Bug#523963: vim-common: helpztags allows malicious vim addon packages to run arbitrary commands with root permissions
Jakub Turski
yacoob at gmail.com
Mon Apr 13 22:10:31 UTC 2009
Package: vim-common
Version: 1:7.0-122+1etch3
Severity: important
I was the original author of helpztags, and I've just noticed that it made
its way to the vim-common package (talk about being observant... :) I've
also noticed that at the moment the version of this script included in
Debian allows for a nasty trick. By preparing a vim addon Debian package
that has a help file named something like this:
'| malicious command |foo.gz'
you can have 'malicious command' executed as superuser during package
installation.
Here's a simple fix for that:
----------8<-------------------
--- ../helpztags 2009-04-13 22:40:15.000000000 +0100
+++ helpztags 2009-04-13 22:59:16.000000000 +0100
@@ -53,6 +53,7 @@
print "Processing ".$dir."\n";
open(TAGSFILE,">tags") || die "Error: Cannot open $dir/tags for writing.\n";
foreach $file (<*.{gz,txt}>) {
+ next unless $file=~m/^[\w.]+(?:gz|txt)$/;
do { open(GZ, "zcat $file|") if ($file =~ /\.gz$/) } or open(GZ,$file);
while (<GZ>) {
# From vim61/src/ex_cmds.c, lines 5034-5036
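Review bot: the allow-list on the added line `next unless $file=~m/^[\w.]+(?:gz|txt)$/;` silently skips any help file whose name contains a hyphen or another non-word character, so a legitimate `my-plugin.txt` would simply vanish from the generated tags file with no message; consider `[\w.-]+` and a `warn` for each skipped file. The check also only mitigates the root cause, which is the two-argument opens on the following line, `open(GZ, "zcat $file|")` and `open(GZ,$file)`, both of which let the file name be parsed as a shell command or a pipe: the list form `open(GZ, "-|", "zcat", $file)` and the three-argument `open(GZ, "<", $file)` pass the name as a single argument and close the hole regardless of what the name contains. Finally, `$` in Perl also matches before a trailing newline, so `\z` is the stricter anchor for a file-name check.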
----------8<-------------------
HTH,
KT.
-- System Information:
Debian Release: 4.0
APT prefers oldstable
APT policy: (500, 'oldstable'), (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-6-xen-686
Locale: LANG=pl_PL.UTF-8, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Versions of packages vim-common depends on:
ii libc6 2.3.6.ds1-13etch7 GNU C Library: Shared libraries
Versions of packages vim-common recommends:
ii vim 1:7.0-122+1etch3 Vi IMproved - enhanced vi editor
ii vim-perl 1:7.0-122+1etch3 Vi IMproved - enhanced vi editor -
-- no debconf information
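As an added illustration (not the reporter's patch and not code from vim-common), here is a hardened version of the help-file loop that combines the allow-list check with opens that never go through the shell. It assumes hyphens are legitimate in help-file names, which the reporter's regex does not allow; the file names at the bottom are constructed for the demonstration and no files are created.

```perl
#!/usr/bin/perl
# Added example, not the helpztags script: a hardened version of the loop
# from the bug report. Two defences are combined:
#   1. an allow-list check on the file name (as in the reporter's patch);
#   2. opening files without a shell, using the list form of pipe open and
#      the three-argument open, so a name can never be parsed as a command
#      even if the check were bypassed.
use strict;
use warnings;

# Allow-list: a leading word character, then word characters, dots and
# hyphens, ending in ".gz" or ".txt". The leading \w also means zcat never
# sees an option-like argument. Hyphens are allowed here on the assumption
# that names such as "my-plugin.txt" are legitimate help files.
sub is_safe_help_name {
    my ($file) = @_;
    return $file =~ m/^\w[\w.-]*\.(?:gz|txt)\z/ ? 1 : 0;
}

# Open a help file for reading; returns a filehandle, or nothing when the
# name is rejected or the open fails. "zcat" is run directly (list form,
# no shell), so $file is passed as one argument and shell metacharacters
# in it have no effect; the three-arg open likewise treats '|' as plain.
sub open_help_file {
    my ($file) = @_;
    return unless is_safe_help_name($file);
    my $fh;
    if ($file =~ /\.gz\z/) {
        open($fh, '-|', 'zcat', $file) or return;
    } else {
        open($fh, '<', $file) or return;
    }
    return $fh;
}
# In helpztags the loop body would start with:
#   my $fh = open_help_file($file) or do { warn "skipping $file\n"; next };

# Constructed names used only to exercise the filter; nothing is opened.
my @names = (
    'foo.txt', 'foo.gz', 'my-plugin.txt',
    '| malicious command |foo.gz',   # the case from the bug report
    '$(id).txt', 'spaces in name.txt', '../escape.txt', '-x.gz',
);
for my $n (@names) {
    printf "%-32s %s\n", "'$n'", is_safe_help_name($n) ? 'accepted' : 'rejected';
}
```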