Re: [USN-52-1] vim vulnerability

From: Liu Die Yu (liudieyu_at_umbrella.name)
Date: 12/24/04

    Date: Fri, 24 Dec 2004 12:31:12 +0800
    To: Martin Pitt <martin.pitt@canonical.com>
    
    

    the credit really should go to Georgi Guninski who said:
    ----------
    [...]
    Opening a specially crafted text file with vim can execute arbitrary
    shell commands and pass parameters to them.
    [...]
    The problem is the so-called modelines, which can execute some commands in
    vim, though they are intended to be sandboxed.
    [...]
    ----------
    and provided a working demo:
    ----------
    /* vim:set foldmethod=expr: */
    /* vim:set
    foldexpr=confirm(libcall("/lib/libc.so.6","system","/bin/ls"),"ms_sux"): */

    vim better than windoze
    ----------
    in 2002 at
    http://www.guninski.com/vim1.html

    BTW, I really want to see a video showing an advanced VIM typer editing text
    extremely fast. It can be good material to convince newbies to use VIM.

    http://editive.com/referrer

    Martin Pitt wrote:

    >===========================================================
    >Ubuntu Security Notice USN-52-1 December 23, 2004
    >vim vulnerability
    >CAN-2004-1138
    >===========================================================
    >
    >A security issue affects the following Ubuntu releases:
    >
    >Ubuntu 4.10 (Warty Warthog)
    >
    >The following packages are affected:
    >
    >kvim
    >vim
    >vim-gnome
    >vim-gtk
    >vim-lesstif
    >vim-perl
    >vim-python
    >vim-tcl
    >
    >The problem can be corrected by upgrading the affected package to
    >version 1:6.3-025+1ubuntu2.1. In general, a standard system upgrade is
    >sufficient to effect the necessary changes.
    >
    >Details follow:
    >
    >Ciaran McCreesh found several vulnerabilities related to the use of
    >options in Vim modeline commands, such as 'termcap', 'printdevice',
    >'titleold', 'filetype', 'syntax', 'backupext', 'keymap', 'patchmode',
    >and 'langmenu'.
    >
    >If an attacker tricked a user to open a file with a specially crafted
    >modeline, he could exploit this to execute arbitrary commands with the
    >user's privileges.
    >
    >
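
As a defensive counterpart to the thread above, the following Python scanner (an added example, not part of the original posts or of Vim) checks the lines Vim would inspect for modelines and flags the options named in USN-52-1, plus the `foldexpr` setting from the 2002 demo. The regex is a simplified approximation of Vim's modeline grammar; `parse_modeline`, `scan` and the sample inputs are constructed for illustration.

```python
import re

# Options named in USN-52-1, plus foldexpr from the 2002 demo quoted above.
RISKY = {"termcap", "printdevice", "titleold", "filetype", "syntax", "backupext",
         "keymap", "patchmode", "langmenu", "foldexpr"}
# Vim short names for those options.
ABBREV = {"pdev": "printdevice", "ft": "filetype", "syn": "syntax",
          "bex": "backupext", "kmp": "keymap", "pm": "patchmode",
          "lm": "langmenu", "fde": "foldexpr"}
MODELINES = 5  # Vim's default 'modelines': lines checked at each end of a file

# "vi:", "vim:", "ex:" (optionally version-qualified "vim700:"), then optional "se[t] "
MODELINE_RE = re.compile(r"(?:^|\s)(?:vi|[vV]im(?:[<=>]?\d+)?|ex):\s*(set?\s+)?(.*)$")

def parse_modeline(line):
    """Return {option: value} for a modeline, or None if the line has none."""
    m = MODELINE_RE.search(line)
    if not m:
        return None
    is_set, body = m.groups()
    if is_set:   # "vim: set a=1 b=2: trailing text" ends at the first unescaped ':'
        parts = re.split(r"(?<!\\):", body, maxsplit=1)[0].split()
    else:        # "vim: a=1:b=2" separates options with ':' or whitespace
        parts = re.split(r"(?<!\\)[:\s]+", body)
    opts = {}
    for part in filter(None, parts):
        name, _, value = part.partition("=")
        opts[name.rstrip("+-^")] = value   # also covers "opt+=val" forms
    return opts

def scan(text):
    """List (line_no, option, value) for risky modeline settings Vim would read."""
    lines = text.splitlines()
    n = len(lines)
    window = set(range(min(MODELINES, n))) | set(range(max(0, n - MODELINES), n))
    findings = []
    for i in sorted(window):
        for name, value in (parse_modeline(lines[i]) or {}).items():
            full = ABBREV.get(name, name)
            if full in RISKY or "(" in value:   # "(" marks an expression value
                findings.append((i + 1, full, value))
    return findings

# Constructed samples (not taken from the advisory).
SAMPLE_BENIGN = "#!/usr/bin/env python\n# vim: ts=4 sw=4 et\nprint('hi')\n"
_body = ["line %d" % k for k in range(1, 13)]
_body[5] = "# vim: set patchmode=.x:"        # line 6: outside both 5-line windows
_body[11] = "/* vim: set fdm=expr fde=strlen(getline(1)) pm=.bak: */"
SAMPLE_SUSPECT = "\n".join(_body)

if __name__ == "__main__":
    print(scan(SAMPLE_BENIGN), scan(SAMPLE_SUSPECT))
```

Setting `nomodeline` in the user's vimrc disables modeline processing altogether.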

