Fix for CVE-2017-17087
Issue: Others can read the swap file if a user is careless with his
primary group.
Solution: If the group permission allows for reading but the world
permissions doesn't, make sure the group is right.
CVE-2017-1000382
The change to the /etc/vimrc file has been refined, with the help of Christian
Brabandt (cb@256bit.org), since this report was originally published. The
final modification to /etc/vimrc which ultimately prevents this attack
Change-Id: I1dab6d4f6ac06b2f73b27909d7a7905592a6e65a
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/5348
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Srinidhi Rao <srinidhir@vmware.com>
Reviewed-by: Alexey Makhalov <amakhalov@vmware.com>
1 | 1 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,52 @@ |
0 |
+From 5a73e0ca54c77e067c3b12ea6f35e3e8681e8cf8 Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Bram Moolenaar <Bram@vim.org> |
|
2 |
+Date: Sat, 4 Nov 2017 21:35:01 +0100 |
|
3 |
+Subject: [PATCH] patch 8.0.1263: others can read the swap file if a user is |
|
4 |
+ careless |
|
5 |
+ |
|
6 |
+Problem: Others can read the swap file if a user is careless with his |
|
7 |
+ primary group. |
|
8 |
+Solution: If the group permission allows for reading but the world |
|
9 |
+ permissions doesn't, make sure the group is right. |
|
10 |
+--- |
|
11 |
+ src/Makefile | 1 + |
|
12 |
+ src/fileio.c | 24 +++++++++- |
|
13 |
+ src/testdir/test_swap.vim | 112 ++++++++++++++++++++++++++++++---------------- |
|
14 |
+ src/version.c | 2 + |
|
15 |
+ 4 files changed, 99 insertions(+), 40 deletions(-) |
|
16 |
+ |
|
17 |
+diff --git a/src/fileio.c b/src/fileio.c |
|
18 |
+index 87b85cf..34dcdb6 100644 |
|
19 |
+--- a/src/fileio.c |
|
20 |
+@@ -716,7 +716,29 @@ readfile( |
|
21 |
+ /* Set swap file protection bits after creating it. */ |
|
22 |
+ if (swap_mode > 0 && curbuf->b_ml.ml_mfp != NULL |
|
23 |
+ && curbuf->b_ml.ml_mfp->mf_fname != NULL) |
|
24 |
+- (void)mch_setperm(curbuf->b_ml.ml_mfp->mf_fname, (long)swap_mode); |
|
25 |
++ { |
|
26 |
++ char_u *swap_fname = curbuf->b_ml.ml_mfp->mf_fname; |
|
27 |
++ |
|
28 |
++ /* |
|
29 |
++ * If the group-read bit is set but not the world-read bit, then |
|
30 |
++ * the group must be equal to the group of the original file. If |
|
31 |
++ * we can't make that happen then reset the group-read bit. This |
|
32 |
++ * avoids making the swap file readable to more users when the |
|
33 |
++ * primary group of the user is too permissive. |
|
34 |
++ */ |
|
35 |
++ if ((swap_mode & 044) == 040) |
|
36 |
++ { |
|
37 |
++ stat_T swap_st; |
|
38 |
++ |
|
39 |
++ if (mch_stat((char *)swap_fname, &swap_st) >= 0 |
|
40 |
++ && st.st_gid != swap_st.st_gid |
|
41 |
++ && fchown(curbuf->b_ml.ml_mfp->mf_fd, -1, st.st_gid) |
|
42 |
++ == -1) |
|
43 |
++ swap_mode &= 0600; |
|
44 |
++ } |
|
45 |
++ |
|
46 |
++ (void)mch_setperm(swap_fname, (long)swap_mode); |
|
47 |
++ } |
|
48 |
+ #endif |
|
49 |
+ } |
|
50 |
+ |
... | ... |
@@ -3,7 +3,7 @@ |
3 | 3 |
Summary: Text editor |
4 | 4 |
Name: vim |
5 | 5 |
Version: 8.0.0533 |
6 |
-Release: 3%{?dist} |
|
6 |
+Release: 4%{?dist} |
|
7 | 7 |
License: Charityware |
8 | 8 |
URL: http://www.vim.org |
9 | 9 |
Group: Applications/Editors |
... | ... |
@@ -12,6 +12,7 @@ Distribution: Photon |
12 | 12 |
Source0: %{name}-%{version}.tar.gz |
13 | 13 |
%define sha1 vim=6169cece15cb139db3ceff9c9ba2bf74013b1e02 |
14 | 14 |
BuildRequires: ncurses-devel |
15 |
+Patch0: CVE-2017-17087.patch |
|
15 | 16 |
|
16 | 17 |
%description |
17 | 18 |
The Vim package contains a powerful text editor. |
... | ... |
@@ -26,6 +27,8 @@ The vim extra package contains a extra files for powerful text editor. |
26 | 26 |
|
27 | 27 |
%prep |
28 | 28 |
%setup -q |
29 |
+%patch0 -p1 |
|
30 |
+ |
|
29 | 31 |
echo '#define SYS_VIMRC_FILE "/etc/vimrc"' >> src/feature.h |
30 | 32 |
%build |
31 | 33 |
./configure \ |
... | ... |
@@ -56,7 +59,12 @@ nmap <F10> :q!<CR> |
56 | 56 |
nmap <Esc><Esc> :q<CR> |
57 | 57 |
" Use 4 space characters instead of tab for python files |
58 | 58 |
au BufEnter,BufNew *.py set tabstop=4 shiftwidth=4 expandtab |
59 |
- |
|
59 |
+" Move the swap file location to protect against CVE-2017-1000382 |
|
60 |
+" More information at http://security.cucumberlinux.com/security/details.php?id=120 |
|
61 |
+if ! isdirectory("~/.vim/swap/") |
|
62 |
+ call system('install -d -m 700 ~/.vim/swap') |
|
63 |
+endif |
|
64 |
+set directory=~/.vim/swap// |
|
60 | 65 |
" End /etc/vimrc |
61 | 66 |
EOF |
62 | 67 |
|
... | ... |
@@ -165,6 +173,8 @@ make test |
165 | 165 |
%{_bindir}/vimdiff |
166 | 166 |
|
167 | 167 |
%changelog |
168 |
+* Tue Jul 10 2018 Tapas Kundu <tkundu@vmware.com> 8.0.0533-4 |
|
169 |
+- Fix for CVE-2017-17087 and CVE-2017-1000382. |
|
168 | 170 |
* Mon Aug 14 2017 Chang Lee <changlee@vmware.com> 8.0.0533-3 |
169 | 171 |
- Disabled Test_recover_root_dir in %check |
170 | 172 |
* Tue May 02 2017 Anish Swaminathan <anishs@vmware.com> 8.0.0533-2 |
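Review bot: The `isdirectory("~/.vim/swap/")` guard in the /etc/vimrc hunk is, as far as I know, never true, because Vim's `isdirectory()` takes the name as given and does not expand `~`; `system('install -d -m 700 ~/.vim/swap')` would then spawn a shell on every start of every user's Vim. Expanding the path and using the built-in mkdir keeps the 0700 mode without a shell: `if !isdirectory(expand('~/.vim/swap'))` and `call mkdir(expand('~/.vim/swap'), 'p', 0700)`. `set directory=~/.vim/swap//` lists no fallback location, so a short comment in the vimrc should say what is expected when the directory cannot be created (for example when $HOME is not writable); presumably Vim then warns and runs without a swap file, but that should be confirmed.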