Re: Re: Fw: Security risk of vim swap files

[Kurt Seifried <kseifried () redhat com>]

On Thu, Nov 2, 2017 at 3:29 PM, Christian Brabandt <cb () 256bit org> wrote:

> Kurt Seifried wrote:
>
> > There is a flaw here, it appears on some distros that vim (and emacs)
> will
> > ignore a user's umask and go with less restrictive file permissions
> > (ideally you think vi would use the files existing perms, plus any umask
> > limitations as expected), for example vim failing:
> >
> > [kseifrie@...alhost vi]$ umask
> > 0007
> > [kseifrie@...alhost vi]$ touch foo
> > [kseifrie@...alhost vi]$ ls -la
> > total 8
> > drwxrwxr-x.  2 kseifrie kseifrie 4096 Oct 31 10:50 .
> > drwx--x---. 27 kseifrie kseifrie 4096 Oct 31 10:42 ..
> > -rw-rw----.  1 kseifrie kseifrie    0 Oct 31 10:50 foo
> > [kseifrie@...alhost vi]$ chmod o+r foo
> > [kseifrie@...alhost vi]$ ls -la
> > total 8
> > drwxrwxr-x.  2 kseifrie kseifrie 4096 Oct 31 10:50 .
> > drwx--x---. 27 kseifrie kseifrie 4096 Oct 31 10:42 ..
> > -rw-rw-r--.  1 kseifrie kseifrie    0 Oct 31 10:50 foo
> > [kseifrie@...alhost vi]$ vi foo
> >
> > in another terminal:
> >
> > [kseifrie@...alhost vi]$ ls -la
> > total 12
> > drwxrwxr-x.  2 kseifrie kseifrie 4096 Oct 31 10:50 .
> > drwx--x---. 27 kseifrie kseifrie 4096 Oct 31 10:42 ..
> > -rw-rw-r--.  1 kseifrie kseifrie    0 Oct 31 10:50 foo
> > -rw-r--r--.  1 kseifrie kseifrie 4096 Oct 31 10:50 .foo.swp
> >
> > So vim ignores the umask of the user =(.
>
> > So from a CVE perspective we have a situation where a user has explicitly
> > set a umask (of say 0007) which is to say they've made a security
> assertion
> > of "any file I create I want the rwx permissions for "other" removed"
> which
> > vim and emacs (and possibly others) are violating when they create swap
> > files/backups/whatever. To add insult to injury most other utilities that
> > create a file (e.g. cp, cat, dd) seem to respect umask.
> >
> > Please use CVE-2017-1000382 for VIM version 8.0.1187 (and other versions
> > most likely) ignores umask when creating a swap file
> > (\"[ORIGINAL_FILENAME].swp\") resulting in files that may be world
> readable
> > or otherwise accessible in ways not intended by the user running the vi
> > binary.
>
> Vim copies the permission from the file being edited. Although the swap
> file is readable by others this does not leak any information here,
> since the file being edited is already readable by others.
>
> Christian

That's usually true but it doesn't matter because a security assertion made
via umask is being violated, so it wins a CVE. Also for example if you
later delete that file and think you're safe the copy is still floating
around world readable. Or you have something indexing the files and
ignoring that file type, and the .swp gets indexed, and so on.

-- 

Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert () redhat com