Bug 238734 - (CVE-2007-2438) CVE-2007-2438 vim-7 modeline security issue
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: vim
6
All Linux
medium Severity medium
Assigned To: Karsten Hopp
David Lawrence
impact=moderate,source=redhat,reporte...
: Security
Reported: 2007-05-02 13:34 EDT by Josh Bressers
Modified: 2012-09-05 11:39 EDT

Doc Type: Bug Fix
Last Closed: 2007-05-30 15:58:03 EDT
Description Josh Bressers 2007-05-02 13:34:20 EDT
+++ This bug was initially created as a clone of Bug #238259 +++

Description of problem:
from the vim developer list:
> > today somebody came to #vim, and pasted some modeline (containing joke or
> > such). He muttered something about not knowing what that means and left
> > before long. But (!) what I noticed is that feedkeys() was used as part of
> > foldexpression and it turned out that feedkeys() is allowed in sandbox,
> > which means malicious file can run arbitrary command via modeline like
> > this:
> > 
> > vim: fdm=expr fde=feedkeys("\\:!touch\ phantom_was_here\\<cr>")
> > 
> > I guess you can see the consequences. Is this known/intentional?

> That's pretty nasty.  I'll make a patch right away.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 
  This comment is from Bram Moolenaar, the upstream VIM maintainer

This issue is already public. Exploitable only if someone manages to get any
user to open a malicious file with vim. Even worse if that user is root ;-(
This should be fixed as fast as possible.

-- Additional comment from karsten@redhat.com on 2007-04-28 08:47 EST --
patch already available at 
http://marc.info/?l=vim-dev&m=117770531702496&w=2

-- Additional comment from karsten@redhat.com on 2007-04-30 05:13 EST --
More issues have been found:
http://tech.groups.yahoo.com/group/vimdev/message/46658
Fix available at http://tech.groups.yahoo.com/group/vimdev/message/46667
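
A detection-side sketch of the issue reported above, added here and not part of the original report or of Vim: it scans the lines Vim inspects for modelines and flags options whose value is evaluated as an expression (such as `fde`), noting whether the value calls `feedkeys()`. The modeline grammar is simplified; the option list and the 5-line window follow Vim's documentation (`:help sandbox`, `'modelines'`), and the sample text and function names are constructed for the example.

```python
import re

# Options Vim evaluates as expressions, in the sandbox when set from a
# modeline (list from ":help sandbox"); long and short names.
EXPR_OPTIONS = {"foldexpr", "fde", "formatexpr", "fex", "includeexpr", "inex",
                "indentexpr", "inde", "statusline", "stl", "foldtext", "fdt"}

# Simplified modeline prefix: vi:, vim:, Vim:, ex:, or vim with a version test.
MODELINE = re.compile(r"(?:^|\s)(?:vi|[vV]im(?:[<=>]?\d+)?|ex):\s*(.*)$")
UNESCAPED_SEP = re.compile(r"(?<!\\)[\s:]+")  # whitespace or ':' not after '\'

# Constructed sample file: 12 lines, modelines on lines 2, 6 and 12.
SAMPLE = "\n".join(
    ["constructed sample", r'vim: fdm=expr fde=feedkeys("a\ b\:c")']
    + ["filler"] * 3
    + ['vim: fde=feedkeys("too deep in the file to be read")']
    + ["filler"] * 5
    + ["/* vim: set ts=4 inde=GetIndent() : */"]
)


def parse_modeline(line):
    """Return the option tokens of a modeline, or None if the line has none."""
    m = MODELINE.search(line)
    if not m:
        return None
    body = m.group(1)
    set_form = re.match(r"set?\s+", body)
    if set_form:  # "set opt opt:" form stops at the first unescaped ':'
        body = re.split(r"(?<!\\):", body[set_form.end():], maxsplit=1)[0]
        return [t for t in re.split(r"(?<!\\)\s+", body) if t]
    return [t for t in UNESCAPED_SEP.split(body) if t]


def scan(text, modelines=5):
    """Return (line, option, calls_feedkeys) for expression options that are
    set in the first or last `modelines` lines, the only ones Vim reads."""
    lines = text.splitlines()
    window = set(range(modelines)) | set(range(len(lines) - modelines, len(lines)))
    findings = []
    for i in sorted(n for n in window if 0 <= n < len(lines)):
        for tok in parse_modeline(lines[i]) or []:
            name, sep, value = tok.partition("=")
            if sep and name.rstrip("+^-") in EXPR_OPTIONS:
                findings.append((i + 1, name.rstrip("+^-"), "feedkeys(" in value))
    return findings
```

A hit is a reason to review the file before opening it in an unpatched Vim; `set nomodeline` in the vimrc turns modeline processing off altogether.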
Comment 1 Josh Bressers 2007-05-02 13:44:45 EDT
This flaw also affects FC7
Comment 2 Fedora Update System 2007-05-07 22:18:13 EDT
vim-7.0.235-1.fc6 has been pushed for fc6, which should resolve this issue.  If these problems are still present in this version, then please make note of it in this bug report.
