When sed is invoked with both -i (in-place edit) and –follow-symlinks, the function open_next_file() performs two separate, non-atomic filesystem operations on the same path:
- resolves symlink to its target and stores the resolved path for determining when output is written,
- opens the original symlink path (not the resolved one) to read the file. Between these two calls there is a race window. If an attacker atomically replaces the symlink with a different target during that window, sed will: read content from the new (attacker-chosen) symlink target and write the processed result to the path recorded in step 1. This can lead to arbitrary file overwrite with attacker-controlled content in the context of the sed process.
This issue was fixed in version 4.10.
Weakness
The product checks the state of a resource before using that resource, but the resource’s state can change between the check and the use in a way that invalidates the results of the check.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Red Hat Hardened Images | RedHat | sed-main-4.10-1.hum1 | * |
| Sed | Ubuntu | devel | * |
| Sed | Ubuntu | esm-infra/bionic | * |
| Sed | Ubuntu | esm-infra/focal | * |
| Sed | Ubuntu | esm-infra/xenial | * |
| Sed | Ubuntu | jammy | * |
| Sed | Ubuntu | noble | * |
| Sed | Ubuntu | questing | * |
| Sed | Ubuntu | resolute | * |