Date: Fri, 3 Nov 2017 13:03:57 -0400
From: Scott Court <z5t1@...1.com>
To: oss-security@...ts.openwall.com
Subject: Re: Re: Fw: Security risk of vim swap files

I pointed this out yesterday on the Vim mailing list. It is currently being discussed there (https://groups.google.com/forum/#!topic/vim_dev/sRT9BtjLWMk). Some people are calling for more restrictive permissions on .swp files; however, I believe that using a separate directory for .swp files is the best solution for a multitude of reasons I've discussed here and there.

I have refined the vimrc changes that I originally posted (with the help of Christian) and have found that appending the following to your vimrc is a decent way to mitigate against all known forms of this attack until a proper patch is released:

" Move the swap file location to protect against CVE-2017-1000382
" More information at http://security.cucumberlinux.com/security/details.php?id=120
" A big thanks goes to Christian Brabandt (cb@...bit.org)
" for helping with this fix.
" isdirectory() does not expand '~' itself, so expand() it first;
" otherwise the check always fails and the install runs on every start.
if ! isdirectory(expand("~/.vim/swap/"))
    " Redirect stdout first, then stderr onto it, so both are silenced.
    silent !install -d -m 700 ~/.vim/swap/ > /dev/null 2>&1
endif
" The trailing '//' makes Vim build the swap name from the full path of
" the edited file, so same-named files in different directories do not collide.
set directory=~/.vim/swap//

The only drawback to this approach is that it eliminates the warning when multiple users attempt to edit the same file at the same time; however, this seems preferable to the alternative of being vulnerable.

On 11/03/2017 12:39 PM, Jakub Wilk wrote:
> * Christian Brabandt <cb@...bit.org>, 2017-11-02, 22:29:
>> Vim copies the permission from the file being edited. Although the
>> swap file is readable by others this does not leak any information
>> here, since the file being edited is already readable by others.
>
> In general, what vim does (copying mode bits) is not enough to ensure
> that the swapfile is readable only by the users who had access to the
> original file. It would have to copy also group ownership and ACLs.
>
> Also, keep in mind how this thread started. Somebody edited
> wp-config.php, which was readable by the web server, of course; then
> vim created .wp-config.php.swp with the same-ish permissions, which
> made the file readable to the whole (external) world. Oops.
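As an added example (not code from the original post, nor from Vim or Scott Court), here is the same private swap-directory mitigation as a POSIX shell function, together with the check a defender would want alongside it: an audit that walks a tree (such as a web root) and reports Vim swap files whose mode grants read access to group or others, which is exactly the exposure the wp-config.php case describes. The function names, the script name swapaudit.sh and the sample file tree in the usage comment are assumptions made up for this illustration.

```shell
#!/bin/sh
# Added example (not from the original post or from Vim): the private
# swap-directory mitigation as a shell function, plus an audit that finds
# Vim swap files whose mode grants read access to group or others.
# Function names and the script name are constructed for this example.

# Create a private swap directory (default ~/.vim/swap) with mode 700 and
# verify the result. Mirrors the "install -d -m 700" line in the vimrc.
setup_vim_swapdir() {
    dir="${1:-$HOME/.vim/swap}"
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    # Columns 5-10 of "ls -ld" are the group and other permission bits;
    # all of them must be "-" so only the owner can reach the swap files.
    [ "$(ls -ld "$dir" | cut -c5-10)" = "------" ] || return 1
}

# List Vim swap files under $1 that are readable by group or others.
# Vim names swap files .<name>.swp, then .swo, .swn, ... down to .swa when
# the earlier names are taken, hence the .sw[a-p] pattern. POSIX find only:
# "-perm -040" means the group-read bit is set, "-perm -004" the other-read bit.
find_exposed_swapfiles() {
    root="${1:-.}"
    find "$root" -type f -name '.*.sw[a-p]' \
        \( -perm -040 -o -perm -004 \) -print
}

# Same audit reduced to a count, so scripts can branch on the result.
count_exposed_swapfiles() {
    find_exposed_swapfiles "$1" | wc -l | tr -d ' '
}

# Usage (script name assumed):
#   sh swapaudit.sh setup [dir]    create and verify the private swap directory
#   sh swapaudit.sh audit [root]   list exposed swap files under root
case "${1:-}" in
    setup) setup_vim_swapdir "${2:-}" ;;
    audit) find_exposed_swapfiles "${2:-.}" ;;
esac
```

The audit only inspects mode bits, the same limitation Jakub points out for Vim itself: a swap file with mode 600 inside a directory that ACLs or group ownership open to others is not flagged, so it complements rather than replaces moving the swap directory out of the served tree.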