Bug 467439 (CVE-2008-3076, CVE-2008-6235)
| Summary: | CVE-2008-6235 Vim netrw.vim plugin: lack of sanitization throughout netrw.vim can lead to arbitrary code execution | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Jan Lieskovsky <jlieskov> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | karsten, kreilly, psplicha, thoger |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2009-01-09 08:34:51 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 467453, 467454 | ||
| Bug Blocks: | |||
Description
Jan Lieskovsky
2008-10-17 14:19:24 UTC
This issue does not affect the versions of the Vim package, as shipped with Red Hat Enterprise Linux 2.1, 3 and 4. This issue affects the version of the Vim package as shipped with Red Hat Enterprise Linux 5 and Fedora releases 8 and 9 (only Vim 7.0 and Vim 7.1 are vulnerable to these issues). This issue does not affect the version of the Vim package as shipped with Fedora rawhide (already fixed in Vim 7.2 and netrw.vim 132).

*** Bug 455023 has been marked as a duplicate of this bug. ***

Attaching netrw.vim plugin code differences between versions v.111 and v.132 for the 'mz' command issue (the relevant affected code function is NetrwMarkFileCompress()):

netrw.vim 111:
```vim
for sfx in sort(keys(g:netrw_decompress))
 if fname =~ '\'.sfx.'$'
  " fname has a suffix indicating that its compressed; apply associated decompression routine
  let exe= g:netrw_decompress[sfx]
"  call Decho("fname<".fname."> is compressed so decompress with <".exe.">")
  if executable(exe)
   if a:islocal
    call system(exe." ".fname)
   else
    call s:RemoteSystem(exe." ".fname)
   endif
  else
   call netrw#ErrorMsg(s:WARNING,"unable to apply<".exe."> to file<".fname.">",50)
  endif
  break
 endif
endfor
if exists("exe")
 unlet exe
elseif a:islocal
 " fname not a compressed file, so compress it
 call system(g:netrw_compress." ".fname)
else
 " fname not a compressed file, so compress it
 call s:RemoteSystem(g:netrw_compress." ".fname)
endif
endfor
```
netrw.v132:
```vim
for sfx in sort(keys(g:netrw_decompress))
 if fname =~ '\'.sfx.'$'
  " fname has a suffix indicating that its compressed; apply associated decompression routine
  let exe= s:WinPath(g:netrw_decompress[sfx])
"  call Decho("fname<".fname."> is compressed so decompress with <".exe.">")
  if a:islocal
   if g:netrw_keepdir
    let fname= shellescape(s:ComposePath(curdir,fname))
   endif
  else
   let fname= shellescape(b:netrw_curdir.fname,1)
  endif
  if executable(exe)
   if a:islocal
    call system(exe." ".fname)
   else
    call s:RemoteSystem(exe." ".fname)
   endif
  else
   call netrw#ErrorMsg(s:WARNING,"unable to apply<".exe."> to file<".fname.">",50)
  endif
  break
 endif
endfor
if exists("exe")
 unlet exe
elseif a:islocal
 " fname not a compressed file, so compress it
 call system(s:WinPath(g:netrw_compress)." ".shellescape(s:ComposePath(b:netrw_curdir,fname)))
else
 " fname not a compressed file, so compress it
 call s:RemoteSystem(s:WinPath(g:netrw_compress)." ".shellescape(fname))
endif
endfor
```
i.e. on Unix systems, the calls for "s:ComposePath(b:netrw_curdir,fname)" and "fname" were prefixed with "shellescape(s:ComposePath(b:netrw_curdir,fname))" and "shellescape(fname)" respectively.
Attaching netrw.vim plugin code differences between versions v.122 and v.132 for the 'mc' command issue (the relevant affected function is called NetrwMarkFileCopy):

netrw.v122:
```vim
if a:islocal && s:netrwmfloc
 " local to local copy
" call Decho("local to local copy: from b:netrw_curdir<".b:netrw_curdir."> fname<".fname."> to s:netrwmftgt<".s:netrwmftgt.">")
 if executable(g:netrw_localcopycmd)
"  call Decho("let ret= system(".g:netrw_localcopycmd." ".s:ComposePath(b:netrw_curdir,fname)." ".s:netrwmftgt.")")
  let ret= system(g:netrw_localcopycmd." ".s:ComposePath(curdir,fname)." ".s:netrwmftgt)
  if v:shell_error < 0
   call netrw#ErrorMsg(s:ERROR,"command<".g:netrw_localcopycmd."> failed, aborting",54)
   break
  endif
 else
  call netrw#ErrorMsg(s:ERROR,"command<".g:netrw_localcopycmd."> is not executable!",57)
  break
 endif
```
netrw.v132:
```vim
if a:islocal && s:netrwmftgt_islocal
 " Copy marked files, local directory to local directory
" call Decho("copy from local to local")
 let args= join(map(deepcopy(s:netrwmarkfilelist_{bufnr('%')}),"shellescape(b:netrw_curdir.\"/\".v:val)"))
" call Decho("system(".g:netrw_localcopycmd." ".args." ".shellescape(s:netrwmftgt).")")
 call system(s:WinPath(g:netrw_localcopycmd)." ".args." ".shellescape(s:netrwmftgt))
```
i.e. the relevant functions were replaced by their 'shellescape()-ed' alternatives.
Attaching netrw.vim code differences for the 'D' command issue between versions netrw.vim v.122 and netrw.vim v.132 - the relevant affected code function is called NetrwLocalRmFile:

netrw.v122:
```vim
if all || ok =~ 'y\%[es]' || ok == ""
" call Decho("1st attempt: system(".g:netrw_local_rmdir.' "'.rmfile.'")')
 call s:System("system",g:netrw_local_rmdir.' "'.rmfile.'"')
" call Decho("v:shell_error=".v:shell_error)
```
netrw.v132:
```vim
if all || ok =~ 'y\%[es]' || ok == ""
" call Decho("1st attempt: system(s:WinPath(".g:netrw_local_rmdir.') '.shellescape(rmfile).')')
 call system(s:WinPath(g:netrw_local_rmdir).' '.shellescape(rmfile))
" call Decho("v:shell_error=".v:shell_error)
```
i.e. the provided 'rmfile' argument was replaced with its shellescape()-ed alternative.
Attaching netrw.vim code differences for the 'arbitrary code execution due to insufficient directory name sanitization when opening directory' issue (http://www.rdancer.org/vulnerablevim-netrw.v5.html) between versions v.122 and v.132 -- the relevant affected code function is called BrowserMaps().

netrw.v122:

```vim
if g:netrw_mousemaps == 1
 nnoremap <buffer> <silent> <leftmouse> <leftmouse>:call <SID>NetrwLeftmouse(1)<cr>
 nnoremap <buffer> <silent> <middlemouse> <leftmouse>:call <SID>NetrwPrevWinOpen(1)<cr>
 nnoremap <buffer> <silent> <s-leftmouse> <leftmouse>:call <SID>NetrwMarkFile(1,<SID>NetrwGetWord())<cr>
 exe 'nnoremap <buffer> <silent> <rightmouse> <leftmouse>:call <SID>NetrwLocalRm("'.b:netrw_curdir.'")<cr>'
 exe 'vnoremap <buffer> <silent> <rightmouse> <leftmouse>:call <SID>NetrwLocalRm("'.b:netrw_curdir.'")<cr>'
endif
exe 'nnoremap <buffer> <silent> <del> :call <SID>NetrwLocalRm("'.b:netrw_curdir.'")<cr>'
exe 'vnoremap <buffer> <silent> <del> :call <SID>NetrwLocalRm("'.b:netrw_curdir.'")<cr>'
exe 'nnoremap <buffer> <silent> D :call <SID>NetrwLocalRm("'.b:netrw_curdir.'")<cr>'
exe 'vnoremap <buffer> <silent> D :call <SID>NetrwLocalRm("'.b:netrw_curdir.'")<cr>'
exe 'nnoremap <buffer> <silent> R :call <SID>NetrwLocalRename("'.b:netrw_curdir.'")<cr>'
exe 'vnoremap <buffer> <silent> R :call <SID>NetrwLocalRename("'.b:netrw_curdir.'")<cr>'
exe 'nnoremap <buffer> <silent> <Leader>m :call <SID>NetrwMakeDir("")<cr>'
nnoremap <buffer> <F1> :he netrw-dir<cr>
```

netrw.v132:

```vim
if g:netrw_mousemaps == 1
 nnoremap <buffer> <silent> <leftmouse> <leftmouse>:call <SID>NetrwLeftmouse(1)<cr>
 nnoremap <buffer> <silent> <middlemouse> <leftmouse>:call <SID>NetrwPrevWinOpen(1)<cr>
 nnoremap <buffer> <silent> <s-leftmouse> <leftmouse>:call <SID>NetrwMarkFile(1,<SID>NetrwGetWord())<cr>
 exe 'nnoremap <buffer> <silent> <rightmouse> <leftmouse>:call <SID>NetrwLocalRm("'.mapsafecurdir.'")<cr>'
 exe 'vnoremap <buffer> <silent> <rightmouse> <leftmouse>:call <SID>NetrwLocalRm("'.mapsafecurdir.'")<cr>'
endif
exe 'nnoremap <buffer> <silent> <del> :call <SID>NetrwLocalRm("'.mapsafecurdir.'")<cr>'
exe 'vnoremap <buffer> <silent> <del> :call <SID>NetrwLocalRm("'.mapsafecurdir.'")<cr>'
exe 'nnoremap <buffer> <silent> D :call <SID>NetrwLocalRm("'.mapsafecurdir.'")<cr>'
exe 'vnoremap <buffer> <silent> D :call <SID>NetrwLocalRm("'.mapsafecurdir.'")<cr>'
exe 'nnoremap <buffer> <silent> R :call <SID>NetrwLocalRename("'.mapsafecurdir.'")<cr>'
exe 'vnoremap <buffer> <silent> R :call <SID>NetrwLocalRename("'.mapsafecurdir.'")<cr>'
exe 'nnoremap <buffer> <silent> <Leader>m :call <SID>NetrwMakeDir("")<cr>'
nnoremap <buffer> <F1> :he netrw-quickhelp<cr>
```

i.e. instead of calling the unsanitized NetrwLocalRm("'.b:netrw_curdir.'") we now call its safer NetrwLocalRm("'.mapsafecurdir.'") alternative.

CVE-2008-3076 now covers all netrw.vim plugin related issues:
http://www.rdancer.org/vulnerablevim-netrw.html
http://www.rdancer.org/vulnerablevim-netrw.v2.html
http://www.rdancer.org/vulnerablevim-netrw.v5.html

The 'mz' and 'mc' issues do not affect the version of the Vim package, as shipped with Red Hat Enterprise Linux 5 (they affect only Vim 7.2a+). The 'D' and 'netrw.v5' issues affect the version of the Vim package, as shipped with Red Hat Enterprise Linux 5.
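The following is an added example written for this page; it is not code from netrw.vim, from the bug report or from rdancer's test cases. It reproduces the 'mz', 'mc' and 'D' bug class outside Vim in Python so that the effect of the v132 change can be observed: the vulnerable functions built a shell command by string concatenation (system(g:netrw_compress." ".fname)) and handed the whole string to the shell, so a file whose name contains shell metacharacters turns into extra commands; the v122 'D' code wrapped the name in double quotes, which a '"' inside the name defeats; v132 passes every name through shellescape(). vim_shellescape() below is a re-implementation of the documented Unix behaviour of Vim's shellescape() without the {special} flag (enclose in single quotes, replace every ' with '\''), written for this example. The "echo gzip" / "echo rmdir" commands and the two file names are constructed stand-ins, not netrw defaults.

```python
import os
import subprocess
import tempfile

# Constructed stand-ins for g:netrw_compress ("gzip" by default) and
# g:netrw_local_rmdir: echo is a shell builtin, so the demo runs anywhere and
# never touches the files it pretends to compress or remove.
NETRW_COMPRESS = "echo gzip"
NETRW_LOCAL_RMDIR = "echo rmdir"

MARKER = "INJECTED"

# Constructed attacker-controlled file names.  In the first, ';' ends the gzip
# command and ': > INJECTED' (a builtin plus a redirection) creates the marker.
# The second targets the v122 'D' code, which wrapped the name in double
# quotes: the '"' inside the name closes that quoting early.
EVIL_NAME = "notes.txt;: > " + MARKER
EVIL_NAME_DQ = 'olddir"; : > ' + MARKER + '; echo "'


def vim_shellescape(s):
    """Re-implementation of Vim's shellescape({string}) on Unix without the
    {special} flag: enclose in single quotes and turn every ' into '\\''."""
    return "'" + s.replace("'", "'\\''") + "'"


def run_sh(cmd, cwd):
    """Mirror of Vim's system(): the whole string is handed to /bin/sh -c."""
    return subprocess.run(cmd, shell=True, cwd=cwd, capture_output=True, text=True)


def injected(cwd):
    """True if the injected command ran, i.e. the marker file exists."""
    return os.path.exists(os.path.join(cwd, MARKER))


def compress_v111(fname, cwd):
    """netrw.vim 111 NetrwMarkFileCompress: system(g:netrw_compress." ".fname)."""
    run_sh(NETRW_COMPRESS + " " + fname, cwd)
    return injected(cwd)


def rm_v122(fname, cwd):
    """netrw.vim 122 NetrwLocalRmFile: g:netrw_local_rmdir.' "'.rmfile.'"'.
    Double quotes still let '"', '$(...)' and backticks through."""
    run_sh(NETRW_LOCAL_RMDIR + ' "' + fname + '"', cwd)
    return injected(cwd)


def compress_v132(fname, cwd):
    """netrw.vim 132 pattern: the name goes through shellescape() first."""
    run_sh(NETRW_COMPRESS + " " + vim_shellescape(fname), cwd)
    return injected(cwd)


def rm_v132(fname, cwd):
    """netrw.vim 132 NetrwLocalRmFile: g:netrw_local_rmdir.' '.shellescape(rmfile)."""
    run_sh(NETRW_LOCAL_RMDIR + " " + vim_shellescape(fname), cwd)
    return injected(cwd)


def demo(pattern, name):
    """Create a file called `name` in a fresh directory, run `pattern` on it
    the way netrw would, and report whether the marker file appeared."""
    with tempfile.TemporaryDirectory() as d:
        open(os.path.join(d, name), "w").close()
        return pattern(name, d)


if __name__ == "__main__":
    for label, pattern, name in [
        ("mz, netrw 111 (unquoted)     ", compress_v111, EVIL_NAME),
        ("D,  netrw 122 (double-quoted)", rm_v122, EVIL_NAME_DQ),
        ("mz, netrw 132 (shellescape)  ", compress_v132, EVIL_NAME),
        ("D,  netrw 132 (shellescape)  ", rm_v132, EVIL_NAME_DQ),
    ]:
        print(label, "injected:", demo(pattern, name))
```

Running the script shows the marker file appearing for the 111 and 122 patterns and not for the 132 ones. Single quoting is what makes shellescape() sufficient on a POSIX shell: inside single quotes nothing is interpreted, and the only character that needs handling is the quote itself, which is why a name such as o'brien;: > INJECTED is still passed as one argument after escaping.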
This issue was addressed in:

Red Hat Enterprise Linux:
http://rhn.redhat.com/errata/RHSA-2008-0580.html

Fedora (updated to upstream 7.2.060):
https://admin.fedoraproject.org/updates/F9/FEDORA-2008-10587
https://admin.fedoraproject.org/updates/F10/FEDORA-2008-10644

Common Vulnerabilities and Exposures assigned an identifier CVE-2008-6235 to the following vulnerability:

The Netrw plugin (netrw.vim) in Vim 7.0 and 7.1 allows user-assisted attackers to execute arbitrary commands via shell metacharacters in a filename used by the (1) "D" (delete) command or (2) b:netrw_curdir variable, as demonstrated using the netrw.v4 and netrw.v5 test cases.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6235
http://www.openwall.com/lists/oss-security/2008/10/16/2
http://www.openwall.com/lists/oss-security/2008/10/20/2
http://www.rdancer.org/vulnerablevim-netrw.html
http://www.rdancer.org/vulnerablevim-netrw.v2.html
http://www.rdancer.org/vulnerablevim-netrw.v5.html

More explanation to comment #c9:

After CVE assignment the Vim netrw.vim plugin issues were split:
------------------------------------------------------------------------
The 'mz' and 'mc' issues do not affect the version of the Vim package, as shipped with Red Hat Enterprise Linux 5 (they affect only Vim 7.2a+). These are covered by CVE-2008-3076.
------------------------------------------------------------------------
The 'D' and 'netrw.v5' issues affect the version of the Vim package, as shipped with Red Hat Enterprise Linux 5. These are covered by CVE-2008-6235.

Adding description of CVE-2008-3076 for completeness:

The Netrw plugin 125 in netrw.vim in Vim 7.2a.10 allows user-assisted attackers to execute arbitrary code via shell metacharacters in filenames used by the execute and system functions within the (1) mz and (2) mc commands, as demonstrated by the netrw.v2 and netrw.v3 test cases. NOTE: this issue reportedly exists because of an incomplete fix for CVE-2008-2712.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3076
http://marc.info/?l=bugtraq&m=121494431426308&w=2
http://www.openwall.com/lists/oss-security/2008/07/07/1
http://www.openwall.com/lists/oss-security/2008/07/07/4
http://www.openwall.com/lists/oss-security/2008/07/08/12
http://marc.info/?l=oss-security&m=122416184431388&w=2
http://www.openwall.com/lists/oss-security/2008/10/20/2
http://www.rdancer.org/vulnerablevim-netrw.html
http://www.rdancer.org/vulnerablevim-netrw.v2.html
http://www.securityfocus.com/bid/30115