Bug#463530: vim-tiny: default viminfo option might leak sensitive information.

giuseppe bonacci g.bonacci at libero.it
Fri Feb 1 09:37:42 UTC 2008


Package: vim-tiny
Version: 1:7.0-122+1etch3
Severity: normal


with the default (upstream) settings for the viminfo option, vim saves the
contents of up to 50 buffers (including the unnamed buffer) in ~/.viminfo.

if one user doesn't know about the .viminfo file (which is very likely),
she can for example edit a file containing sensitive information, cut and
paste several times, then save the file, encrypt it with gpg, remove (shred)
the cleartext file, and believe her information is completely safe, while
in fact it's readable to anybody having read access to ~/.viminfo, e.g.
the superuser on her system, or someone who stole the usb key where she
backed up her home directory.

the same danger exists for other information, such as gpg and ssh private
keys, but these can be protected by a passphrase (strongly recommended).

best regards,
-- giuseppe


-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-5-686
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages vim-tiny depends on:
ii  libc6                  2.3.6.ds1-13etch4 GNU C Library: Shared libraries
ii  libncurses5            5.5-5             Shared libraries for terminal hand
ii  vim-common             1:7.0-122+1etch3  Vi IMproved - Common files

vim-tiny recommends no packages.

-- no debconf information
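As an added illustration (not part of the bug report above, and not vim's own code): a small POSIX sh script that lists what a ~/.viminfo file has saved under its "# Registers:" section, and checks whether a given value of the 'viminfo' option keeps register contents out of the file. The sample file it writes is constructed; it assumes the layout Vim writes for registers (a header line starting with " and the register name, followed by the register text, one tab-indented line each), and the function names are the example's own. Per :help 'viminfo', a "<0" item (zero lines per register) or "s0" item (zero KiB per item) disables saving registers, and an empty value disables the file entirely.

```shell
#!/bin/sh
# Added example: audit a viminfo file for saved register text, and show the
# viminfo setting that stops Vim from writing it. Not vim's code.

# Print the register text saved in the given viminfo file, one line per
# saved line, prefixed with the register header as Vim wrote it.
# Assumption: register headers start with '"' and their text lines with a tab.
viminfo_saved_registers() {
    awk '
        /^# /            { in_regs = ($0 == "# Registers:"); next }
        in_regs && /^"/  { reg = $1; next }
        in_regs && /^\t/ { sub(/^\t/, ""); print reg ": " $0 }
    ' "$1"
}

# Number of lines of register text the file holds (0 means nothing leaked).
viminfo_saved_register_lines() {
    viminfo_saved_registers "$1" | wc -l | tr -d ' '
}

# True (exit 0) when a value of the 'viminfo' option keeps registers out of
# the file: an empty value (no viminfo at all), or a "<0" or "s0" item.
viminfo_value_keeps_registers_out() {
    case ",$1," in
        ",,")                 return 0 ;;
        *",<0,"*|*",s0,"*)    return 0 ;;
        *)                    return 1 ;;
    esac
}

# The ~/.vimrc line this example recommends: keep marks for 20 files but
# never write register contents. The existing ~/.viminfo must still be
# removed (shred it), since whatever it already holds stays readable.
vimrc_fix_line() {
    printf "set viminfo='20,<0,s0\n"
}

# Constructed sample viminfo in the assumed layout (two saved register lines).
write_sample_viminfo() {
    {
        printf '# This viminfo file was generated by Vim 7.0.\n'
        printf '# File marks:\n'
        printf "'0  1  0  ~/notes.txt\n"
        printf '\n# Registers:\n'
        printf '""0\tLINE\t0\n'
        printf '\tthis line was yanked from a file that was later encrypted\n'
        printf '"a\tCHAR\t0\n'
        printf '\t-----BEGIN PGP PRIVATE KEY BLOCK-----\n'
        printf '\n# History of marks within files (newest to oldest):\n'
        printf '\n> ~/notes.txt\n'
    } > "$1"
}

# Demo: write the sample, show what would leak, then show the fix.
sample=$(mktemp)
write_sample_viminfo "$sample"
echo "register text saved in $sample:"
viminfo_saved_registers "$sample"
echo "default value '20,<50,s10,h keeps registers out: $(viminfo_value_keeps_registers_out "'20,<50,s10,h" && echo yes || echo no)"
echo "add to ~/.vimrc: $(vimrc_fix_line)"
rm -f "$sample"
```

Run it against a real file with `viminfo_saved_registers ~/.viminfo` to see what a backup of the home directory, or root, can read; the fix line only prevents future writes, so the old file has to be shredded as well.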