[Full-Disclosure] OpenLinux: vim arbitrary commands execution through modelines

please_reply_to_security_at_sco.com
Date: 04/01/04

    To: security-announce@list.sco.com, bugtraq@securityfocus.com, full-disclosure@lists.netsys.com, security-alerts@linuxsecurity.com
    Date: Wed, 31 Mar 2004 15:44:19 -0800 (PST)
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    ______________________________________________________________________________

                            SCO Security Advisory

    Subject: OpenLinux: vim arbitrary commands execution through modelines
    Advisory number: CSSA-2004-015.0
    Issue date: 2004 March 30
    Cross reference: sr889557 fz528946 erg712560 CAN-2002-1377
    ______________________________________________________________________________

    1. Problem Description

            vim 6.0 and 6.1, and possibly other versions, allow attackers
            to execute arbitrary commands using the libcall feature in
            modelines, which are not sandboxed but may be executed when
            vim is used as an editor for other products such as mutt.
            
            The Common Vulnerabilities and Exposures project (cve.mitre.org)
            has assigned the name CAN-2002-1377 to this issue.

    2. Vulnerable Supported Versions

            System                          Package
            ----------------------------------------------------------------------
            OpenLinux 3.1.1 Server          prior to vim-6.2-1.i386.rpm
                                            prior to vim-X11-6.2-1.i386.rpm
                                            prior to vim-help-6.2-1.i386.rpm
                                            prior to vim-i18n-6.2-1.i386.rpm

            OpenLinux 3.1.1 Workstation     prior to vim-6.2-1.i386.rpm
                                            prior to vim-X11-6.2-1.i386.rpm
                                            prior to vim-help-6.2-1.i386.rpm
                                            prior to vim-i18n-6.2-1.i386.rpm

    3. Solution

            The proper solution is to install the latest packages. Unix
            users with Linux Kernel Personality can use the Caldera System
            Updater, called cupdate (or kcupdate under the KDE environment),
            to update these packages rather than downloading and installing
            them by hand.

    4. OpenLinux 3.1.1 Server

            4.1 Package Location

            ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2004-015.0/RPMS

            4.2 Packages

            2eaf8ff7d07ae09123dff2c16e68df5f vim-6.2-1.i386.rpm
            b9872220a38cad8103089dfe600a188d vim-X11-6.2-1.i386.rpm
            ec819c86427a02d6c8971ca6567efedd vim-help-6.2-1.i386.rpm
            7ff1f641f70fc8fb216e2d683b814400 vim-i18n-6.2-1.i386.rpm

            4.3 Installation

            rpm -Fvh vim-6.2-1.i386.rpm
            rpm -Fvh vim-X11-6.2-1.i386.rpm
            rpm -Fvh vim-help-6.2-1.i386.rpm
            rpm -Fvh vim-i18n-6.2-1.i386.rpm
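
Added example (not part of the SCO advisory): POSIX shell functions that check the downloaded Server packages against the MD5 sums listed in 4.2 and run the 4.3 `rpm -Fvh` commands only if every sum matches. The function names and the download directory argument are assumptions, and `md5sum` is assumed to be on the PATH.

```shell
#!/bin/sh
# Added example: verify packages against section 4.2 before section 4.3.

# Manifest copied from section 4.2 (OpenLinux 3.1.1 Server).
SERVER_MANIFEST='2eaf8ff7d07ae09123dff2c16e68df5f vim-6.2-1.i386.rpm
b9872220a38cad8103089dfe600a188d vim-X11-6.2-1.i386.rpm
ec819c86427a02d6c8971ca6567efedd vim-help-6.2-1.i386.rpm
7ff1f641f70fc8fb216e2d683b814400 vim-i18n-6.2-1.i386.rpm'

# verify_manifest DIR MANIFEST   (hypothetical helper name)
# Returns 0 only if every listed file exists in DIR and matches its MD5 sum.
verify_manifest() {
    dir=$1 manifest=$2 rc=0
    while read -r want name; do
        [ -n "$name" ] || continue          # skip blank manifest lines
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING  $name" >&2; rc=1; continue
        fi
        got=$(md5sum < "$dir/$name" | cut -d' ' -f1)
        if [ "$got" = "$want" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name (got $got)" >&2; rc=1
        fi
    done <<EOF
$manifest
EOF
    return $rc
}

# install_verified DIR MANIFEST   (hypothetical helper name)
# Freshens the packages with rpm -Fvh only after all sums have matched.
install_verified() {
    verify_manifest "$1" "$2" || { echo "refusing to install" >&2; return 1; }
    printf '%s\n' "$2" | while read -r sum name; do
        rpm -Fvh "$1/$name" || exit 1
    done
}

# Usage, with ./RPMS as an assumed download directory:
#   install_verified ./RPMS "$SERVER_MANIFEST"
```

The same functions work for the Workstation packages when given the sums from 5.2 as the manifest.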

            4.4 Source Package Location

            ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2004-015.0/SRPMS

            4.5 Source Packages

            236756ca0c61400c475c8d84622ade61 vim-6.2-1.src.rpm

    5. OpenLinux 3.1.1 Workstation

            5.1 Package Location

            ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2004-015.0/RPMS

            5.2 Packages

            2ebcc5f8e7b0d893b058fc241c7844b5 vim-6.2-1.i386.rpm
            a75f8d7349cfa8e1cb6ba23a0267a7e1 vim-X11-6.2-1.i386.rpm
            f618eaf8d81f2a8ac85ad9c517c28ae5 vim-help-6.2-1.i386.rpm
            cc12e062b2f69bbf2a6c861e0da0749b vim-i18n-6.2-1.i386.rpm

            5.3 Installation

            rpm -Fvh vim-6.2-1.i386.rpm
            rpm -Fvh vim-X11-6.2-1.i386.rpm
            rpm -Fvh vim-help-6.2-1.i386.rpm
            rpm -Fvh vim-i18n-6.2-1.i386.rpm

            5.4 Source Package Location

            ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2004-015.0/SRPMS

            5.5 Source Packages

            85709bfff745aeda4f4aa090cee834e7 vim-6.2-1.src.rpm

    6. References

            Specific references for this advisory:
                    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1377
                    http://lists.netsys.com/pipermail/full-disclosure/2002-December/003330.html
                    http://www.guninski.com/vim1.html

            SCO security resources:
                    http://www.sco.com/support/security/index.html

            This security fix closes SCO incidents sr889557 fz528946
            erg712560.

    7. Disclaimer

            SCO is not responsible for the misuse of any of the information
            we provide on this website and/or through our security
            advisories. Our advisories are a service to our customers intended
            to promote secure installation and use of SCO products.

    8. Acknowledgements

            SCO would like to thank Georgi Guninski.

    ______________________________________________________________________________

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.4 (SCO/UNIX_SVR5)

    iD8DBQFAaicpbluZssSXDTERAtg7AJ9W4yP2cEe57fSBioimvf9bKPUHfQCg0aT+
    ggzOutLoHFA0w4++nB9/G4U=
    =4eTx
    -----END PGP SIGNATURE-----

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

