Date: Fri, 1 Dec 2017 09:57:19 -0500
From: Scott Court <z5t1@...1.com>
To: Bram Moolenaar <Bram@...lenaar.net>
Cc: Kurt Seifried <kseifrie@...hat.com>, oss-security@...ts.openwall.com,
 vim_dev@...glegroups.com
Subject: Re: Re: Security risk of server side text editing ...

This has been assigned CVE-2017-17087
>>     2. Vim .swp file group (Doesn't have a CVE ID)
>>
>> This vulnerability was discovered by me. When Vim creates a .swp file,
>> the .swp file is created with the owner and group set to the editor and
>> editor's primary group respectively. The .swp file is then set to the
>> same permissions as the original file (i.e. chmod 640). This creates a
>> security vulnerability when the editor's primary group is not the same
>> as the original file's group.
>>
>> For example, say the root user's primary group is "users", which every
>> user is a member of. If root goes to edit /etc/shadow, the
>> /etc/.shadow.swp file is created with permissions 640 and user:group set
>> to root:users. The original /etc/shadow file had user:group set to
>> root:shadow though; this now exposes the /etc/shadow file (which mind
>> you contains hashes of every user's password) to every user on the system.
>>
>> Originally, I thought this was an extension of CVE-2017-1000382 so I
>> didn't bother trying to get a CVE ID for it; however, upon looking at it
>> for a second time, it seems that this is indeed a different
>> vulnerability. It is possible to patch this vulnerability without
>> patching CVE-2017-1000382.
>
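Below is an added example, not code from Vim or from either poster, of the check a sysadmin would want for the situation described in the quoted text: a small Python scanner that pairs each `.<name>.swp` (or `.swo`, `.swn`, ...) with the file it shadows and reports when the swap file can be read by a principal the original excludes, such as a swap file owned by root:users beside a 0640 root:shadow original. The `Perms` type, the gids 42 and 100 used for "shadow" and "users", and the temporary-directory fixture are assumptions made for the demonstration; because `chown` needs root, the fixture reproduces the widening with a world-readable swap next to a 0600 original rather than with a group mismatch.

```python
from __future__ import annotations

import os
import re
import stat
import tempfile
from dataclasses import dataclass

# Vim names a swap file .<name>.swp and falls back to .swo, .swn, ... when that is taken.
SWAP_RE = re.compile(r"^\.(?P<orig>.+)\.sw[a-z]$")


@dataclass(frozen=True)
class Perms:
    """Permission bits (e.g. 0o640) plus owner uid and group gid of one file (assumed helper type)."""
    mode: int
    uid: int
    gid: int


def swap_exposure(orig: Perms, swp: Perms) -> list[str]:
    """Describe how `swp` can be read by principals that `orig` excludes.

    Vim copies the original's mode bits onto the swap file, so the widening
    described in the post comes from the owner or group differing while the
    matching read bit is set. World-readability only counts as a widening
    when the original was not already world-readable. Returns [] if nothing widens.
    """
    findings: list[str] = []
    if swp.uid != orig.uid and swp.mode & stat.S_IRUSR:
        findings.append(f"owner uid {swp.uid} can read swap; original owned by uid {orig.uid}")
    if swp.gid != orig.gid and swp.mode & stat.S_IRGRP:
        findings.append(f"group gid {swp.gid} can read swap; original group is gid {orig.gid}")
    if swp.mode & stat.S_IROTH and not orig.mode & stat.S_IROTH:
        findings.append("swap is world-readable; original is not")
    return findings


def perms_of(path: str) -> Perms:
    st = os.stat(path)
    return Perms(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)


def scan_directory(directory: str) -> dict[str, list[str]]:
    """Pair each swap file in `directory` with the file it shadows and report widenings."""
    results: dict[str, list[str]] = {}
    for name in sorted(os.listdir(directory)):
        m = SWAP_RE.match(name)
        if not m:
            continue
        swp_path = os.path.join(directory, name)
        orig_path = os.path.join(directory, m.group("orig"))
        if not os.path.isfile(orig_path):
            continue  # stale swap with no original: nothing to compare against
        findings = swap_exposure(perms_of(orig_path), perms_of(swp_path))
        if findings:
            results[swp_path] = findings
    return results


def demo_fixture_scan() -> dict[str, list[str]]:
    """Build a constructed fixture in a temp dir and scan it.

    chown needs root, so the fixture cannot produce a group mismatch; it uses a
    world-readable swap beside a 0600 original, which exercises the same scan
    path. Keys of the returned dict are swap file basenames.
    """
    with tempfile.TemporaryDirectory() as d:
        orig = os.path.join(d, "secret")
        swp = os.path.join(d, ".secret.swp")
        for p in (orig, swp):
            with open(p, "w") as fh:
                fh.write("constructed sample content\n")
        os.chmod(orig, 0o600)
        os.chmod(swp, 0o644)
        return {os.path.basename(k): v for k, v in scan_directory(d).items()}


if __name__ == "__main__":
    # The post's /etc/shadow case with assumed gids: shadow=42, users=100.
    print(swap_exposure(Perms(0o640, 0, 42), Perms(0o640, 0, 100)))
    print(demo_fixture_scan())
```

Run it as `python3 swapcheck.py` for the constructed cases, or call `scan_directory("/etc")` as root to audit a live system; a finding is worth treating as a live exposure window, since the swap file holds the buffer contents and lives for the whole editing session.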



