oss-sec mailing list archives

Re: Fw: Security risk of vim swap files

From: Christian Brabandt <cb () 256bit org>
Date: Thu, 2 Nov 2017 22:29:16 +0100

Kurt Seifried wrote:

There is a flaw here, it appears on some distros that vim (and emacs) will
ignore a user's umask and go with less restrictive file permissions
(ideally you think vi would use the files existing perms, plus any umask
limitations as expected), for example vim failing:

[kseifrie@...alhost vi]$ umask
0007
[kseifrie@...alhost vi]$ touch foo
[kseifrie@...alhost vi]$ ls -la
total 8
drwxrwxr-x.  2 kseifrie kseifrie 4096 Oct 31 10:50 .
drwx--x---. 27 kseifrie kseifrie 4096 Oct 31 10:42 ..
-rw-rw----.  1 kseifrie kseifrie    0 Oct 31 10:50 foo
[kseifrie@...alhost vi]$ chmod o+r foo
[kseifrie@...alhost vi]$ ls -la
total 8
drwxrwxr-x.  2 kseifrie kseifrie 4096 Oct 31 10:50 .
drwx--x---. 27 kseifrie kseifrie 4096 Oct 31 10:42 ..
-rw-rw-r--.  1 kseifrie kseifrie    0 Oct 31 10:50 foo
[kseifrie@...alhost vi]$ vi foo

in another terminal:

[kseifrie@...alhost vi]$ ls -la
total 12
drwxrwxr-x.  2 kseifrie kseifrie 4096 Oct 31 10:50 .
drwx--x---. 27 kseifrie kseifrie 4096 Oct 31 10:42 ..
-rw-rw-r--.  1 kseifrie kseifrie    0 Oct 31 10:50 foo
-rw-r--r--.  1 kseifrie kseifrie 4096 Oct 31 10:50 .foo.swp

So vim ignores the umask of the user =(.

So from a CVE perspective we have a situation where a user has explicitly
set a umask (of say 0007) which is to say they've made a security assertion
of "any file I create I want the rwx permissions for "other" removed" which
vim and emacs (and possibly others) are violating when they create swap
files/backups/whatever. To add insult to injury most other utilities that
create a file (e.g. cp, cat, dd) seem to respect umask.

Please use CVE-2017-1000382 for VIM version 8.0.1187 (and other versions
most likely) ignores umask when creating a swap file
(\"[ORIGINAL_FILENAME].swp\") resulting in files that may be world readable
or otherwise accessible in ways not intended by the user running the vi
binary.


Vim copies the permission from the file being edited. Although the swap 
file is readable by others this does not leak any information here, 
since the file being edited is already readable by others.

Christian

Current thread:

Re: Security risk of vim swap files, (continued)
- - - Re: Security risk of vim swap files Solar Designer (Nov 06)
    - Re: Security risk of vim swap files Jakub Wilk (Nov 06)
    - Re: Fw: Security risk of vim swap files Jakub Wilk (Nov 01)
    - Re: Fw: Security risk of vim swap files Leonid Isaev (Nov 01)
- Re: Fw: Security risk of vim swap files Kurt Seifried (Oct 31)
  - Re: Fw: Security risk of vim swap files Jan Pokorný (Nov 01)
- Re: Fw: Security risk of vim swap files Matthias Weckbecker (Nov 21)
- Re: Fw: Security risk of vim swap files Z5T1 (Nov 01)
  - Re: Re: Fw: Security risk of vim swap files Michael Orlitzky (Nov 01)
    - Re: Re: Fw: Security risk of vim swap files Florent Rougon (Nov 01)
- Re: Fw: Security risk of vim swap files Christian Brabandt (Nov 02)
  - Re: Re: Fw: Security risk of vim swap files Kurt Seifried (Nov 02)
  - Re: Re: Fw: Security risk of vim swap files Jakub Wilk (Nov 03)
    - Re: Re: Fw: Security risk of vim swap files Scott Court (Nov 03)
    - Re: Re: Fw: Security risk of vim swap files Nick Bowler (Nov 03)
    - Re: Fw: Security risk of vim swap files Christian Brabandt (Nov 03)
    - Re: Fw: Security risk of vim swap files Christian Brabandt (Nov 03)
    - Re: Fw: Security risk of vim swap files Christian Brabandt (Nov 05)
    - Re: Fw: Security risk of vim swap files Solar Designer (Nov 05)
    - Re: Fw: Security risk of vim swap files Scott Court (Nov 05)
    - Re: Fw: Security risk of vim swap files Kurt Seifried (Nov 05)

(Thread continues...)