Bugzilla – Bug 1070955
VUL-1: CVE-2017-17087: vim: Sets the group ownership of a .swp file to the editor's primary group, which allows local users to obtain sensitive information
Last modified: 2024-05-08 13:04:40 UTC
CVE-2017-17087 fileio.c in Vim prior to 8.0.1263 sets the group ownership of a .swp file to the editor's primary group (which may be different from the group ownership of the original file), which allows local users to obtain sensitive information by leveraging an applicable group membership, as demonstrated by /etc/shadow owned by root:shadow mode 0640, but /etc/.shadow.swp owned by root:users mode 0640, a different vulnerability than CVE-2017-1000382. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-17087 http://seclists.org/oss-sec/2017/q4/345 http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-17087.html http://www.cvedetails.com/cve/CVE-2017-17087/ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17087 http://security.cucumberlinux.com/security/details.php?id=166 https://github.com/vim/vim/commit/5a73e0ca54c77e067c3b12ea6f35e3e8681e8cf8 https://groups.google.com/d/msg/vim_dev/sRT9BtjLWMk/BRtSXNU4BwAJ http://openwall.com/lists/oss-security/2017/11/27/2
Yes, I am right now working on to port the 8.2 codebase to SLE15
SUSE-SU-2022:2102-1: An update that fixes 45 vulnerabilities is now available. Category: security (important) Bug References: 1070955,1191770,1192167,1192902,1192903,1192904,1193466,1193905,1194093,1194216,1194217,1194388,1194872,1194885,1195004,1195203,1195332,1195354,1196361,1198596,1198748,1199331,1199333,1199334,1199651,1199655,1199693,1199745,1199747,1199936,1200010,1200011,1200012 CVE References: CVE-2017-17087,CVE-2021-3778,CVE-2021-3796,CVE-2021-3872,CVE-2021-3875,CVE-2021-3903,CVE-2021-3927,CVE-2021-3928,CVE-2021-3968,CVE-2021-3973,CVE-2021-3974,CVE-2021-3984,CVE-2021-4019,CVE-2021-4069,CVE-2021-4136,CVE-2021-4166,CVE-2021-4192,CVE-2021-4193,CVE-2021-46059,CVE-2022-0128,CVE-2022-0213,CVE-2022-0261,CVE-2022-0318,CVE-2022-0319,CVE-2022-0351,CVE-2022-0359,CVE-2022-0361,CVE-2022-0392,CVE-2022-0407,CVE-2022-0413,CVE-2022-0696,CVE-2022-1381,CVE-2022-1420,CVE-2022-1616,CVE-2022-1619,CVE-2022-1620,CVE-2022-1733,CVE-2022-1735,CVE-2022-1771,CVE-2022-1785,CVE-2022-1796,CVE-2022-1851,CVE-2022-1897,CVE-2022-1898,CVE-2022-1927 JIRA References: Sources used: openSUSE Leap 15.4 (src): vim-8.2.5038-150000.5.21.1 openSUSE Leap 15.3 (src): vim-8.2.5038-150000.5.21.1 SUSE Manager Server 4.1 (src): vim-8.2.5038-150000.5.21.1 SUSE Manager Retail Branch Server 4.1 (src): vim-8.2.5038-150000.5.21.1 SUSE Manager Proxy 4.1 (src): vim-8.2.5038-150000.5.21.1 SUSE Linux Enterprise Server for SAP 15-SP2 (src): vim-8.2.5038-150000.5.21.1 SUSE Linux Enterprise Server for SAP 15-SP1 (src): vim-8.2.5038-150000.5.21.1 SUSE Linux Enterprise Server for SAP 15 (src): vim-8.2.5038-150000.5.21.1 SUSE Linux Enterprise Server 15-SP2-LTSS (src): vim-8.2.5038-150000.5.21.1 SUSE Linux Enterprise Server 15-SP2-BCL (src): vim-8.2.5038-150000.5.21.1 SUSE Linux Enterprise Server 15-SP1-LTSS (src): vim-8.2.5038-150000.5.21.1 SUSE Linux Enterprise Server 15-SP1-BCL (src): vim-8.2.5038-150000.5.21.1 SUSE Linux Enterprise Server 15-LTSS (src): vim-8.2.5038-150000.5.21.1 SUSE Linux Enterprise Module for Desktop Applications 15-SP4 (src): vim-8.2.5038-150000.5.21.1 SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (src): vim-8.2.5038-150000.5.21.1 SUSE Linux Enterprise Module for Basesystem 15-SP4 (src): vim-8.2.5038-150000.5.21.1 SUSE Linux Enterprise Module for Basesystem 15-SP3 (src): vim-8.2.5038-150000.5.21.1 SUSE Linux Enterprise Micro 5.2 (src): vim-8.2.5038-150000.5.21.1 SUSE Linux Enterprise Micro 5.1 (src): vim-8.2.5038-150000.5.21.1 SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src): vim-8.2.5038-150000.5.21.1 SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src): vim-8.2.5038-150000.5.21.1 SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src): vim-8.2.5038-150000.5.21.1 SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src): vim-8.2.5038-150000.5.21.1 SUSE Linux Enterprise High Performance Computing 15-LTSS (src): vim-8.2.5038-150000.5.21.1 SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): vim-8.2.5038-150000.5.21.1 SUSE Enterprise Storage 7 (src): vim-8.2.5038-150000.5.21.1 SUSE Enterprise Storage 6 (src): vim-8.2.5038-150000.5.21.1 SUSE CaaS Platform 4.0 (src): vim-8.2.5038-150000.5.21.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
The fix is available in the SLE15 Update with 9.0.0313 or newer.
SUSE-SU-2022:4619-1: An update that solves 104 vulnerabilities and has one errata is now available. Category: security (moderate) Bug References: 1070955,1173256,1174564,1176549,1182324,1190533,1190570,1191770,1191893,1192167,1192478,1192481,1192902,1192903,1192904,1193294,1193298,1193466,1193905,1194093,1194216,1194217,1194388,1194556,1194872,1194885,1195004,1195066,1195126,1195202,1195203,1195332,1195354,1195356,1196361,1198596,1198748,1199331,1199333,1199334,1199651,1199655,1199693,1199745,1199747,1199936,1200010,1200011,1200012,1200270,1200697,1200698,1200700,1200701,1200732,1200884,1200902,1200903,1200904,1201132,1201133,1201134,1201135,1201136,1201150,1201151,1201152,1201153,1201154,1201155,1201249,1201356,1201359,1201363,1201620,1201863,1202046,1202049,1202050,1202051,1202414,1202420,1202421,1202511,1202512,1202515,1202552,1202599,1202687,1202689,1202862,1202962,1203110,1203152,1203155,1203194,1203272,1203508,1203509,1203796,1203797,1203799,1203820,1203924,1204779 CVE References: CVE-2009-0316,CVE-2016-1248,CVE-2017-17087,CVE-2017-5953,CVE-2017-6349,CVE-2017-6350,CVE-2021-3778,CVE-2021-3796,CVE-2021-3872,CVE-2021-3875,CVE-2021-3903,CVE-2021-3927,CVE-2021-3928,CVE-2021-3968,CVE-2021-3973,CVE-2021-3974,CVE-2021-3984,CVE-2021-4019,CVE-2021-4069,CVE-2021-4136,CVE-2021-4166,CVE-2021-4192,CVE-2021-4193,CVE-2021-46059,CVE-2022-0128,CVE-2022-0213,CVE-2022-0261,CVE-2022-0318,CVE-2022-0319,CVE-2022-0351,CVE-2022-0359,CVE-2022-0361,CVE-2022-0392,CVE-2022-0407,CVE-2022-0413,CVE-2022-0696,CVE-2022-1381,CVE-2022-1420,CVE-2022-1616,CVE-2022-1619,CVE-2022-1620,CVE-2022-1720,CVE-2022-1733,CVE-2022-1735,CVE-2022-1771,CVE-2022-1785,CVE-2022-1796,CVE-2022-1851,CVE-2022-1897,CVE-2022-1898,CVE-2022-1927,CVE-2022-1968,CVE-2022-2124,CVE-2022-2125,CVE-2022-2126,CVE-2022-2129,CVE-2022-2175,CVE-2022-2182,CVE-2022-2183,CVE-2022-2206,CVE-2022-2207,CVE-2022-2208,CVE-2022-2210,CVE-2022-2231,CVE-2022-2257,CVE-2022-2264,CVE-2022-2284,CVE-2022-2285,CVE-2022-2286,CVE-2022-2287,CVE-2022-2304,CVE-2022-2343,CVE-2022-2344,CVE-2022-2345,CVE-2022-2522,CVE-2022-2571,CVE-2022-2580,CVE-2022-2581,CVE-2022-2598,CVE-2022-2816,CVE-2022-2817,CVE-2022-2819,CVE-2022-2845,CVE-2022-2849,CVE-2022-2862,CVE-2022-2874,CVE-2022-2889,CVE-2022-2923,CVE-2022-2946,CVE-2022-2980,CVE-2022-2982,CVE-2022-3016,CVE-2022-3037,CVE-2022-3099,CVE-2022-3134,CVE-2022-3153,CVE-2022-3234,CVE-2022-3235,CVE-2022-3278,CVE-2022-3296,CVE-2022-3297,CVE-2022-3324,CVE-2022-3352,CVE-2022-3705 JIRA References: Sources used: SUSE OpenStack Cloud Crowbar 9 (src): vim-9.0.0814-17.9.1 SUSE OpenStack Cloud 9 (src): vim-9.0.0814-17.9.1 SUSE Linux Enterprise Server for SAP 12-SP4 (src): vim-9.0.0814-17.9.1 SUSE Linux Enterprise Server 12-SP5 (src): vim-9.0.0814-17.9.1 SUSE Linux Enterprise Server 12-SP4-LTSS (src): vim-9.0.0814-17.9.1 SUSE Linux Enterprise Server 12-SP3-BCL (src): vim-9.0.0814-17.9.1 SUSE Linux Enterprise Server 12-SP2-BCL (src): vim-9.0.0814-17.9.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.