Browse code
Fix for CVE-2017-17087 and CVE-2017-1000382
Fix for CVE-2017-17087
Issue: Others can read the swap file if a user is careless with his
primary group.
Solution: If the group permission allows for reading but the world
permissions doesn't, make sure the group is right.
CVE-2017-1000382
The change to the /etc/vimrc file has been refined since this report was
originally published with the help of Christian Brabandt (cb@256bit.org). The
final modification to /etc/vimrc which ultimately prevents this attack
Change-Id: I1dab6d4f6ac06b2f73b27909d7a7905592a6e65a
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/5348
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Srinidhi Rao <srinidhir@vmware.com>
Reviewed-by: Alexey Makhalov <amakhalov@vmware.com>
Tapas Kundu authored on 2018/07/13 02:05:27Showing 2 changed files
| 1 | 1 |
new file mode 100644 |
| ... | ... |
@@ -0,0 +1,52 @@ |
| 0 |
+From 5a73e0ca54c77e067c3b12ea6f35e3e8681e8cf8 Mon Sep 17 00:00:00 2001 |
|
| 1 |
+From: Bram Moolenaar <Bram@vim.org> |
|
| 2 |
+Date: Sat, 4 Nov 2017 21:35:01 +0100 |
|
| 3 |
+Subject: [PATCH] patch 8.0.1263: others can read the swap file if a user is |
|
| 4 |
+ careless |
|
| 5 |
+ |
|
| 6 |
+Problem: Others can read the swap file if a user is careless with his |
|
| 7 |
+ primary group. |
|
| 8 |
+Solution: If the group permission allows for reading but the world |
|
| 9 |
+ permissions doesn't, make sure the group is right. |
|
| 10 |
+--- |
|
| 11 |
+ src/Makefile | 1 + |
|
| 12 |
+ src/fileio.c | 24 +++++++++- |
|
| 13 |
+ src/testdir/test_swap.vim | 112 ++++++++++++++++++++++++++++++---------------- |
|
| 14 |
+ src/version.c | 2 + |
|
| 15 |
+ 4 files changed, 99 insertions(+), 40 deletions(-) |
|
| 16 |
+ |
|
| 17 |
+diff --git a/src/fileio.c b/src/fileio.c |
|
| 18 |
+index 87b85cf..34dcdb6 100644 |
|
| 19 |
+--- a/src/fileio.c |
|
| 20 |
+@@ -716,7 +716,29 @@ readfile( |
|
| 21 |
+ /* Set swap file protection bits after creating it. */ |
|
| 22 |
+ if (swap_mode > 0 && curbuf->b_ml.ml_mfp != NULL |
|
| 23 |
+ && curbuf->b_ml.ml_mfp->mf_fname != NULL) |
|
| 24 |
+- (void)mch_setperm(curbuf->b_ml.ml_mfp->mf_fname, (long)swap_mode); |
|
| 25 |
++ {
|
|
| 26 |
++ char_u *swap_fname = curbuf->b_ml.ml_mfp->mf_fname; |
|
| 27 |
++ |
|
| 28 |
++ /* |
|
| 29 |
++ * If the group-read bit is set but not the world-read bit, then |
|
| 30 |
++ * the group must be equal to the group of the original file. If |
|
| 31 |
++ * we can't make that happen then reset the group-read bit. This |
|
| 32 |
++ * avoids making the swap file readable to more users when the |
|
| 33 |
++ * primary group of the user is too permissive. |
|
| 34 |
++ */ |
|
| 35 |
++ if ((swap_mode & 044) == 040) |
|
| 36 |
++ {
|
|
| 37 |
++ stat_T swap_st; |
|
| 38 |
++ |
|
| 39 |
++ if (mch_stat((char *)swap_fname, &swap_st) >= 0 |
|
| 40 |
++ && st.st_gid != swap_st.st_gid |
|
| 41 |
++ && fchown(curbuf->b_ml.ml_mfp->mf_fd, -1, st.st_gid) |
|
| 42 |
++ == -1) |
|
| 43 |
++ swap_mode &= 0600; |
|
| 44 |
++ } |
|
| 45 |
++ |
|
| 46 |
++ (void)mch_setperm(swap_fname, (long)swap_mode); |
|
| 47 |
++ } |
|
| 48 |
+ #endif |
|
| 49 |
+ } |
|
| 50 |
+ |
| ... | ... |
@@ -3,7 +3,7 @@ |
| 3 | 3 |
Summary: Text editor |
| 4 | 4 |
Name: vim |
| 5 | 5 |
Version: 8.0.0533 |
| 6 |
-Release: 3%{?dist}
|
|
| 6 |
+Release: 4%{?dist}
|
|
| 7 | 7 |
License: Charityware |
| 8 | 8 |
URL: http://www.vim.org |
| 9 | 9 |
Group: Applications/Editors |
| ... | ... |
@@ -12,6 +12,7 @@ Distribution: Photon |
| 12 | 12 |
Source0: %{name}-%{version}.tar.gz
|
| 13 | 13 |
%define sha1 vim=6169cece15cb139db3ceff9c9ba2bf74013b1e02 |
| 14 | 14 |
BuildRequires: ncurses-devel |
| 15 |
+Patch0: CVE-2017-17087.patch |
|
| 15 | 16 |
|
| 16 | 17 |
%description |
| 17 | 18 |
The Vim package contains a powerful text editor. |
| ... | ... |
@@ -26,6 +27,8 @@ The vim extra package contains a extra files for powerful text editor. |
| 26 | 26 |
|
| 27 | 27 |
%prep |
| 28 | 28 |
%setup -q |
| 29 |
+%patch0 -p1 |
|
| 30 |
+ |
|
| 29 | 31 |
echo '#define SYS_VIMRC_FILE "/etc/vimrc"' >> src/feature.h |
| 30 | 32 |
%build |
| 31 | 33 |
./configure \ |
| ... | ... |
@@ -56,7 +59,12 @@ nmap <F10> :q!<CR> |
| 56 | 56 |
nmap <Esc><Esc> :q<CR> |
| 57 | 57 |
" Use 4 space characters instead of tab for python files |
| 58 | 58 |
au BufEnter,BufNew *.py set tabstop=4 shiftwidth=4 expandtab |
| 59 |
- |
|
| 59 |
+" Move the swap file location to protect against CVE-2017-1000382 |
|
| 60 |
+" More information at http://security.cucumberlinux.com/security/details.php?id=120 |
|
| 61 |
+if ! isdirectory("~/.vim/swap/")
|
|
| 62 |
+ call system('install -d -m 700 ~/.vim/swap')
|
|
| 63 |
+endif |
|
| 64 |
+set directory=~/.vim/swap// |
|
| 60 | 65 |
" End /etc/vimrc |
| 61 | 66 |
EOF |
| 62 | 67 |
|
| ... | ... |
@@ -165,6 +173,8 @@ make test |
| 165 | 165 |
%{_bindir}/vimdiff
|
| 166 | 166 |
|
| 167 | 167 |
%changelog |
| 168 |
+* Tue Jul 10 2018 Tapas Kundu <tkundu@vmware.com> 8.0.0533-4 |
|
| 169 |
+- Fix for CVE-2017-17087 and CVE-2017-1000382. |
|
| 168 | 170 |
* Mon Aug 14 2017 Chang Lee <changlee@vmware.com> 8.0.0533-3 |
| 169 | 171 |
- Disabled Test_recover_root_dir in %check |
| 170 | 172 |
* Tue May 02 2017 Anish Swaminathan <anishs@vmware.com> 8.0.0533-2 |