Conversation

disconnect3d

Before this commit the `linenoiseHistorySave` performed `fopen(filename, ...)` and `chmod(filename, ...)` and this creates a time of use vs time of check vulnerability.

I have not checked whether this can be exploited, but the fix is trivial here: we can just use `fchmod` with the opened file descriptor and this is what this commit changes :).

Btw this was found with https://codeql.github.com/ and its https://codeql.github.com/codeql-query-help/cpp/cpp-toctou-race-condition/ rule when scanning a bigger project that used linenoise as a dependency.

simkca commented Sep 1, 2025

Hello,

We have reviewed this pull request as part of a security assessment and confirmed that the issue it describes has security implications. It has now been assigned a CVE ID:

CVE-2025-9810: TOCTOU race in linenoiseHistorySave() allows local attackers to overwrite arbitrary files and change permissions via a symlink attack.

Summary:
linenoiseHistorySave() opens the history file with fopen("w") and later calls chmod() on the same path. An attacker can race a symlink between these operations: first pointing it to a sensitive file at open, then switching it before chmod. This results in arbitrary file overwrite or permission changes. Downstream consumers (e.g., redis-cli) are affected as well.

Impact:

- Arbitrary file overwrite with process privileges
- Unintended permission changes on unrelated files
- History file confidentiality bypass
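The pattern the PR description and the CVE summary above both describe, shown beside the hardened form the commit adopts, as an added example written for this page rather than linenoise's own code. `history_save_by_path` resolves `filename` twice (once in `fopen`, again in `chmod`), which is the window CodeQL's TOCTOU rule flags; `history_save_fd` applies the permission change through the descriptor `fopen` returned, so it can only affect the file that was actually opened. The umask narrowing around `fopen`, the helper functions and the `/tmp` path are this example's own choices, not something stated on the page.

```c
#include <stdio.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern the PR removes (modelled on the description, not linenoise's code):
 * the file is opened by path, then chmod() resolves the same path a second
 * time. Nothing ties the second lookup to the object the first one opened,
 * which is the TOCTOU window the CVE describes. */
int history_save_by_path(const char *filename, const char **lines, int n) {
    mode_t old_umask = umask(S_IXUSR | S_IRWXG | S_IRWXO); /* new files get 0600 */
    FILE *fp = fopen(filename, "w");
    umask(old_umask);
    if (fp == NULL) return -1;
    if (chmod(filename, S_IRUSR | S_IWUSR) != 0) { /* second path lookup */
        fclose(fp);
        return -1;
    }
    for (int i = 0; i < n; i++) fprintf(fp, "%s\n", lines[i]);
    return fclose(fp) == 0 ? 0 : -1;
}

/* Hardened form: the permission change goes through the descriptor that
 * fopen() returned, so there is no second path resolution to race and the
 * mode can only be applied to the file that was opened. */
int history_save_fd(const char *filename, const char **lines, int n) {
    mode_t old_umask = umask(S_IXUSR | S_IRWXG | S_IRWXO);
    FILE *fp = fopen(filename, "w");
    umask(old_umask);
    if (fp == NULL) return -1;
    if (fchmod(fileno(fp), S_IRUSR | S_IWUSR) != 0) {
        fclose(fp);
        return -1;
    }
    for (int i = 0; i < n; i++) fprintf(fp, "%s\n", lines[i]);
    return fclose(fp) == 0 ? 0 : -1;
}

/* Permission bits of a path (0..0777), or -1 if it cannot be stat'ed.
 * Used to verify that a pre-existing, more permissive file was tightened. */
int file_mode_bits(const char *path) {
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    return (int)(st.st_mode & 0777);
}

/* Number of newline-terminated lines in a file, or -1 on error. */
int history_line_count(const char *path) {
    FILE *fp = fopen(path, "r");
    if (fp == NULL) return -1;
    int c, count = 0;
    while ((c = fgetc(fp)) != EOF) {
        if (c == '\n') count++;
    }
    fclose(fp);
    return count;
}

int main(void) {
    /* Constructed sample history; the path is an assumption for the demo. */
    const char *lines[] = {"ls -la", "cat notes.txt"};
    const char *path = "/tmp/linenoise_history_example.txt";
    if (history_save_fd(path, lines, 2) != 0) {
        perror("history_save_fd");
        return 1;
    }
    printf("saved %d lines, mode %04o\n",
           history_line_count(path), file_mode_bits(path));
    unlink(path);
    return 0;
}
```

Note that `fopen(..., "w")` on an existing file truncates it but keeps its current mode, so the `fchmod` is what tightens a history file that was previously left world-readable; the narrowed umask only governs files created fresh. Both functions still follow a symlink at `fopen` time, which is why the CVE lists arbitrary file overwrite separately from the permission change; the fd-based `fchmod` closes the second, path-based, window only.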
