Message-ID: <20171127210148.GA27739@perpetual.pseudorandom.co.uk>
Date: Mon, 27 Nov 2017 21:01:48 +0000
From: Simon McVittie <smcv@...ian.org>
To: oss-security@...ts.openwall.com
Subject: Re: Re: Security risk of server side text editing ...

On Mon, 27 Nov 2017 at 14:10:54 -0500, Scott Court wrote:
> 3. Vim.tiny race condition (Doesn't have a CVE ID as far as I know)
> 
> I'm not quite sure who discovered this vulnerability (I don't use or follow
> vim.tiny)

It's just a particular binary build of vim. The vim Debian source package
builds vim several times with different options: vim.tiny is the
smallest, with no GUI and no Perl/Python/Ruby/Lua bindings.
Fedora /bin/vi is a similar small vim build.

I would be quite surprised if there are any vulnerabilities in vim.tiny
that aren't also present in the larger builds like vim.gtk3.
In particular, swap file handling and its interaction with setuid are
almost certainly the same in all builds of the same vim source code.

    smcv
