Linenoise TOCTOU Vulnerability in History Management Allows Arbitrary File Overwrite and Permission Changes

Vulnerability

A time-of-check to time-of-use (TOCTOU) vulnerability has been identified in the 'linenoise' library, specifically within the 'linenoiseHistorySave' function. This vulnerability allows local attackers to overwrite arbitrary files and modify permissions through a symlink race attack. The issue arises because 'linenoiseHistorySave' first opens a file for writing using 'fopen' and then calls 'chmod' on the same file path, so the path is resolved twice. An attacker can exploit the window between these two operations by placing a symlink that points to a sensitive file, leading to unauthorized file modifications or permission changes.

Impact

Exploitation of this vulnerability results in arbitrary file overwrites with the privileges of the process using 'linenoise', as well as unintended permission changes on unrelated files. It also undermines the confidentiality of the history file, which could have implications for downstream consumers like 'redis-cli'.

Remediation

Users are advised to update to the latest version of 'linenoise', where this vulnerability has been addressed. The official GitHub repository contains the patched version.
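
For code that cannot be updated immediately, or for reviewing similar save routines, the following added example (not the linenoise patch and not code from the project) shows a descriptor-based save that closes the open/chmod window. The function name 'history_save_hardened' and the owner-only mode 0600 are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical hardened save routine (illustration only, not linenoise code).
 * Racy pattern described in the advisory, for comparison:
 *     fp = fopen(path, "w");   // first path lookup, follows symlinks
 *     chmod(path, mode);       // second path lookup, may resolve elsewhere
 * Here every operation after open() acts on the descriptor, so replacing
 * the path afterwards has no effect. Returns 0 on success, -1 on error. */
int history_save_hardened(const char *path, char *const *lines, int count)
{
    struct stat st;
    /* O_NOFOLLOW: fail (ELOOP) if the final path component is a symlink.
     * No O_TRUNC: nothing is modified until the target has been verified.
     * Mode 0600 (assumed) applies at creation, so a new file is never
     * readable by other users, even briefly. */
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW | O_CLOEXEC,
                  S_IRUSR | S_IWUSR);
    if (fd == -1)
        return -1;

    /* Verify the opened object, then set mode and length via the fd. */
    if (fstat(fd, &st) == -1 || !S_ISREG(st.st_mode) ||
        fchmod(fd, S_IRUSR | S_IWUSR) == -1 || ftruncate(fd, 0) == -1) {
        close(fd);
        return -1;
    }

    FILE *fp = fdopen(fd, "w");   /* "w" on an fd does not truncate again */
    if (fp == NULL) {
        close(fd);
        return -1;
    }
    for (int i = 0; i < count; i++) {
        if (fprintf(fp, "%s\n", lines[i]) < 0) {
            fclose(fp);
            return -1;
        }
    }
    return fclose(fp) == 0 ? 0 : -1;   /* fclose also closes fd */
}
```

O_NOFOLLOW only guards the final path component, so the history file should also live in a directory that other users cannot write to.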

Added: Sep 1, 2025, 7:18 PM
Updated: Sep 1, 2025, 7:18 PM