GNU sed In-Place Edit and Symlink Follow Vulnerability Allowing Arbitrary File Overwrite

Vulnerability

A vulnerability exists in GNU sed versions from 4.1e prior to 4.10, when the tool is used with the '-i' option for in-place editing and '--follow-symlinks'. The issue arises from a time-of-check time-of-use (TOCTOU) race condition, where the 'open_next_file()' function performs two separate, non-atomic operations on the same symlinked path. First, it resolves the symlink to its target and records the resolved path for output purposes. Then, it opens the original symlink path to read the file. This creates a race window during which an attacker could replace the symlink with a different target. As a result, sed could read content from the new, attacker-chosen target and write the processed output to the previously recorded path, leading to an arbitrary file overwrite with attacker-controlled content.
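The check a hardened in-place editor can make against this race, as an added example that is not sed's own code (open_checked and verify_opened_matches are hypothetical names): resolve the path, open it, then confirm the opened descriptor is the same inode as the resolved target before any output path is trusted.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 1 if the open descriptor refers to the same regular file
   (device + inode) that was resolved earlier, 0 otherwise. */
int verify_opened_matches(int fd, const struct stat *expected)
{
    struct stat opened;
    if (fstat(fd, &opened) != 0)
        return 0;
    return S_ISREG(opened.st_mode) &&
           opened.st_dev == expected->st_dev &&
           opened.st_ino == expected->st_ino;
}

/* Hypothetical replacement for the two-step resolve-then-open pattern.
   The resolved path (where an in-place editor would write its output)
   and the descriptor it actually reads from are tied to one inode, so a
   symlink swapped between the two syscalls is refused rather than
   silently redirecting the write.  Returns the fd or -1. */
int open_checked(const char *path, char *resolved, size_t resolved_len)
{
    char target[PATH_MAX];
    struct stat expected;
    /* Step 1: resolve the symlink chain and remember the target inode. */
    if (realpath(path, target) == NULL || stat(target, &expected) != 0)
        return -1;

    /* Step 2: open the original (possibly symlinked) path for reading. */
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;

    /* Step 3: the descriptor, not the path, is what gets read; make sure
       it is the inode resolved in step 1 before exposing it. */
    if (!verify_opened_matches(fd, &expected)) {
        close(fd);
        return -1;
    }
    snprintf(resolved, resolved_len, "%s", target);
    return fd;
}
```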

Impact

Exploitation of this vulnerability allows an attacker to overwrite arbitrary files with content of their choosing, with the privileges of the sed process.

Remediation

Users can upgrade to GNU sed version 4.10 or later to address this vulnerability.

Added: Apr 20, 2026, 12:58 PM
Updated: Apr 20, 2026, 12:58 PM

Vulnerability Rating

Custom Algorithm

spread:         7.8
impact:         2.5
exploitability: 2.9
remediation:    0.0
relevance:      6.3
threat:         0.0
urgency:        2.9
incentive:      0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.