Date: Mon, 27 Nov 2017 21:01:48 +0000
From: Simon McVittie <smcv@...ian.org>
To: oss-security@...ts.openwall.com
Subject: Re: Re: Security risk of server side text editing ...

On Mon, 27 Nov 2017 at 14:10:54 -0500, Scott Court wrote:
> 3. Vim.tiny race condition (Doesn't have a CVE ID as far as I know)
>
> I'm not quite sure who discovered this vulnerability (I don't use or follow
> vim.tiny)

It's just a particular binary build of vim. The vim Debian source package
builds vim several times with different options: vim.tiny is the smallest,
with no GUI and no Perl/Python/Ruby/Lua bindings. Fedora /bin/vi is a
similar small vim build.

I would be quite surprised if there are any vulnerabilities in vim.tiny
that aren't also present in the larger builds like vim.gtk3. In particular,
swap file handling and its interaction with setuid are almost certainly
the same in all builds of the same vim source code.

smcv