Bug#523963: vim-common: helpztags allows malicious vim addon packages to run arbitrary commands with root permissions
James Vega
jamessan at debian.org
Fri Apr 17 14:54:32 UTC 2009
On Mon, Apr 13, 2009 at 11:10:31PM +0100, Jakub Turski wrote:
> I've also noticed that at the moment the version of this script
> included in Debian allows for a nasty trick. By preparing a vim addon
> debian package that has a help file named something like this:
> '| malicious command |foo.gz'
> you can have 'malicious command' executed as superuser during package
> installation.
>
> Here's a simple fix for that:
>
> ----------8<-------------------
> --- ../helpztags 2009-04-13 22:40:15.000000000 +0100
> +++ helpztags 2009-04-13 22:59:16.000000000 +0100
> @@ -53,6 +53,7 @@
> print "Processing ".$dir."\n";
> open(TAGSFILE,">tags") || die "Error: Cannot open $dir/tags for writing.\n";
> foreach $file (<*.{gz,txt}>) {
> + next unless $file=~m/^[\w.]+(?:gz|txt)$/;
> do { open(GZ, "zcat $file|") if ($file =~ /\.gz$/) } or open(GZ,$file);
> while (<GZ>) {
> # From vim61/src/ex_cmds.c, lines 5034-5036
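Review bot: The added filter on the `next unless` line treats the symptom while the context line below it keeps the root cause: `open(GZ, "zcat $file|")` and the fallback `open(GZ,$file)` are both two-argument opens, so Perl parses the filename string for pipe and redirection syntax. Switching them to list-form / three-argument opens, e.g. `open(GZ, '-|', 'zcat', $file)` and `open(GZ, '<', $file)`, would make the name plain data regardless of what the glob returns, and the regex would then be belt-and-braces rather than the only barrier. Two smaller points on the regex itself: `[\w.]` rejects the `-` that appears in real help filenames, and `(?:gz|txt)$` neither requires a literal `.` before the extension nor (because `$` matches before a trailing newline) rejects a name ending in `\n`; `[\w.-]+\.(?:gz|txt)\z` would be tighter.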
> ----------8<-------------------
Thanks for the bug and patch, although [\w.-] is probably a better
choice. This could still prevent certain legitimate filenames from
being processed, but from a quick search it matches all current,
legitimate filenames.
--
James
GPG Key: 1024D/61326D40 2003-09-02 James Vega <jamessan at debian.org>
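For readers following the thread, here is a small stand-alone Perl example (added here; it is not the Debian helpztags script and not code from either poster) showing the two defences discussed above side by side: the filename whitelist with James's `[\w.-]` character class, tightened to require a literal `.gz`/`.txt` extension and to use `\z` instead of `$`, plus list-form and three-argument `open` calls so the filename is never parsed for shell or pipe syntax in the first place. The function names and the sample filenames are this example's own constructions.

```perl
#!/usr/bin/perl
# Added example, not the helpztags script: a hardened version of the
# file-opening step discussed in Bug#523963. Two independent defences:
#   1. a filename whitelist (the [\w.-] class suggested in the reply), and
#   2. opening files in a way that never treats the name as shell syntax:
#      three-argument open() for plain files and list-form pipe open for
#      zcat, so a name such as '| malicious command |foo.gz' reaches open()
#      as data, never as a command to run.
use strict;
use warnings;

# True only for names helpztags should process. Names are assumed to be
# bare basenames (no directory part), as produced by the <*.{gz,txt}> glob.
# \z rather than $ so a trailing newline in the name is also rejected.
sub is_safe_help_filename {
    my ($file) = @_;
    return $file =~ m/^[\w.-]+\.(?:gz|txt)\z/ ? 1 : 0;
}

# Open a help file for reading, decompressing .gz via zcat without a shell.
# Hypothetical helper name; returns a filehandle or dies.
sub open_help_file {
    my ($file) = @_;
    die "Refusing to process suspicious filename: $file\n"
        unless is_safe_help_filename($file);
    my $fh;
    if ($file =~ /\.gz\z/) {
        # List-form piped open: zcat receives $file as one argv element,
        # so '|', ';', spaces and the like inside it have no effect.
        open($fh, '-|', 'zcat', $file)
            or die "Error: Cannot run zcat on $file: $!\n";
    } else {
        # Three-argument open with an explicit mode: the name is never
        # inspected for '|', '>' or other two-argument-open specials.
        open($fh, '<', $file)
            or die "Error: Cannot open $file: $!\n";
    }
    return $fh;
}

# Self-check on constructed filenames; no files are touched here.
my @cases = (
    ['eval.txt'                    => 1],
    ['my-plugin.txt.gz'            => 1],   # '-' is allowed with [\w.-]
    ['| malicious command |foo.gz' => 0],   # the name from the bug report
    ['foo.gz|'                     => 0],
    ['../etc/passwd.txt'           => 0],   # '/' is not in the class
    ["foo.txt\n"                   => 0],   # rejected thanks to \z
);
for my $case (@cases) {
    my ($name, $expected) = @$case;
    (my $shown = $name) =~ s/\n/\\n/g;      # keep the report on one line
    my $got = is_safe_help_filename($name);
    printf "%-32s %s\n", "'$shown'", $got == $expected ? 'ok' : 'MISMATCH';
}
```

Running it prints `ok` for every case. The point of the second defence is that it does not depend on the whitelist being complete: even if a future legitimate filename forces the regex to be loosened, the list-form `open` still cannot turn a filename into a command.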