Bug 451759 (CVE-2008-2712)

Summary: CVE-2008-2712 vim: command execution via scripts not sanitizing inputs to execute and system
Product: [Other] Security Response
Component: vulnerability
Reporter: Tomas Hoger <thoger>
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: jlieskov, karsten, kreilly, psplicha, tao
Keywords: Security
Hardware: All
OS: Linux
URL: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2712
Doc Type: Bug Fix
Last Closed: 2009-01-09 08:37:05 UTC
Bug Depends On: 453541, 453542, 453543, 453544, 453545, 453578, 461745
Attachments:
Jan Minar's test suite (flags: none)

Description Tomas Hoger 2008-06-17 07:49:27 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-2712 to the following vulnerability:

Vim 7.1.314, 6.4, and other versions allows user-assisted remote attackers to
execute arbitrary commands via Vim scripts that do not properly sanitize inputs
before invoking the execute or system functions, as demonstrated using (1)
filetype.vim, (2) zipplugin, (3) xpm.vim, (4) gzip_vim, and (5) netrw.

References:
http://www.rdancer.org/vulnerablevim.html
http://www.securityfocus.com/archive/1/archive/1/493352/100/0/threaded
http://www.securityfocus.com/archive/1/archive/1/493353/100/0/threaded
http://marc.info/?l=bugtraq&m=121345541027231&w=4
http://www.openwall.com/lists/oss-security/2008/06/16/2
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=486502
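
A heuristic audit for the pattern described above, added here as an example (it is not code from this bug report, from Vim, or from Jan Minar's test suite): it flags `:execute` and `system()` lines in a Vim script where a scoped variable or an `expand()`-style call appears outside `fnameescape()` or `shellescape()`. The function names, the list of source calls and the sample script are constructed assumptions, and the check is line-based, so hits are places to review rather than confirmed bugs.

```python
import re

# Sinks: :exe[cute] in any abbreviation, or a system() call. Heuristic, line-based.
ESCAPERS = {"fnameescape", "shellescape"}            # Vim built-in escaping functions
SOURCES = {"expand", "bufname", "getline", "input"}  # assumed list of input-bearing calls
STRING = re.compile(r'"(?:[^"\\]|\\.)*"|\'(?:[^\']|\'\')*\'')  # Vim string literals
SINK = re.compile(r"(?<![\w:.#])exe(?:c(?:u(?:te?)?)?)?\b(?!\s*[(=])|\bsystem\s*\(")
TOKEN = re.compile(r"(?P<call>\b\w+)\s*\(|(?P<open>\()|(?P<close>\))"
                   r"|(?P<var>\b[abglstvw]:\w+\b(?!\s*\())")

SAMPLE = '''\
" constructed sample, not taken from any real plugin
function! s:Preview(fname)
  execute "edit " . a:fname
  let l:out = system("file " . a:fname)
  exe "silent !gzip -d " . expand("%")
  execute "edit " . fnameescape(a:fname)
  let l:ok = system("file " . shellescape(a:fname))
endfunction
'''

def unescaped_operands(expr):
    """Return variables/source calls in expr that sit outside any escaping call."""
    found, stack = [], []  # stack: name of the call that owns each open paren
    for m in TOKEN.finditer(expr):
        guarded = any(name in ESCAPERS for name in stack)
        if m["call"] or m["open"]:
            name = m["call"] or ""
            if name in SOURCES and not guarded:
                found.append(name + "()")
            stack.append(name)
        elif m["close"]:
            del stack[-1:]  # pop, tolerating unbalanced input
        elif not guarded:
            found.append(m["var"])
    return found

def audit(script):
    """Return [(line_number, [unescaped operands])] for each suspicious line."""
    findings = []
    for lineno, raw in enumerate(script.splitlines(), start=1):
        line = "" if raw.lstrip().startswith('"') else STRING.sub('""', raw)
        sink = SINK.search(line)
        operands = unescaped_operands(line[sink.start():]) if sink else []
        if operands:
            findings.append((lineno, operands))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```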

Comment 3 Marc Schoenefeld 2008-07-01 09:10:29 UTC
Patch available at ftp://ftp.vim.org/pub/vim/patches/7.1/7.1.299

Comment 8 Tomas Hoger 2008-07-11 14:50:18 UTC
Created attachment 311587
Jan Minar's test suite

Downloaded from: http://www.rdancer.org/vulnerablevim.tar.bz2
At: Fri Jul 11 14:48:38 UTC 2008

Comment 9 Tomas Hoger 2008-07-14 13:45:50 UTC
Consolidated test suite tarball with tests from vulnerablevim.html and
vulnerablevim-netrw.html (see bug #455023) available at:

  http://www.rdancer.org/vulnerablevim.2008-07-13.tar.bz2


Comment 10 Tomas Hoger 2008-07-14 13:50:28 UTC
tar.vim and zip.vim plugins are only shipped in vim 7.x versions, so those
issues only affect vim versions as shipped in Red Hat Enterprise Linux 5.

netrw test is successful on all vim versions in all versions of Red Hat
Enterprise Linux.  However, on vim versions shipped in Red Hat Enterprise Linux
2.1, 3, and 4, the problem triggered by the test case is not in netrw, but in the
explorer.vim plugin.

All other issues (filetype, xpm, gzip) affect all vim versions as shipped in Red
Hat Enterprise Linux 2.1, 3, 4, and 5.

Comment 13 Tomas Hoger 2008-07-24 16:03:40 UTC
Index page with all Jan Minar's advisories:
  http://www.rdancer.org/vulnerablevim-index.html

Comment 16 Jan Lieskovsky 2008-09-11 14:01:34 UTC
*** Bug 461745 has been marked as a duplicate of this bug. ***