From: bug#60425 <60425@debbugs.gnu.org>
To: bug#60425 <60425@debbugs.gnu.org>
Subject: Status: Maybe a security issue
Date: Sat, 14 Jun 2025 10:47:35 +0000

retitle 60425 Maybe a security issue
reassign 60425 sed
submitter 60425 Fabio Luiz Barbosa
severity 60425 normal
thanks

From: Fabio Luiz Barbosa
Date: Thu, 29 Dec 2022 13:48:58 -0300
Subject: Maybe a security issue
To: bug-sed@gnu.org

Hi there,

So I was doing a test, but I am unsure whether it is a bug in sed or a known behavior of sed, or whether it is considered a security issue.

On the test, I was able to "write" in a file whose permission is 400; the only way to "avoid it" is to alter the permission to 000.

Using setfacl or other means to manipulate the permission level was not effective.

If this is a known issue in sed, a result of sed's internal "working way", or was already fixed in newer versions, please do not consider this message.

====================================================================
sed --version
sed (GNU sed) 4.7
Packaged by Debian
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Written by Jay Fenlason, Tom Lord, Ken Pizzini,
Paolo Bonzini, Jim Meyering, and Assaf Gordon.
GNU sed home page: <https://www.gnu.org/software/sed/>.
General help using GNU software: <https://www.gnu.org/gethelp/>.
E-mail bug reports to: <bug-sed@gnu.org>