Date: Fri, 1 Dec 2017 09:57:19 -0500
From: Scott Court <z5t1@...1.com>
To: Bram Moolenaar <Bram@...lenaar.net>
Cc: Kurt Seifried <kseifrie@...hat.com>, oss-security@...ts.openwall.com,
 vim_dev@...glegroups.com
Subject: Re: Re: Security risk of server side text editing ...

This has been assigned CVE-2017-17087
>>     2. Vim .swp file group (Doesn't have a CVE ID)
>>
>> This vulnerability was discovered by me. When Vim creates a .swp file,
>> the .swp file is created with the owner and group set to the editor and
>> editor's primary group respectively. The .swp file is then set to the
>> same permissions as the original file (i.e. chmod 640). This creates a
>> security vulnerability when the editor's primary group is not the same
>> as the original file's group.
>>
>> For example, say the root user's primary group is "users", which every
>> user is a member of. If root goes to edit /etc/shadow, the
>> /etc/.shadow.swp file is created with permissions 640 and user:group set
>> to root:users. The original /etc/shadow file had user:group set to
>> root:shadow though; this now exposes the /etc/shadow file (which mind
>> you contains hashes of every user's password) to every user on the system.
>>
>> Originally, I thought this was an extension of CVE-2017-1000382 so I
>> didn't bother trying to get a CVE ID for it; however, upon looking at it
>> for a second time, it seems that this is indeed a different
>> vulnerability. It is possible to patch this vulnerability without
>> patching CVE-2017-1000382.
>
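A defender's check for the swap-file exposure described in the quoted text, added here as an example and not code from the thread or from Vim: it compares a Vim swap file's group and mode bits against those of the original file and flags the case where the group-read bit now applies to a different group. The `/dir/.name.swp` naming follows the message; the numeric group ids and the sample files used for checking are constructed.

```python
import os
import stat
from typing import List, Optional


def swap_path(original: str) -> str:
    """Default Vim swap file location for `original`: /dir/.name.swp."""
    directory, name = os.path.split(original)
    return os.path.join(directory, f".{name}.swp")


def swap_exposes(orig_mode: int, orig_gid: int, swp_mode: int, swp_gid: int) -> bool:
    """True if the swap file's group-read bit reaches a group the original did not.

    This is the condition from the thread: the swap file copies the original's
    mode bits (e.g. 640) but is owned by the editor's primary group, so a
    root:shadow original becomes readable by root:users via the swap copy.
    A world-readable original is excluded, since nothing new is exposed there.
    """
    if orig_mode & stat.S_IROTH:
        return False
    return bool(swp_mode & stat.S_IRGRP) and swp_gid != orig_gid


def check_file(original: str) -> Optional[str]:
    """Return a finding string if `original`'s swap file exposes it, else None."""
    swp = swap_path(original)
    try:
        o, s = os.stat(original), os.stat(swp)
    except FileNotFoundError:
        return None
    if swap_exposes(o.st_mode, o.st_gid, s.st_mode, s.st_gid):
        return (f"{swp}: {stat.filemode(s.st_mode)} gid={s.st_gid} exposes "
                f"{original} ({stat.filemode(o.st_mode)} gid={o.st_gid})")
    return None


def scan(root: str) -> List[str]:
    """Walk `root` for .*.swp files and report any that expose their original."""
    findings: List[str] = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.startswith(".") and name.endswith(".swp"):
                finding = check_file(os.path.join(dirpath, name[1:-4]))
                if finding:
                    findings.append(finding)
    return findings


if __name__ == "__main__":
    for line in scan("/etc"):
        print(line)
```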