Re: Re: Security risk of server side text editing ...

[Scott Court <z5t1 () z5t1 com>]

This has been assigned CVE-2017-17087
> >     2. Vim .swp file group (Doesn't have a CVE ID)
> >
> > This vulnerability was discovered by me. When Vim creates a .swp file,
> > the .swp file is created with the owner and group set to the editor and
> > editor's primary group respectively. The .swp file is the set to the
> > same permissions as the original file (i.e. chmod 640). This creates a
> > security vulnerability when the editor's primary group is not the same
> > as the original file's group.
> >
> > For example, say the root user's primary group is "users", which every
> > user is a member of. If root goes to edit /etc/shadow, the
> > /etc/.shadow.swp file is created with permissions 640 and user:group set
> > to root:users. The original /etc/shadow file had user:group set to
> > root:shadow though; this now exposes the /etc/shadow file (which mind
> > you contains hashes of every user's password) to every user on the system.
> >
> > Originally, I thought this was an extension of CVE-2017-1000382 so I
> > didn't bother trying to get a CVE ID for it; however, upon looking at it
> > for a second time, it seems that this is indeed a different
> > vulnerability. It is possible to patch this vulnerability without
> > patching CVE-2017-1000382.

Attachment: signature.asc
Description: OpenPGP digital signature