Bug 451759 - (CVE-2008-2712) CVE-2008-2712 vim: command execution via scripts not sanitizing inputs to execute and system
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
unspecified
All Linux
medium Severity medium
Assigned To: Red Hat Product Security
http://nvd.nist.gov/nvd.cfm?cvename=C...
source=bugtraq,reported=20080615,publ...
: Security
: 461745
Depends On: 453541 453542 453543 453544 453545 453578 461745
Reported: 2008-06-17 03:49 EDT by Tomas Hoger
Modified: 2010-10-22 21:58 EDT (History)

Doc Type: Bug Fix
Last Closed: 2009-01-09 03:37:05 EST


Attachments
Jan Minar's test suite (127.20 KB, application/x-bzip)
2008-07-11 10:50 EDT, Tomas Hoger
Description Tomas Hoger 2008-06-17 03:49:27 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-2712 to the following vulnerability:

Vim 7.1.314, 6.4, and other versions allows user-assisted remote attackers to
execute arbitrary commands via Vim scripts that do not properly sanitize inputs
before invoking the execute or system functions, as demonstrated using (1)
filetype.vim, (2) zipplugin, (3) xpm.vim, (4) gzip_vim, and (5) netrw.

References:
http://www.rdancer.org/vulnerablevim.html
http://www.securityfocus.com/archive/1/archive/1/493352/100/0/threaded
http://www.securityfocus.com/archive/1/archive/1/493353/100/0/threaded
http://marc.info/?l=bugtraq&m=121345541027231&w=4
http://www.openwall.com/lists/oss-security/2008/06/16/2
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=486502
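
For triage of the bug class described above, here is a heuristic audit that flags Vim script lines where a value reaches `execute` or `system()` without passing through Vim's built-in `shellescape()` or `fnameescape()`. This is an added example, not code from the bug report, the Vim project or Jan Minar's test suite; the sample script lines and the `audit` helper are constructed for illustration, and the line-based matching is a review aid, not a Vim script parser.

```python
import re

# Constructed Vim script lines for illustration (not from any real plugin).
SAMPLE = r'''" constructed sample
let s:name = expand("%")
execute "!gzip -d " . s:name
execute "silent !gzip -d " . shellescape(s:name, 1)
let out = system("unzip -l " . a:zipfile)
let out = system("unzip -l " . shellescape(a:zipfile))
exe "edit " . fname
exe "edit " . fnameescape(fname)
execute "normal! gg"
'''

# Sinks named in the CVE text: the execute command and the system() function.
SINK = re.compile(r'^\s*(?:silent!?\s+)?exe(?:cute)?\b|\bsystem\s*\(')
# Vim string literals: "..." with backslash escapes, '...' with '' doubling.
STRING = re.compile(r'"(?:\\.|[^"\\])*"|\'(?:\'\'|[^\'])*\'')
# Calls that neutralise shell or Ex-command metacharacters in their argument.
ESCAPED = re.compile(r'\b(?:shellescape|fnameescape)\s*\([^()]*\)')
# Any variable or function name, with an optional scope prefix such as s: or a:.
IDENT = re.compile(r'(?:[abglstvw]:)?[A-Za-z_]\w*')

def audit(script):
    """Return (line number, line) for sinks fed by an unescaped value."""
    findings = []
    for lineno, line in enumerate(script.splitlines(), 1):
        if line.lstrip().startswith('"'):      # full-line Vim comment
            continue
        sink = SINK.search(line)
        if not sink:
            continue
        # Drop constant strings and properly escaped values from the argument;
        # any identifier left over is reaching the sink as-is.
        rest = STRING.sub('', line[sink.end():])
        rest = ESCAPED.sub('', rest)
        if IDENT.search(rest):
            findings.append((lineno, line.strip()))
    return findings

if __name__ == "__main__":
    for lineno, line in audit(SAMPLE):
        print(f"line {lineno}: unescaped value reaches execute/system: {line}")
```

Each flagged line needs manual review: a variable that only ever holds a constant is a false positive, and a value escaped on an earlier line is not tracked.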
Comment 3 Marc Schoenefeld 2008-07-01 05:10:29 EDT
Patch available at ftp://ftp.vim.org/pub/vim/patches/7.1/7.1.299
Comment 8 Tomas Hoger 2008-07-11 10:50:18 EDT
Created attachment 311587
Jan Minar's test suite

Downloaded from: http://www.rdancer.org/vulnerablevim.tar.bz2
At: Fri Jul 11 14:48:38 UTC 2008
Comment 9 Tomas Hoger 2008-07-14 09:45:50 EDT
Consolidated test suite tarball with tests from vulnerablevim.html and
vulnerablevim-netrw.html (see bug #455023) available at:

  http://www.rdancer.org/vulnerablevim.2008-07-13.tar.bz2
Comment 10 Tomas Hoger 2008-07-14 09:50:28 EDT
tar.vim and zip.vim plugins are only shipped in vim 7.x versions, so those
issues only affect vim versions as shipped in Red Hat Enterprise Linux 5.

netrw test is successful on all vim versions in all versions of Red Hat
Enterprise Linux.  However, on vim versions shipped in Red Hat Enterprise Linux
2.1, 3, and 4, the problem triggered by the test case is not in netrw, but in
the explorer.vim plugin.

All other issues (filetype, xpm, gzip) affect all vim versions as shipped in Red
Hat Enterprise Linux 2.1, 3, 4, and 5.
Comment 13 Tomas Hoger 2008-07-24 12:03:40 EDT
Index page with all Jan Minar's advisories:
  http://www.rdancer.org/vulnerablevim-index.html
Comment 16 Jan Lieskovsky 2008-09-11 10:01:34 EDT
*** Bug 461745 has been marked as a duplicate of this bug. ***