stable-security update of vim

James Vega jamessan at debian.org
Tue Feb 3 20:42:38 UTC 2009


Quick followup to cover what Steffen and I talked about on IRC and to
leave pointers for myself as I work on the update.

On Thu, Jan 29, 2009 at 11:32:55AM -0500, Steffen Joeris wrote:
> CVE-2008-2712[0]:
> | Vim 7.1.314, 6.4, and other versions allows user-assisted remote
> | attackers to execute arbitrary commands via Vim scripts that do not
> | properly sanitize inputs before invoking the execute or system
> | functions, as demonstrated using (1) filetype.vim, (2) zipplugin, (3)
> | xpm.vim, (4) gzip_vim, and (5) netrw.

I'm currently working on this.  The source fixes and runtime fixes for
everything other than netrw should be relatively easy to backport.

netrw will likely be quite time consuming to get a proper patch.  The
script is rather large and there are various, slightly different
instances of problematic code.  netrw also underwent significant changes
between the version in 7.0 and 7.1.

That, combined with netrw's vulnerabilities being less likely to be
encountered since they rely on strange filenames instead of file
contents, makes me wary of including its fixes in the upload.

> CVE-2008-3074[1]:
> | ** RESERVED **
> | This candidate has been reserved by an organization or individual that
> | will use it when announcing a new security problem.  When the
> | candidate has been publicized, the details for this candidate will be
> | provided.

tar.vim -- Commit a80fc38c

> CVE-2008-3075[2]:
> | ** RESERVED **
> | This candidate has been reserved by an organization or individual that
> | will use it when announcing a new security problem.  When the
> | candidate has been publicized, the details for this candidate will be
> | provided.

zip.vim -- Commit e39dfd12

> CVE-2008-3076[3]:
> | ** RESERVED **
> | This candidate has been reserved by an organization or individual that
> | will use it when announcing a new security problem.  When the
> | candidate has been publicized, the details for this candidate will be
> | provided.

Covered in the fix for CVE-2008-2712 but, as mentioned earlier, I'm
dubious about the worthiness of trying to backport this fix.

> CVE-2008-4101[4]:
> | Vim 3.0 through 7.x before 7.2.010 does not properly escape
> | characters, which allows user-assisted attackers to (1) execute
> | arbitrary shell commands by entering a K keystroke on a line that
> | contains a ";" (semicolon) followed by a command, or execute arbitrary
> | Ex commands by entering an argument after a (2) "Ctrl-]" (control
> | close-square-bracket) or (3) "g]" (g close-square-bracket) keystroke
> | sequence, a different issue than CVE-2008-2712.

Fixed by upstream patches 7.2.010 (and 7.2.026 to restore proper
functionality after 7.2.010).

> For the reserved issues, there is a bugreport in the BTS with more 
> information.

#506919

> We would like to issue a DSA for these CVEs and were wondering whether you as
> the maintainers could provide packages for stable-security?

Sure thing.  Any comment on backporting the netrw fixes or does it boil
down to how complicated the changes are?  For now, I'll work on
everything but netrw.

-- 
James
GPG Key: 1024D/61326D40 2003-09-02 James Vega <jamessan at debian.org>
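The pattern behind CVE-2008-2712, as described in the quoted advisory above, is a runtime script that builds a shell command or an Ex command from a filename without escaping it. The following is an added illustration, not code from this mail, from the Debian package or from Vim's own runtime files (filetype.vim, zipplugin, gzip_vim, netrw). The function names WeakDecompress, SafeDecompress, WeakEdit and SafeEdit are hypothetical, and the example assumes a Vim that provides shellescape() and fnameescape(); older 7.0/7.1 builds may lack one or both, which is part of why the backport is more work than a straight patch apply.

```vim
" Added example, not from the original mail or from Vim's runtime files.
" Shows the unescaped pattern behind CVE-2008-2712 next to the escaped form.
" WeakDecompress/SafeDecompress/WeakEdit/SafeEdit are hypothetical names.

" Weak form: the buffer name is concatenated straight into a shell command.
" The shell re-parses the whole string, so any shell metacharacters in the
" name (quotes, backticks, semicolons, ...) are interpreted, not passed through.
function! WeakDecompress(fname)
  call system("gzip -d " . a:fname)
endfunction

" Hardened form: shellescape() quotes the argument for the shell named by
" 'shell', so the name reaches gzip as a single literal argument.
function! SafeDecompress(fname)
  call system("gzip -d " . shellescape(a:fname))
endfunction

" Weak form for Ex commands: :execute re-parses the string as a command
" line, so '|' or whitespace in the name becomes a second command or extra
" arguments rather than part of the file name.
function! WeakEdit(fname)
  execute "edit " . a:fname
endfunction

" Hardened form: fnameescape() escapes the characters that are special in
" a file name argument to an Ex command (see :help fnameescape()).
function! SafeEdit(fname)
  execute "edit " . fnameescape(a:fname)
endfunction

" Guard for scripts that must still load on a Vim without these functions:
" the fallback refuses rather than silently running the unescaped variant.
function! SafeEditIfPossible(fname)
  if exists('*fnameescape')
    call SafeEdit(a:fname)
  else
    echoerr "fnameescape() unavailable; refusing to :execute an unescaped name"
  endif
endfunction
```

The check a reviewer of a backport would apply is mechanical: every `system(` and `execute` call in the script whose argument includes a buffer name, a path or any other externally supplied string must pass it through `shellescape()` or `fnameescape()` respectively, and the `exists('*...')` guard matters on the older stable releases the mail is targeting.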