CVE-2017-1000382

Priority
Description
VIM version 8.0.1187 (and other versions most likely) ignores umask when
creating a swap file ("[ORIGINAL_FILENAME].swp") resulting in files that
may be world readable or otherwise accessible in ways not intended by the
user running the vi binary.
Notes
leosilvaI could reproduce following openwall steps
after apply the patch community put available
and repeat the steps in openwall I still got
the same bug behaviour so not sure if patch fix it waiting any comment from community
I could confirm with upstream the patch debian put available from upstream doesn't fix the issue
msalvatoreIgnoring this CVE. Bram Moolenar (vim's BDFL) had this to say:
1) The permissions are the same as the original file, and that is exactly how it should be.
2) This is working as intended, Vim does not use umask this way. Umask is only used by
simple commands such as cp, not by long running processes that deal with many files.
Problem is with the user expectations.
Package
Source: vim (LP Ubuntu Debian)
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):ignored (upstream disputes CVE)
Ubuntu 14.04 ESM (Trusty Tahr):ignored (upstream disputes CVE)
Ubuntu 16.04 LTS (Xenial Xerus):ignored (upstream disputes CVE)
Ubuntu 18.04 LTS (Bionic Beaver):ignored (upstream disputes CVE)
Ubuntu 19.04 (Disco Dingo):ignored (upstream disputes CVE)
More Information

Updated: 2019-12-05 18:47:27 UTC (commit dd38ff22974aae499eb50644b9d5a2817483cbdb)