Bug 461927 (CVE-2008-4101)
Summary: | CVE-2008-4101 vim: arbitrary code execution in commands: K, Control-], g]
---|---
Product: | [Other] Security Response
Component: | vulnerability
Reporter: | Jan Lieskovsky <jlieskov>
Assignee: | Red Hat Product Security <security-response-team>
Status: | CLOSED ERRATA
Severity: | medium
Priority: | medium
Version: | unspecified
CC: | karsten, kreilly, mjc, psplicha
Keywords: | Security
Hardware: | All
OS: | Linux
Doc Type: | Bug Fix
Last Closed: | 2009-01-09 08:36:16 UTC
Bug Depends On: | 465813, 465814, 465815, 465817, 465818, 465819

Description
Jan Lieskovsky
2008-09-11 14:11:12 UTC
The patch mentioned above is incomplete. Jan Minar has provided v3 of the patch, for the K-shell command Vim issue, available at:

http://groups.google.com/group/vim_dev/attach/9290f26f9bc11b33/K-arbitrary-command-execution.patch.v3?part=2

Yet another Vim upstream patch, also facing this issue is:

http://ftp.vim.org/pub/vim/patches/7.2/7.2.010

More detailed steps to reproduce the "xclock" issue:

1, Open a new file via Vim: vim /tmp/somenewfile
2, In Vim normal mode type: :set iskeyword=;,@
3, Switch to Vim insert mode and type/insert into file: ;xclock
4, Switch back to Vim normal mode and with cursor present on the "xclock" substring press the "K" key

Actual result: The xclock command is executed / displayed.

Expected result: The manual page for the 'xclock' command should be displayed.

More detailed steps to reproduce the creation of "pwned" file issue:

1, Open a new file via Vim: vim /tmp/anothernewfile
2, In normal Vim mode type: :set iskeyword=1-255
3, Switch to Vim insert mode and type/insert into file: ;date->pwned
4, Switch back to Vim normal mode and with cursor present on the "date" substring press the "K" key

Actual result: File with name "pwned" is created in cwd:

    # ls -l pwned
    -rw-r--r-- 1 root root 0 Oct 6 10:19 pwned

Expected result: No file created.

This issue was addressed in:

Red Hat Enterprise Linux:

http://rhn.redhat.com/errata/RHSA-2008-0580.html
http://rhn.redhat.com/errata/RHSA-2008-0617.html
http://rhn.redhat.com/errata/RHSA-2008-0618.html

Fedora (updated to upstream 7.2.060):

https://admin.fedoraproject.org/updates/F9/FEDORA-2008-10587
https://admin.fedoraproject.org/updates/F10/FEDORA-2008-10644
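
The reproduction steps above rely on the word under the cursor reaching a shell with its metacharacters (";", ">") intact. As an added example, not Vim's code and not taken from either patch referenced in this bug, the following C shows one way to make such a word a single literal argument before it is placed in a command line. It assumes a POSIX shell; `shell_quote` and `build_lookup_cmd` are hypothetical helper names.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return a malloc'd copy of `word` wrapped in single quotes for a POSIX
 * shell; each embedded ' becomes '\'' so the word stays one literal
 * argument. Caller frees. Returns NULL on allocation failure. */
char *shell_quote(const char *word)
{
    size_t len = 2;                       /* opening and closing quote */
    for (const char *p = word; *p; p++)
        len += (*p == '\'') ? 4 : 1;
    char *out = malloc(len + 1);
    if (out == NULL)
        return NULL;
    char *q = out;
    *q++ = '\'';
    for (const char *p = word; *p; p++) {
        if (*p == '\'') { memcpy(q, "'\\''", 4); q += 4; }
        else *q++ = *p;
    }
    *q++ = '\'';
    *q = '\0';
    return out;
}

/* Build "<prog> <quoted word>" (hypothetical helper; prog is e.g. "man"). */
char *build_lookup_cmd(const char *prog, const char *word)
{
    char *quoted = shell_quote(word);
    if (quoted == NULL)
        return NULL;
    size_t n = strlen(prog) + 1 + strlen(quoted) + 1;
    char *cmd = malloc(n);
    if (cmd != NULL)
        snprintf(cmd, n, "%s %s", prog, quoted);
    free(quoted);
    return cmd;
}

int main(void)
{
    /* Constructed input: the word from the second reproduction above. */
    char *cmd = build_lookup_cmd("man", ";date->pwned");
    if (cmd != NULL) { puts(cmd); free(cmd); }
    return 0;
}
```

Quoting only stops the shell from interpreting the word; a word that begins with "-" can still be read as an option by the program that receives it.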