Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 639710 (CVE-2017-17087) - <app-editors/vim-8.0.1298: Information disclosure vulnerability
Summary: <app-editors/vim-8.0.1298: Information disclosure vulnerability
Status: RESOLVED FIXED
Alias: CVE-2017-17087
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B4 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-12-04 02:06 UTC by GLSAMaker/CVETool Bot
Modified: 2018-04-08 22:01 UTC (History)
1 user (show)

See Also:
Package list:
app-editors/gvim-8.0.1298
Runtime testing required: ---
stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2017-12-04 02:06:22 UTC 
CVE-2017-17087 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-17087):
  fileio.c in Vim prior to 8.0.1263 sets the group ownership of a .swp file to
  the editor's primary group (which may be different from the group ownership
  of the original file), which allows local users to obtain sensitive
  information by leveraging an applicable group membership, as demonstrated by
  /etc/shadow owned by root:shadow mode 0640, but /etc/.shadow.swp owned by
  root:users mode 0640, a different vulnerability than CVE-2017-1000382.
Comment 1 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-12-04 02:06:52 UTC 
@Maintainers please call for stabilization when ready.

Thank you
Comment 2 Patrice Clement (RETIRED) gentoo-dev 2017-12-19 21:53:00 UTC 
Arch teams,

Please stabilise:
=app-editors/vim-8.0.1298
=app-editors/vim-core-8.0.1298
=app-editors/gvim-8.0.1298

Thank you!
Comment 3 Agostino Sarubbo gentoo-dev 2017-12-20 13:09:45 UTC 
amd64 stable
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2017-12-20 13:41:09 UTC 
x86 stable, ignored multiple test failures (bug 630042).
Comment 5 Sergei Trofimovich (RETIRED) gentoo-dev 2017-12-25 18:30:11 UTC 
ppc64 stable
Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev 2017-12-26 10:46:53 UTC 
ia64 stable
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2017-12-27 11:50:20 UTC 
ppc stable
Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev 2018-01-07 11:20:24 UTC 
sparc stable (thanks to Rolf Eike Beer)
Comment 9 Markus Meier gentoo-dev 2018-01-07 20:52:26 UTC 
arm stable
Comment 10 Tobias Klausmann (RETIRED) gentoo-dev 2018-01-20 18:05:51 UTC 
Stable on alpha.
Comment 11 Mart Raudsepp gentoo-dev 2018-03-03 14:19:23 UTC 
arm64 stable
Comment 12 Matt Turner gentoo-dev 2018-03-11 05:11:02 UTC 
vim and vim-core done for hppa
Comment 13 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2018-03-12 13:00:29 UTC 
(In reply to Matt Turner from comment #12)
> vim and vim-core done for hppa

Matt any specific reason why gvim was not stabilized for hppa? 

Thanks
Comment 14 Matt Turner gentoo-dev 2018-03-12 13:01:57 UTC 
I don't have X/GTK built yet.
Comment 15 Aaron Bauman (RETIRED) gentoo-dev 2018-04-08 21:11:25 UTC 
GLSA Vote: No

HPPA is stabilized already.

@vim, please drop the vulnerable versions.
Comment 16 Larry the Git Cow gentoo-dev 2018-04-08 21:37:00 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=170bc1bbdbe24c4cac8d00226273838f8f89acf4

commit 170bc1bbdbe24c4cac8d00226273838f8f89acf4
Author:     Patrice Clement <monsieurp@gentoo.org>
AuthorDate: 2018-04-08 21:35:22 +0000
Commit:     Patrice Clement <monsieurp@gentoo.org>
CommitDate: 2018-04-08 21:36:52 +0000

    app-editors/vim: remove vulnerable versions.
    
    Bug: https://bugs.gentoo.org/639710
    Package-Manager: Portage-2.3.24, Repoman-2.3.6

 app-editors/vim/Manifest            |   3 -
 app-editors/vim/vim-8.0.0386.ebuild | 348 ------------------------------------
 app-editors/vim/vim-8.0.1188.ebuild | 309 --------------------------------
 3 files changed, 660 deletions(-)}
Comment 17 Aaron Bauman (RETIRED) gentoo-dev 2018-04-08 22:01:05 UTC 
(In reply to Larry the Git Cow from comment #16)
> The bug has been referenced in the following commit(s):
> 
> https://gitweb.gentoo.org/repo/gentoo.git/commit/
> ?id=170bc1bbdbe24c4cac8d00226273838f8f89acf4
> 
> commit 170bc1bbdbe24c4cac8d00226273838f8f89acf4
> Author:     Patrice Clement <monsieurp@gentoo.org>
> AuthorDate: 2018-04-08 21:35:22 +0000
> Commit:     Patrice Clement <monsieurp@gentoo.org>
> CommitDate: 2018-04-08 21:36:52 +0000
> 
>     app-editors/vim: remove vulnerable versions.
>     
>     Bug: https://bugs.gentoo.org/639710
>     Package-Manager: Portage-2.3.24, Repoman-2.3.6
> 
>  app-editors/vim/Manifest            |   3 -
>  app-editors/vim/vim-8.0.0386.ebuild | 348
> ------------------------------------
>  app-editors/vim/vim-8.0.1188.ebuild | 309 --------------------------------
>  3 files changed, 660 deletions(-)}

Thanks, Patrice!