CVE-2017-17087
First published: Fri Dec 01 2017(Updated: )
fileio.c in Vim prior to 8.0.1263 sets the group ownership of a .swp file to the editor's primary group (which may be different from the group ownership of the original file), which allows local users to obtain sensitive information by leveraging an applicable group membership, as demonstrated by /etc/shadow owned by root:shadow mode 0640, but /etc/.shadow.swp owned by root:users mode 0640, a different vulnerability than CVE-2017-1000382.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Vim Vim | <8.0.1263 | |
| Debian Debian Linux | =8.0 | |
| Debian Debian Linux | =9.0 | |
| Canonical Ubuntu Linux | =16.04 | |
| Canonical Ubuntu Linux | =18.04 | |
| debian/vim | 2:8.2.2434-3+deb11u1 2:9.0.1378-2 2:9.1.0709-2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://openwall.com/lists/oss-security/2017/11/27/2
- http://security.cucumberlinux.com/security/details.php?id=166
- https://github.com/vim/vim/commit/5a73e0ca54c77e067c3b12ea6f35e3e8681e8cf8
- https://groups.google.com/d/msg/vim_dev/sRT9BtjLWMk/BRtSXNU4BwAJ
- https://lists.debian.org/debian-lts-announce/2019/08/msg00003.html
- https://lists.debian.org/debian-lts-announce/2022/01/msg00003.html
- https://usn.ubuntu.com/4582-1/
- https://launchpad.net/bugs/cve/CVE-2017-17087
- https://security-tracker.debian.org/tracker/CVE-2017-17087
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17087
- https://nvd.nist.gov/vuln/detail/CVE-2017-17087
- https://ubuntu.com/security/CVE-2017-17087
Frequently Asked Questions
What is CVE-2017-17087?
CVE-2017-17087 is a vulnerability in Vim prior to version 8.0.1263 that allows local users to obtain sensitive information.
What is the severity of CVE-2017-17087?
The severity of CVE-2017-17087 is medium, with a severity value of 5.5.
How does CVE-2017-17087 affect Vim?
CVE-2017-17087 affects Vim versions prior to 8.0.1263.
How can I fix CVE-2017-17087?
To fix CVE-2017-17087, update Vim to version 8.0.1263 or higher.
Are there any references for CVE-2017-17087?
Yes, you can find references for CVE-2017-17087 at the following links: [1](http://openwall.com/lists/oss-security/2017/11/27/2), [2](http://security.cucumberlinux.com/security/details.php?id=166), [3](https://github.com/vim/vim/commit/5a73e0ca54c77e067c3b12ea6f35e3e8681e8cf8).
- collector/nvd-index
- agent/type
- agent/last-modified-date
- collector/launchpad-cve
- source/Launchpad
- agent/author
- agent/weakness
- agent/severity
- agent/remedy
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- collector/usn-cve
- source/Ubuntu
- agent/references
- agent/description
- agent/first-publish-date
- agent/tags
- agent/event
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- agent/trending
- vendor/vim
- canonical/vim vim
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/8.0
- version/debian debian linux/9.0
- vendor/canonical
- canonical/canonical ubuntu linux
- version/canonical ubuntu linux/16.04
- version/canonical ubuntu linux/18.04
- package-manager/debian