oss-sec mailing list archives
Re: Security risk of server side text editing in general and vim.tiny specifically
From: Solar Designer <solar () openwall com>
Date: Mon, 13 Nov 2017 15:53:36 +0100
On Fri, Nov 03, 2017 at 11:07:14AM +0000, Fiedler Roman wrote:
> PS: POC for vim.tiny on Ubuntu Xenial to overwrite arbitrary files as user root when editing file in directory owned by other user is available on request, disclosure after one week or if list discussion indicates other timing.
Please post this PoC in here ASAP.

Right now, you're in violation of distros list policy for having posted the PoC in there yet not made it public on oss-security within 7 days after posting about the issue itself in here. Please correct this. (To me this is also an example of misuse of the distros list, and then of the ability to delay posting the PoC - creating administrative work for all of us out of thin air.)

The policy:

http://oss-security.openwall.org/wiki/mailing-lists/distros#list-policy-and-instructions-for-reporters

"If you shared exploit(s) that are not an essential part of the issue description, then at your option you may slightly delay posting them to oss-security but you must post the exploits to oss-security within at most 7 days"

Also, it looks like Gentoo and Amazon failed to track this and remind you on November 10. They should have, as per:

http://oss-security.openwall.org/wiki/mailing-lists/distros#contributing-back

"12. If exploit(s) were shared on the list, make sure that either they're included in the oss-security posting along with the issue detail or the posting includes an announcement of planned later posting of the exploits (with the delay being within list policy), and in the latter case also make sure that the later posting is in fact made as planned, and remind the reporter if not - primary: Gentoo, backup: Amazon"

So at least this worked as an almost failed test of our handling of this little administrative task. Maybe on some other occasion it would be actually important, so let's debug and fix it now.

Alexander