oss-sec mailing list archives

Re: Re: Security risk of server side text editing ...


From: Simon McVittie <smcv () debian org>
Date: Mon, 27 Nov 2017 21:01:48 +0000

On Mon, 27 Nov 2017 at 14:10:54 -0500, Scott Court wrote:
> 3. Vim.tiny race condition (Doesn't have a CVE ID as far as I know)
>
> I'm not quite sure who discovered this vulnerability (I don't use or follow
> vim.tiny)

It's just a particular binary build of vim. The vim Debian source package
builds vim several times with different options: vim.tiny is the
smallest, with no GUI and no Perl/Python/Ruby/Lua bindings.
Fedora /bin/vi is a similar small vim build.

I would be quite surprised if there are any vulnerabilities in vim.tiny
that aren't also present in the larger builds like vim.gtk3.
In particular, swap file handling and its interaction with setuid are
almost certainly the same in all builds of the same vim source code.

    smcv
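A practical check that follows from the reply above, added here as an example and not part of the thread or of vim's own tooling: given the output of `vim --version` for whichever binary is installed (`vim.tiny`, `/bin/vi`, `vim.gtk3`), report whether it is a "tiny"-style build in the sense the mail uses (no GUI, no Perl/Python/Ruby/Lua bindings). vim really does print the build type on one line and each feature as `+name` or `-name`; the two sample outputs below are constructed and abridged for the example, not copied from any real build. Note what this does not tell you: as the mail points out, swap-file handling and its setuid interaction come from the same source in every build, so the feature list is no guide to whether a given binary is affected.

```shell
#!/bin/sh
# Added example (not from the mail or from vim): tell a "tiny"-style vim build
# from a full one by parsing `vim --version` output. vim prints the build type
# on one line ("... version with GTK3 GUI." or "... version without GUI.") and
# then every feature as +name (compiled in) or -name (left out).

# vim_features: read `vim --version` text on stdin, emit one +name/-name token
# per line, sorted. Only lines that start with a feature token are considered,
# so the "Compilation:" line (gcc flags such as -g) is never mistaken for one.
vim_features() {
    grep -E '^[+-][a-z0-9_]' | tr -s '[:space:]' '\n' \
        | grep -E '^[+-][a-z0-9_]+(/dyn)?$' | sort -u
}

# has_feature NAME: succeed if "+NAME" or "+NAME/dyn" is in the token list on stdin.
has_feature() {
    grep -qE "^\\+$1(/dyn)?\$"
}

# classify_build: read `vim --version` text on stdin and print "tiny-style" if
# the binary has no GUI and none of the Perl/Python/Ruby/Lua bindings (the
# properties the mail gives for vim.tiny), otherwise "full-style".
classify_build() {
    text=$(cat)
    # "version with <toolkit> GUI." marks a GUI build; "version without GUI." does not match.
    if printf '%s\n' "$text" | grep -q 'version with [^ ]* GUI'; then
        echo full-style
        return 0
    fi
    feats=$(printf '%s\n' "$text" | vim_features)
    for f in perl python python3 ruby lua; do
        if printf '%s\n' "$feats" | has_feature "$f"; then
            echo full-style
            return 0
        fi
    done
    echo tiny-style
}

# Constructed, abridged --version samples (illustrative, not real build output).
SAMPLE_TINY='VIM - Vi IMproved 8.0 (2016 Sep 12)
Small version without GUI.  Features included (+) or not (-):
+acl               -farsi             -mouse_sysmouse    -tag_any_white
-arabic            +file_in_path      -perl              -python
-lua               -python3           -ruby              +syntax
Compilation: gcc -c -I. -g -O2'

SAMPLE_GTK3='VIM - Vi IMproved 8.0 (2016 Sep 12)
Huge version with GTK3 GUI.  Features included (+) or not (-):
+acl               +farsi             +mouse_sysmouse    -tag_any_white
+arabic            +file_in_path      +perl              -python
+lua               +python3           +ruby              +syntax
Compilation: gcc -c -I. -g -O2'

# Demo on the constructed samples. For a real binary use e.g.:
#   vim.tiny --version | classify_build
printf '%s\n' "$SAMPLE_TINY" | classify_build   # tiny-style
printf '%s\n' "$SAMPLE_GTK3" | classify_build   # full-style
```

The feature tokens are only read from lines that begin with `+` or `-`, so the `-g` in the compiler flags line is ignored; `/dyn` suffixes (dynamically loaded bindings on some platforms) still count as present.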
