Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Thu, 2 Nov 2017 22:29:16 +0100
From: Christian Brabandt <cb@...bit.org>
To: oss-security@...ts.openwall.com
Subject: Re: Fw: Security risk of vim swap files

Kurt Seifried wrote:

> There is a flaw here, it appears on some distros that vim (and emacs) will
> ignore a user's umask and go with less restrictive file permissions
> (ideally you think vi would use the files existing perms, plus any umask
> limitations as expected), for example vim failing:
> 
> [kseifrie@...alhost vi]$ umask
> 0007
> [kseifrie@...alhost vi]$ touch foo
> [kseifrie@...alhost vi]$ ls -la
> total 8
> drwxrwxr-x.  2 kseifrie kseifrie 4096 Oct 31 10:50 .
> drwx--x---. 27 kseifrie kseifrie 4096 Oct 31 10:42 ..
> -rw-rw----.  1 kseifrie kseifrie    0 Oct 31 10:50 foo
> [kseifrie@...alhost vi]$ chmod o+r foo
> [kseifrie@...alhost vi]$ ls -la
> total 8
> drwxrwxr-x.  2 kseifrie kseifrie 4096 Oct 31 10:50 .
> drwx--x---. 27 kseifrie kseifrie 4096 Oct 31 10:42 ..
> -rw-rw-r--.  1 kseifrie kseifrie    0 Oct 31 10:50 foo
> [kseifrie@...alhost vi]$ vi foo
> 
> in another terminal:
> 
> [kseifrie@...alhost vi]$ ls -la
> total 12
> drwxrwxr-x.  2 kseifrie kseifrie 4096 Oct 31 10:50 .
> drwx--x---. 27 kseifrie kseifrie 4096 Oct 31 10:42 ..
> -rw-rw-r--.  1 kseifrie kseifrie    0 Oct 31 10:50 foo
> -rw-r--r--.  1 kseifrie kseifrie 4096 Oct 31 10:50 .foo.swp
> 
> So vim ignores the umask of the user =(.

> So from a CVE perspective we have a situation where a user has explicitly
> set a umask (of say 0007) which is to say they've made a security assertion
> of "any file I create I want the rwx permissions for "other" removed" which
> vim and emacs (and possibly others) are violating when they create swap
> files/backups/whatever. To add insult to injury most other utilities that
> create a file (e.g. cp, cat, dd) seem to respect umask.
> 
> Please use CVE-2017-1000382 for VIM version 8.0.1187 (and other versions
> most likely) ignores umask when creating a swap file
> (\"[ORIGINAL_FILENAME].swp\") resulting in files that may be world readable
> or otherwise accessible in ways not intended by the user running the vi
> binary.

Vim copies the permission from the file being edited. Although the swap 
file is readable by others this does not leak any information here, 
since the file being edited is already readable by others.

Christian

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.