa <fabio.barbosa <at> nzn.io>

Date: Fri, 30 Dec 2022 07:05:01 UTC

Severity: normal

To reply to this bug, email your comments to 60425 AT debbugs.gnu.org.



Report forwarded to bug-sed <at> gnu.org:
bug#60425; Package sed. (Fri, 30 Dec 2022 07:05:01 GMT) Full text and rfc822 format available.

Acknowledgement sent to Fabio Luiz Barbosa <fabio.barbosa <at> nzn.io>:
New bug report received and forwarded. Copy sent to bug-sed <at> gnu.org. (Fri, 30 Dec 2022 07:05:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Fabio Luiz Barbosa <fabio.barbosa <at> nzn.io>
To: bug-sed <at> gnu.org
Subject: Maybe a security issue
Date: Thu, 29 Dec 2022 13:48:58 -0300
Hi there,

So I was doing a test, but I am unsure whether it is a bug in sed or a known
behavior of sed, or whether it is considered a security issue.

In the test, I was able to "write" to a file whose permission is 400; the
only way to "avoid it" is to alter the permission to 000.

Using setfacl or other means to manipulate the permission level was not
effective.

If this is a known issue in sed, a result of sed's internal "working way", or
it was already fixed in newer versions, please do not consider this message.

====================================================================
sed --version
sed (GNU sed) 4.7
Packaged by Debian
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Written by Jay Fenlason, Tom Lord, Ken Pizzini,
Paolo Bonzini, Jim Meyering, and Assaf Gordon.
GNU sed home page: <https://www.gnu.org/software/sed/>.
General help using GNU software: <https://www.gnu.org/gethelp/>.
E-mail bug reports to: <bug-sed <at> gnu.org>

This bug report was last modified 1 year and 311 days ago.
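
The behavior described in the report above, as an added example that is not part of the original message or of sed's own code. It assumes the test used in-place editing (`sed -i`), which the report does not state; in that mode sed writes a new file in the same directory and renames it over the original, so the directory's write permission decides the outcome, not the file's mode. The function names, file name and contents are constructed.

```shell
#!/bin/sh
# Added example. Assumption: the report's test used in-place editing (sed -i).
# File name and contents below are constructed sample data.

inode_of() { ls -i "$1" | awk '{print $1}'; }

# edit_readonly_file DIRMODE
# Creates a mode-400 file in a fresh directory with mode DIRMODE, attempts an
# in-place edit, and prints: edited=<yes|no> replaced=<yes|no> content=<text>
edit_readonly_file() {
    dir=$(mktemp -d)
    f="$dir/data.txt"
    printf 'secret=old\n' > "$f"
    chmod 400 "$f"                 # owner read-only, as in the report
    chmod "$1" "$dir"              # the permission that actually matters
    before=$(inode_of "$f")

    # -i.bak: sed reads the file, writes a new file in the same directory,
    # then renames it over the original (old copy kept as data.txt.bak).
    if sed -i.bak 's/old/new/' "$f" 2>/dev/null; then edited=yes; else edited=no; fi

    # A changed inode means the file was replaced, not written through.
    if [ "$(inode_of "$f")" = "$before" ]; then replaced=no; else replaced=yes; fi
    content=$(cat "$f")

    chmod 700 "$dir"               # restore so cleanup works
    rm -rf "$dir"
    printf 'edited=%s replaced=%s content=%s\n' "$edited" "$replaced" "$content"
}

# Writable directory: the edit succeeds even though the file is mode 400.
edit_readonly_file 700
# Read-only directory: the edit fails for an unprivileged user (root bypasses
# these permission checks).
edit_readonly_file 500
```

To keep such a file from being replaced, restrict write permission on the containing directory; the file's inode, not its mode, shows that a replacement took place.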
