Bug 238734 (CVE-2007-2438) - CVE-2007-2438 vim-7 modeline security issue
Summary: CVE-2007-2438 vim-7 modeline security issue
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2007-2438
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Karsten Hopp
QA Contact: David Lawrence
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2007-05-02 17:34 UTC by Josh Bressers
Modified: 2019-09-29 12:20 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-05-30 19:58:03 UTC
Embargoed:


Attachments (Terms of Use)

Description Josh Bressers 2007-05-02 17:34:20 UTC
+++ This bug was initially created as a clone of Bug #238259 +++

Description of problem:
from the vim developer list:
> today somebody came to #vim, and pasted some modeline (containig joke or
> > such). He muttered something about not knowing what that means and left
> > before long. But (!) what I noticed is that feedkeys() was used as part of
> > foldexpression and it turned out that feedkeys() is allowed in sandbox,
> > which means malicious file can run arbitrary command via modeline like
> > this:
> > 
> > vim: fdm=expr fde=feedkeys("\\:!touch\ phantom_was_here\\<cr>")
> > 
> > I guess you can see the consequences. Is this known/intentional?

> That's pretty nasty.  I'll make a patch right away.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 
  This comment is from Bram Moolenaar, the upstream VIM maintainer

This issue is already public. Exploitable only if someone manages to get any
user to open a malicious file with vim. Even worse if that user is root ;-(
This should be fixed as fast as possible.

-- Additional comment from karsten on 2007-04-28 08:47 EST --
patch already available at 
http://marc.info/?l=vim-dev&m=117770531702496&w=2

-- Additional comment from karsten on 2007-04-30 05:13 EST --
More issues have been found:
http://tech.groups.yahoo.com/group/vimdev/message/46658
Fix available at http://tech.groups.yahoo.com/group/vimdev/message/46667

Comment 1 Josh Bressers 2007-05-02 17:44:45 UTC
This flaw also affects FC7

Comment 2 Fedora Update System 2007-05-08 02:18:13 UTC
vim-7.0.235-1.fc6 has been pushed for fc6, which should resolve this issue.  If these problems are still present in this version, then please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.