------------------------------------------------------------------------
BCSA 012                              Badly Coded, Inc. Security Advisory
                                                        October 9th, 2017
------------------------------------------------------------------------

BCSA-012: TOCTTOU vulnerability in sudobcvi file saving

Affected versions: 1.3 and earlier
Fixed versions:    1.4 and later

In versions of BCVI prior to 1.4, the setuid-root sudobcvi executable
checked whether the user has permission to edit a file only when the file
was first opened; no permission checks were performed when an edited file
was saved. This lack of checking meant that sudobcvi could overwrite other
files if the filename reference changed, for instance allowing critical
system files to be changed by an unprivileged local attacker.

In version 1.4, BCVI has been changed to keep the file being edited open,
ensuring that the file that is replaced when a buffer is saved is the same
one the buffer contents were originally read from.

We would like to acknowledge a number of students from the University of
Minnesota's Computer Science and Engineering 5271 course who reported this
vulnerability.

We have also received scattered reports of crashes and a possible security
vulnerability related to calls to read_line() overflowing the line_buf
buffer in redraw(). Though we have not been able to confirm a bug in the
read_line() function, we have increased the size of the buffer concerned.

All BCVI users are recommended to upgrade at their earliest convenience.
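The following C program is an added illustration of the two points in this advisory; it is not BCVI's own code. It shows the save-path fix described above (the permission decision is taken on the descriptor that was opened, and the buffer is written back through that same descriptor rather than by reopening the path), alongside a bounded read_line() that cannot write past its line buffer regardless of input length. The function names editor_open(), editor_save(), save_by_name() and the owner-matches-real-uid policy in user_may_edit() are assumptions made for the example, not sudobcvi's actual interface or policy.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define LINE_BUF_SIZE 256 /* constructed size; the real editor's is not stated here */

/* Simplified stand-in for the editor's permission policy (assumption): the
 * invoking user may edit a file they own. The check is made on a struct stat
 * obtained with fstat() on an already-open descriptor, so it describes the
 * file actually opened and cannot be retargeted by a later rename. */
static int user_may_edit(const struct stat *st) {
    return S_ISREG(st->st_mode) && st->st_uid == getuid();
}

/* Open the file once and decide permissions on that descriptor. The caller
 * keeps the returned fd for the whole editing session. */
int editor_open(const char *path) {
    int fd = open(path, O_RDWR | O_NOFOLLOW);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) < 0 || !user_may_edit(&st)) {
        close(fd);
        return -1;
    }
    return fd;
}

/* The pattern the advisory describes as fixed (kept only for contrast): saving
 * by reopening the name trusts the earlier check while the name may now refer
 * to a different file. Not used by the tests. */
int save_by_name(const char *path, const char *buf, size_t len) {
    int fd = open(path, O_WRONLY | O_TRUNC);
    if (fd < 0) return -1;
    ssize_t n = write(fd, buf, len);
    close(fd);
    return n == (ssize_t)len ? 0 : -1;
}

/* Hardened save: write the buffer back through the descriptor held since
 * editor_open(), so the file replaced is the one originally read. */
int editor_save(int fd, const char *buf, size_t len) {
    if (lseek(fd, 0, SEEK_SET) < 0) return -1;
    if (ftruncate(fd, 0) < 0) return -1;
    size_t done = 0;
    while (done < len) {
        ssize_t n = write(fd, buf + done, len - done);
        if (n < 0) return -1;
        done += (size_t)n;
    }
    return fsync(fd) == 0 ? 0 : -1;
}

/* Bounded line reader over an in-memory text: copies at most bufsize-1 bytes
 * of the line at *cursor into buf, always NUL-terminates, and advances *cursor
 * past the entire line so an over-long line is truncated rather than written
 * past the end of buf. Returns bytes stored, or -1 at end of input. */
long read_line(const char **cursor, char *buf, size_t bufsize) {
    const char *p = *cursor;
    if (bufsize == 0 || *p == '\0') return -1;
    const char *nl = strchr(p, '\n');
    size_t linelen = nl ? (size_t)(nl - p) : strlen(p);
    size_t n = linelen < bufsize - 1 ? linelen : bufsize - 1;
    memcpy(buf, p, n);
    buf[n] = '\0';
    *cursor = nl ? nl + 1 : p + linelen;
    return (long)n;
}

int main(void) {
    /* Constructed input: the second line is longer than the buffer. */
    const char *text = "first line\nthis second line is deliberately longer than the line buffer\n";
    char line_buf[LINE_BUF_SIZE];
    const char *cur = text;
    while (read_line(&cur, line_buf, sizeof line_buf) >= 0)
        printf("redraw: %s\n", line_buf);

    char tmpl[] = "/tmp/bcvi_exampleXXXXXX";
    int fd = mkstemp(tmpl);
    if (fd < 0) return 1;
    close(fd);
    int efd = editor_open(tmpl);
    if (efd < 0 || editor_save(efd, "edited\n", 7) != 0) return 1;
    close(efd);
    unlink(tmpl);
    return 0;
}
```

The essential property is that editor_save() never consults the path again: between editor_open() and editor_save() the name may be unlinked, renamed or replaced, but the descriptor still refers to the inode that passed the check, which is exactly the guarantee version 1.4 is described as providing.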