Bug#523963: vim-common: helpztags allows malicious vim addon packages to run arbitrary commands with root permissions

James Vega jamessan at debian.org
Fri Apr 17 14:54:32 UTC 2009


On Mon, Apr 13, 2009 at 11:10:31PM +0100, Jakub Turski wrote:
> I've also noticed that at the moment the version of this script
> included in Debian allows for a nasty trick. By preparing a vim addon
> debian package that has a help file named something like this:
> '| malicious command |foo.gz'
> you can have 'malicious command' executed as superuser during package
> installation.
> 
> Here's a simple fix for that:
> 
> ----------8<-------------------
> --- ../helpztags	2009-04-13 22:40:15.000000000 +0100
> +++ helpztags	2009-04-13 22:59:16.000000000 +0100
> @@ -53,6 +53,7 @@
>    print "Processing ".$dir."\n";
>    open(TAGSFILE,">tags") || die "Error: Cannot open $dir/tags for writing.\n";
>    foreach $file (<*.{gz,txt}>) {
> +    next unless $file=~m/^[\w.]+(?:gz|txt)$/;
>      do { open(GZ, "zcat $file|") if ($file =~ /\.gz$/) } or open(GZ,$file);
>      while (<GZ>) {
>          # From vim61/src/ex_cmds.c, lines 5034-5036
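Review bot: the added `next unless` guard is an allowlist placed in front of the actual sink, the two-arg pipe open `open(GZ, "zcat $file|")` on the next line, which interpolates the file name into a shell command; pair the guard with the list form `open(GZ, '-|', 'zcat', $file)` so no shell is involved at all, since the allowlist is then defence in depth rather than the only barrier. On the pattern itself, `^[\w.]+(?:gz|txt)$` lacks the literal `\.` before the suffix, and `$` still matches before a trailing newline, so `^[\w.-]+\.(?:gz|txt)\z` is both tighter and admits the hyphenated names the glob already returns.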
> ----------8<-------------------

Thanks for the bug and patch, although [\w.-] is probably a better
choice.  This could still prevent certain legitimate filenames from
being processed, but from a quick search it matches all current,
legitimate filenames.

-- 
James
GPG Key: 1024D/61326D40 2003-09-02 James Vega <jamessan at debian.org>
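The hardened open alongside the [\w.-] allowlist proposed in the reply, as an added example that is not the Debian package's own helpztags code; it assumes the hypothetical helper names help_file_ok and open_help_file, and tightens the anchor from $ to \z:

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Allowlist for help file names: the [\w.-] variant from the reply
# (word characters, dots and hyphens) ending in .txt or .gz.
# \z is used instead of $ so a trailing newline cannot slip past.
sub help_file_ok {
    my ($name) = @_;
    return $name =~ /^[\w.-]+\.(?:gz|txt)\z/ ? 1 : 0;
}

# Open a help file for reading without handing its name to a shell.
# The list form of open() passes 'zcat' and $file as separate argv
# entries, so metacharacters such as '|' in $file are never interpreted.
sub open_help_file {
    my ($file) = @_;
    die "refusing suspicious help file name\n" unless help_file_ok($file);
    my $fh;
    if ($file =~ /\.gz\z/) {
        open($fh, '-|', 'zcat', $file)
            or die "Cannot run zcat on $file: $!\n";
    } else {
        open($fh, '<', $file) or die "Cannot open $file: $!\n";
    }
    return $fh;
}

# Constructed sample names (not from any real package) exercising the check;
# the third one is the name quoted in the bug report.
my @samples = (
    'foo.txt',                      # legitimate
    'vim-addon_help-1.2.gz',        # legitimate, needs the '-'
    '| malicious command |foo.gz',  # rejected: contains ' ' and '|'
    'foo.txt.bak',                  # rejected: wrong suffix
);
for my $name (@samples) {
    printf "%-32s %s\n", $name, help_file_ok($name) ? 'accepted' : 'rejected';
}
```

Running the script only evaluates the allowlist against the sample names; open_help_file is the drop-in replacement for the two-arg open in the loop shown in the patch.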