Bug 164488

Summary: CAN-2005-2368 modelines in vim can own you
Product: [Retired] Fedora Legacy
Reporter: Pavel Kankovsky <peak>
Component: vim
Assignee: Fedora Legacy Bugs <bugs>
Status: CLOSED WONTFIX
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: jpdalbec, sheltren
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
URL: http://www.guninski.com/where_do_you_want_billg_to_go_today_5.html
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-08-30 19:57:07 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Pavel Kankovsky 2005-07-28 08:27:24 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Mozilla rulez!)

Description of problem:
An evil modeline can execute arbitrary shell commands when you open a file with Vim.

Version-Release number of selected component (if applicable):
vim-common-6.1-18.7x.2.3.legacy (rh7.3) vim-common-6.1-29.3.legacy (rh9)

How reproducible:
Always

Steps to Reproduce:
1. echo 'vim: foldmethod=expr:foldexpr=glob("`touch\ /tmp/where_do_you_want_bill_gates_to_go_today\?`")+expand("$(touch$IFS/tmp/where_do_you_want_billg_to_go\?)"):' > /tmp/guninski.txt
   (combination of Georgi's methods 1 and 2)
2. vim +p +q /tmp/guninski.txt 
3. ls -l /tmp/where_do_you_want_*


Additional info:

Verified on RH73 and RH9 (with FL updates). FC1/2 are probably affected as well.

There is an official two-part patch for 6.3 at ftp://ftp.vim.org/pub/vim/patches/6.3/6.3.081 and ftp://ftp.vim.org/pub/vim/patches/6.3/6.3.082

Here is a merged version from Ubuntu (debian/patches/06_modeline_codeexec.diff):
diff -urN vim63/src/os_unix.c vim63.new/src/os_unix.c
--- vim63/src/os_unix.c        2005-07-26 11:16:28.769865769 +0000
+++ vim63.new/src/os_unix.c    2005-07-26 11:16:05.786180086 +0000
@@ -4697,6 +4697,12 @@
     if (!have_wildcard(num_pat, pat))
       return save_patterns(num_pat, pat, num_file, file);
 
+# ifdef HAVE_SANDBOX
+    /* Don't allow any shell command in the sandbox. */
+    if (sandbox != 0 && check_secure())
+      return FAIL;
+# endif
+
     /*
      * Don't allow the use of backticks in secure and restricted mode.
      */
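Review bot: The quoted "merged" diff contains only this single hunk in mch_expand_wildcards() (os_unix.c), while the description cites a two-part upstream fix (6.3.081 and 6.3.082) and the reproducer combines glob() with backticks and expand() with $(...); confirm the second part is present before backporting to 6.1. Note also that the new guard is compiled only under HAVE_SANDBOX and fires only when `sandbox != 0`, so a build without sandbox support falls through to the existing check below, whose comment mentions only backticks in secure and restricted mode.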

The patch appears to modify mch_expand_wildcards(). The 6.1 code looks similar enough to make this patch applicable without any substantial changes.
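As an added example (not from the bug report, the Ubuntu patch or the Vim project): a small scanner that mimics Vim's modeline window (the first and last 5 lines, Vim's default 'modelines' value) and flags modelines that hand shell constructs to glob()/expand(), as in the reproducer above, or that set expression-evaluating options at all. The option-name list is taken from Vim's documentation; the metacharacter regex is a heuristic assumption, and the sample file is constructed.

```python
import re

# Vim looks for modelines only in the first and last N lines (default 'modelines'=5).
MODELINES = 5

# Both modeline forms: "vim: opts" and "vim: set opts:" (also the vi:/ex: spellings).
MODELINE_RE = re.compile(r'(?:^|\s)(?:vi|vim|ex):\s*(?:set?\s+)?(.*)$')

# Options that evaluate Vim expressions; a modeline setting any of them deserves a look.
EXPR_OPTIONS = ('foldexpr', 'fde', 'foldmethod', 'fdm', 'includeexpr', 'inex',
                'indentexpr', 'inde', 'formatexpr', 'fex')

# glob()/expand() fed a backtick or $(...) construct: the CAN-2005-2368 pattern.
SHELL_RE = re.compile(r'\b(?:glob|expand)\s*\(.*?(?:`|\$\(|\$IFS)', re.S)


def candidate_lines(lines):
    """Yield (line_no, text) for exactly the lines Vim would inspect for modelines."""
    n = len(lines)
    seen = set()
    for i in list(range(min(MODELINES, n))) + list(range(max(0, n - MODELINES), n)):
        if i not in seen:
            seen.add(i)
            yield i + 1, lines[i]


def scan_modelines(text):
    """Return a list of (line_no, reason) findings for suspicious modelines."""
    findings = []
    for line_no, line in candidate_lines(text.splitlines()):
        m = MODELINE_RE.search(line)
        if not m:
            continue
        opts = m.group(1)
        if SHELL_RE.search(opts):
            findings.append((line_no, 'modeline calls glob()/expand() with shell metacharacters'))
        elif any(re.search(r'\b%s=' % o, opts) for o in EXPR_OPTIONS):
            findings.append((line_no, 'modeline sets an expression option'))
    return findings


# Constructed sample: a benign modeline at the top and a malicious one at end-of-file.
SAMPLE = "\n".join([
    "# vim: set ts=4 sw=4 et:",
    "some ordinary text", "more text", "", "", "", "",
    'vim: foldmethod=expr:foldexpr=glob("`touch\\ /tmp/x`")+expand("$(touch$IFS/tmp/y)"):',
])

if __name__ == "__main__":
    for line_no, reason in scan_modelines(SAMPLE):
        print("line %d: %s" % (line_no, reason))
```

A modeline placed outside the first/last 5 lines is ignored by the scanner exactly as Vim ignores it, so the window size must match the 'modelines' value actually in use.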

Comment 1 Jeff Sheltren 2005-08-28 12:49:06 UTC
See https://rhn.redhat.com/errata/RHSA-2005-745.html for updated packages.

This affects all legacy distributions.

Comment 2 John Dalbec 2005-09-01 13:10:52 UTC
FYI:
05.30.24 CVE: CAN-2005-2368
Platform: Cross Platform
Title: Vim ModeLines Further Variant Arbitrary Command Execution
Description: Vim is a text editor. It is susceptible to an arbitrary
command execution vulnerability which can be caused by modifying a
text file to include "ModeLines" containing the "glob()" or "expand()"
functions with shell metacharacters. Vim version 6.3.082 is released
to fix this issue.
Ref: http://www.securityfocus.com/advisories/8955 

Comment 3 Jesse Keating 2007-08-30 19:57:07 UTC
Fedora Legacy project has ended.  These will not be fixed by Fedora Legacy.