Bug#463530: vim-tiny: default viminfo option might leak sensitive information.
giuseppe bonacci
g.bonacci at libero.it
Fri Feb 1 09:37:42 UTC 2008
Package: vim-tiny
Version: 1:7.0-122+1etch3
Severity: normal

with the default (upstream) settings for the viminfo option, vim saves the
contents of up to 50 buffers (including the unnamed buffer) in ~/.viminfo.

if one user doesn't know about the .viminfo file (which is very likely),
she can for example edit a file containing sensitive information, cut and
paste several times, then save the file, encrypt it with gpg, remove (shred)
the cleartext file, and believe her information is completely safe, while
in fact it's readable to anybody having read access to ~/.viminfo, e.g.
the superuser on her system, or someone who stole the usb key where she
backed up her home directory.

the same danger exists for other information, such as gpg and ssh private
keys, but these can be protected by a passphrase (strongly recommended).

best regards,
-- giuseppe

-- System Information:
Debian Release: 4.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-5-686
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Versions of packages vim-tiny depends on:
ii libc6 2.3.6.ds1-13etch4 GNU C Library: Shared libraries
ii libncurses5 5.5-5 Shared libraries for terminal hand
ii vim-common 1:7.0-122+1etch3 Vi IMproved - Common files
vim-tiny recommends no packages.
-- no debconf information
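
An added example, not part of the original report or of Vim: a Python check that lists which registers a viminfo file still holds and whether group or others can read the file. The embedded sample is constructed, and the parser assumes the plain-text register layout written by Vim 7 (a quoted register header followed by tab-indented lines).

```python
import os
import stat
import tempfile

# Constructed sample in the Vim 7 viminfo text layout (not from a real system).
SAMPLE = (
    "# Registers:\n"
    '""1\tLINE\t0\n'
    "\tpassword: constructed-example\n"
    "\tpin: 0000\n"
    '"a\tCHAR\t0\n'
    "\tanother yanked fragment\n"
    "# History of marks within files (newest to oldest):\n"
    "> ~/notes.txt\n"
    '\t"\t3\t0\n'
)

def saved_registers(text):
    """Return {register name: [saved lines]} parsed from viminfo text."""
    regs, current = {}, None
    for line in text.splitlines():
        if line.startswith('"'):
            # Header like '"a<TAB>CHAR<TAB>0'; an extra leading quote marks
            # the register the unnamed register points to ('""1...').
            name = line.split("\t", 1)[0].lstrip('"')
            current = regs.setdefault(name, [])
        elif line.startswith("\t") and current is not None:
            current.append(line[1:])  # register text is tab-indented
        else:
            current = None  # comments, marks and history end a register
    return regs

def audit(path):
    """Report register names and line counts (never the text) plus file mode."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path, encoding="utf-8", errors="replace") as fh:
        regs = saved_registers(fh.read())
    return {
        "group_or_other_readable": bool(mode & 0o044),
        "registers": {name: len(lines) for name, lines in regs.items()},
    }

if __name__ == "__main__":
    # Point this at os.path.expanduser("~/.viminfo") to check a real account.
    with tempfile.NamedTemporaryFile("w", suffix=".viminfo", delete=False) as tmp:
        tmp.write(SAMPLE)
    os.chmod(tmp.name, 0o644)
    print(audit(tmp.name))
    os.remove(tmp.name)
```

Setting `<0` in the 'viminfo' option stops Vim from saving registers, and an empty `viminfo=` disables the file altogether.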