|
Message-ID: <CADyTPEwtFD=d_JB4n0s+9G867D_tNmSQOTt_f=EtNeqYp22Eyw@mail.gmail.com> Date: Fri, 3 Nov 2017 14:14:11 -0400 From: Nick Bowler <nbowler@...conx.ca> To: oss-security@...ts.openwall.com Subject: Re: Re: Fw: Security risk of vim swap files On 2017-11-03, Scott Court <z5t1@...1.com> wrote: > I have refined the vimrc changes that I originally posted (with the help > of Christian) and have found appending the following to your vimrc be a > decent way to mitigate against all known forms of this attack until a > proper patch is released: > > " Move the swap file location to protect against CVE-2017-1000382 > " More information at > http://security.cucumberlinux.com/security/details.php?id=120 > " A big thanks goes to Christian Brabandt (cb@...bit.org) > " for helping with this fix. > if ! isdirectory("~/.vim/swap/") > silent !install -d -m 700 ~/.vim/swap/ 2>&1 > /dev/null > endif > set directory=~/.vim/swap// > > The only drawback to this approach is that it eliminates the warning > when multiple users attempt to edit the same file at the same time; > however, this seems preferable to the alternative of being vulnerable. This is not the "only drawback". Among other things, such configuration fails very badly when network mounts are involved. - If the swap directory is shared between multiple hosts (e.g., $HOME is NFS-mounted), then you will get false positives when editing files that happen to share a filename on different hosts. - If the file being edited is shared between multiple hosts, then you will get false negatives when trying to edit that file from different hosts. Or a combination of the two scenarios. In the default mode, network mounts basically work as expected because the swapfile location is shared the same way. Cheers, Nick
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.