5.5 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
2.1 Low
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:L/AC:L/Au:N/C:P/I:N/A:N
0.0004 Low
EPSS
Percentile
11.7%
VIM version 8.0.1187 (and other versions most likely) ignores umask when
creating a swap file (“[ORIGINAL_FILENAME].swp”) resulting in files that
may be world readable or otherwise accessible in ways not intended by the
user running the vi binary.
Author | Note |
---|---|
leosilva | I could reproduce following openwall steps after apply the patch community put available and repeat the steps in openwall I still got the same bug behaviour so not sure if patch fix it waiting any comment from community I could confirm with upstream the patch debian put available from upstream doesn’t fix the issue |
msalvatore | Ignoring this CVE. Bram Moolenar (vim’s BDFL) had this to say: 1) The permissions are the same as the original file, and that is exactly how it should be. 2) This is working as intended, Vim does not use umask this way. Umask is only used by simple commands such as cp, not by long running processes that deal with many files. Problem is with the user expectations. |
www.openwall.com/lists/oss-security/2017/10/31/1
www.openwall.com/lists/oss-security/2017/10/31/15
groups.google.com/forum/#!msg/vim_dev/sRT9BtjLWMk/MZyVYhshBwAJ
launchpad.net/bugs/cve/CVE-2017-1000382
nvd.nist.gov/vuln/detail/CVE-2017-1000382
security-tracker.debian.org/tracker/CVE-2017-1000382
www.cve.org/CVERecord?id=CVE-2017-1000382
5.5 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
2.1 Low
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:L/AC:L/Au:N/C:P/I:N/A:N
0.0004 Low
EPSS
Percentile
11.7%