about #290507, possible security bug

Stefano Zacchiroli zack at debian.org
Tue Dec 13 23:22:06 UTC 2005


Quoting from the bug report:

> Vim does not close temporary file (.file.swp) when executing shell, so
> program executed in shell can read and write from/to that file, even
> if it is not possible with normal command invocation. Not sure whether
> it is really security problem though.

Do you think this is a security issue?

I'm hardly a security expert but I can't see how it can be. Everything
that can be done in the vim interactive shell on the .swp file could
have been done on the original file not being inside vim. The only risk
I can imagine is if the .swp file contains sensible information, but
according to the vim documentation it is not the case.

If you agree with me that this is not a security issue, I hardly can see
how this can be considered a bug at all ...

-- 
Stefano Zacchiroli -*- Computer Science PhD student @ Uny Bologna, Italy
zack@{cs.unibo.it,debian.org,bononia.it} -%- http://www.bononia.it/zack/
If there's any real truth it's that the entire multidimensional infinity
of the Universe is almost certainly being run by a bunch of maniacs. -!-
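
The behaviour the bug report describes, a descriptor that stays open across the exec of a shell, shown as an added example that is not part of the original message and is not Vim's code. It assumes a POSIX system with /bin/sh; the function name child_can_use_fd and the scratch file path are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Open a scratch file (stand-in for a swap file), optionally mark its
 * descriptor close-on-exec, then fork and exec a shell that tries to write
 * to that descriptor number. Returns 1 if the shell could write through
 * the inherited descriptor, 0 if it could not, -1 on error. */
int child_can_use_fd(int cloexec)
{
    char path[] = "/tmp/swp_demo_XXXXXX";      /* constructed scratch file */
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    unlink(path);                              /* no name left; fd stays valid */
    if (fd > 9) { close(fd); return -1; }      /* keep ">&N" single-digit for any sh */
    if (cloexec) {
        /* Mitigation: the kernel closes the descriptor at exec time.
         * Passing O_CLOEXEC to open() achieves the same atomically. */
        int flags = fcntl(fd, F_GETFD);
        if (flags < 0 || fcntl(fd, F_SETFD, flags | FD_CLOEXEC) < 0) {
            close(fd); return -1;
        }
    }
    char cmd[32];
    snprintf(cmd, sizeof cmd, "echo leaked >&%d", fd);
    pid_t pid = fork();
    if (pid < 0) { close(fd); return -1; }
    if (pid == 0) {
        int devnull = open("/dev/null", O_WRONLY);   /* hide "bad fd" noise */
        if (devnull >= 0) dup2(devnull, STDERR_FILENO);
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) { close(fd); return -1; }
    off_t size = lseek(fd, 0, SEEK_END);       /* did the child's write land? */
    close(fd);
    return size > 0;
}

int main(void)
{
    printf("inherited descriptor usable by shell: %d\n", child_can_use_fd(0));
    printf("with FD_CLOEXEC set:                  %d\n", child_can_use_fd(1));
    return 0;
}
```
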