about #290507, possible security bug

James Vega jamessan at jamessan.com
Thu Dec 15 05:39:39 UTC 2005


On Wed, Dec 14, 2005 at 12:22:06AM +0100, Stefano Zacchiroli wrote:
> Quoting from the bug report:
> 
> > Vim does not close temporary file (.file.swp) when executing shell, so
> > program executed in shell can read and write from/to that file, even
> > if it is not possible with normal command invocation. Not sure whether
> > it is really security problem though.
> 
> Do you think this is a security issue?
> 
> I'm hardly a security expert but I can't see how it can be. Everything
> that can be done in the vim interactive shell on the .swp file could
> have been done on the original file not being inside vim. The only risk
> I can imagine is if the .swp file contains sensible information, but
> according to the vim documentation it is not the case.

The reason I believe the submitter classified it as a security bug is
because he is modifying the swapfile (owned by root) as a non-root user.
I was able to reproduce this, but I'm not sure if it is possible to
perform said modification outside of the shell (and su shell) invoked
from Vim.  It may be worthwhile asking Bram to close the swapfile's file
descriptor before invoking a shell just to be on the safe side.

James
-- 
GPG Key: 1024D/61326D40 2003-09-02 James Vega <jamessan at jamessan.com>
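
The descriptor inheritance discussed in this message, as an added example that is not part of the original e-mail and is not Vim's code: a process holds a file open, spawns a shell, and the shell writes through the inherited descriptor unless close-on-exec is set (one way to get the effect of closing the descriptor before invoking a shell). The temporary file name and the function `child_can_write` are constructed for this illustration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 1 if a shell exec'd from this process could write through the
 * parent's open descriptor, 0 if it could not, -1 on setup error. */
int child_can_write(int set_cloexec)
{
    char path[] = "/tmp/swap-demo-XXXXXX";  /* constructed stand-in for .file.swp */
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    unlink(path);  /* no name left: only the open descriptor grants access */

    /* Mitigation under test: mark the descriptor close-on-exec. */
    if (set_cloexec && fcntl(fd, F_SETFD, FD_CLOEXEC) < 0) {
        close(fd);
        return -1;
    }

    pid_t pid = fork();
    if (pid < 0) {
        close(fd);
        return -1;
    }
    if (pid == 0) {
        /* Child: run a shell that writes to the inherited descriptor number.
         * Assumes fd is a single digit, which holds for a fresh process. */
        char cmd[64];
        snprintf(cmd, sizeof cmd, "echo tampered 2>/dev/null >&%d", fd);
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }

    int status;
    if (waitpid(pid, &status, 0) < 0) {
        close(fd);
        return -1;
    }
    off_t size = lseek(fd, 0, SEEK_END);  /* did the shell's write land? */
    close(fd);
    return size > 0 ? 1 : 0;
}

int main(void)
{
    printf("inherited descriptor writable: %d\n", child_can_write(0));
    printf("with FD_CLOEXEC writable:      %d\n", child_can_write(1));
    return 0;
}
```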