Date: Fri, 1 Dec 2017 09:57:19 -0500
From: Scott Court <z5t1@...1.com>
To: Bram Moolenaar <Bram@...lenaar.net>
Cc: Kurt Seifried <kseifrie@...hat.com>, oss-security@...ts.openwall.com, vim_dev@...glegroups.com
Subject: Re: Re: Security risk of server side text editing ...

This has been assigned CVE-2017-17087

>> 2. Vim .swp file group (Doesn't have a CVE ID)
>>
>> This vulnerability was discovered by me. When Vim creates a .swp file,
>> the .swp file is created with the owner and group set to the editor and
>> editor's primary group respectively. The .swp file is then set to the
>> same permissions as the original file (i.e. chmod 640). This creates a
>> security vulnerability when the editor's primary group is not the same
>> as the original file's group.
>>
>> For example, say the root user's primary group is "users", which every
>> user is a member of. If root goes to edit /etc/shadow, the
>> /etc/.shadow.swp file is created with permissions 640 and user:group set
>> to root:users. The original /etc/shadow file had user:group set to
>> root:shadow though; this now exposes the /etc/shadow file (which mind
>> you contains hashes of every user's password) to every user on the system.
>>
>> Originally, I thought this was an extension of CVE-2017-1000382 so I
>> didn't bother trying to get a CVE ID for it; however, upon looking at it
>> for a second time, it seems that this is indeed a different
>> vulnerability. It is possible to patch this vulnerability without
>> patching CVE-2017-1000382.
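
A defender-side check for the condition described in the quoted report, added here as an example that is not part of the original message or of Vim: it walks a directory, pairs each Vim swap file with the file it shadows, and reports swap files that are group-readable under a different group than the original. The swap-name pattern and the function names are assumptions of this example.

```python
#!/usr/bin/env python3
"""Report Vim swap files readable by a different group than the file they shadow."""
import re
import stat
import sys
from pathlib import Path

# Assumed naming: ".<name>.swp", ".swo", ... beside the edited file; a leading
# dot is not doubled, so ".foo.swp" may belong to "foo" or to ".foo".
SWAP_RE = re.compile(r"^\.(?P<name>.+)\.sw[a-p]$")


def original_candidates(swap_name):
    """Possible names of the edited file for a swap file name."""
    m = SWAP_RE.match(swap_name)
    return [m["name"], "." + m["name"]] if m else []


def group_exposed(orig_st, swap_st):
    """True if the swap file is group-readable under a group other than the original's."""
    return bool(swap_st.st_mode & stat.S_IRGRP) and swap_st.st_gid != orig_st.st_gid


def scan(directory):
    """Return (swap_path, swap_gid, original_gid, swap_mode) for each exposed swap file."""
    findings = []
    for entry in sorted(Path(directory).iterdir()):
        swap_st = entry.lstat()  # do not follow symlinks
        if not stat.S_ISREG(swap_st.st_mode):
            continue
        for name in original_candidates(entry.name):
            orig = entry.with_name(name)
            if orig.is_file() and group_exposed(orig.stat(), swap_st):
                findings.append((str(entry), swap_st.st_gid, orig.stat().st_gid,
                                 stat.filemode(swap_st.st_mode)))
                break
    return findings


if __name__ == "__main__":
    # Directories to check come from the command line; default is the current one.
    for d in sys.argv[1:] or ["."]:
        for path, swap_gid, orig_gid, mode in scan(d):
            print(f"{path}: mode {mode}, gid {swap_gid}, original gid {orig_gid}")
```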