oss-sec mailing list archives
Re: Re: Fw: Security risk of vim swap files
From: Nick Bowler <nbowler () draconx ca>
Date: Fri, 3 Nov 2017 14:14:11 -0400
On 2017-11-03, Scott Court <z5t1 () z5t1 com> wrote:
> I have refined the vimrc changes that I originally posted (with the help
> of Christian) and have found appending the following to your vimrc to be
> a decent way to mitigate against all known forms of this attack until a
> proper patch is released:
>
> " Move the swap file location to protect against CVE-2017-1000382
> " More information at http://security.cucumberlinux.com/security/details.php?id=120
> " A big thanks goes to Christian Brabandt (cb () 256bit org)
> " for helping with this fix.
> if ! isdirectory(expand("~/.vim/swap/"))
>         silent !install -d -m 700 ~/.vim/swap/ > /dev/null 2>&1
> endif
> set directory=~/.vim/swap//
>
> The only drawback to this approach is that it eliminates the warning
> when multiple users attempt to edit the same file at the same time;
> however, this seems preferable to the alternative of being vulnerable.

This is not the "only drawback". Among other things, such configuration
fails very badly when network mounts are involved.

 - If the swap directory is shared between multiple hosts (e.g., $HOME
   is NFS-mounted), then you will get false positives when editing
   files that happen to share a filename on different hosts.

 - If the file being edited is shared between multiple hosts, then you
   will get false negatives when trying to edit that file from different
   hosts.

Or a combination of the two scenarios.

In the default mode, network mounts basically work as expected because
the swapfile location is shared the same way.

Cheers,
  Nick
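
The two network-mount scenarios above, worked through as an added example that is not part of the original message. It models where the swap file ends up under the default 'directory' setting and under ~/.vim/swap//. The host names, paths and mount tables are constructed, and the model assumes the same user and the same mount points on every host.

```python
# Added illustration (not from the thread): a toy model of swap-file placement.
# Hosts, paths and mount tables below are constructed sample data.
import posixpath

def backing(mounts, host, path):
    """Resolve path on host to (store, path); the longest mount prefix wins."""
    hits = [m for m in mounts if path.startswith(m.rstrip("/") + "/")]
    store = mounts[max(hits, key=len)]
    return (host if store == "local" else store, path)

def swap_path(path, home, per_user_dir):
    """Swap file name for `path`, per Vim's 'directory' option semantics."""
    if per_user_dir:  # set directory=~/.vim/swap//  -> full path, '/' becomes '%'
        return posixpath.join(home, ".vim/swap", path.replace("/", "%") + ".swp")
    head, name = posixpath.split(path)  # default: first entry "." -> beside the file
    return posixpath.join(head, "." + name + ".swp")

def second_editor_sees(mounts, a, b, per_user_dir):
    """a and b are (host, file, home) sessions; classify the swap-file warning."""
    same_file = backing(mounts, a[0], a[1]) == backing(mounts, b[0], b[1])
    swaps = [backing(mounts, h, swap_path(f, home, per_user_dir)) for h, f, home in (a, b)]
    same_swap = swaps[0] == swaps[1]
    if same_swap and not same_file:
        return "false positive"   # warned about a file nobody else has open
    if same_file and not same_swap:
        return "false negative"   # concurrent edit goes unnoticed
    return "correct"

# Scenario 1: $HOME on NFS, each host edits its own local /etc/hosts.
NFS_HOME = {"/": "local", "/home": "nfs:home"}
S1 = (("hostA", "/etc/hosts", "/home/u"), ("hostB", "/etc/hosts", "/home/u"))
# Scenario 2: local $HOME, both hosts edit one file on a shared export.
NFS_DATA = {"/": "local", "/srv/shared": "nfs:data"}
S2 = (("hostA", "/srv/shared/notes.txt", "/home/u"),
      ("hostB", "/srv/shared/notes.txt", "/home/u"))

if __name__ == "__main__":
    for label, mounts, (a, b) in (("shared $HOME", NFS_HOME, S1), ("shared file", NFS_DATA, S2)):
        for per_user in (False, True):
            mode = "~/.vim/swap//" if per_user else "default"
            print(f"{label:13} {mode:14} {second_editor_sees(mounts, a, b, per_user)}")
```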