Bug 455455 - (CVE-2008-3432) CVE-2008-3432 vim: heap buffer overflow in mch_expand_wildcards()
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
unspecified
All Linux
medium Severity medium
Assigned To: Red Hat Product Security
source=redhat,reported=20080714,publi...
: Security
Depends On: 453541 453542 453543
Reported: 2008-07-15 11:58 EDT by Tomas Hoger
Modified: 2016-03-04 06:46 EST
Doc Type: Bug Fix
Last Closed: 2009-01-09 03:36:36 EST
Description Tomas Hoger 2008-07-15 11:58:35 EDT
Jan Minar's test suite [1] for multiple vim vulnerabilities uncovered an old vim
bug that could trigger a heap buffer overflow in mch_expand_wildcards() in
os_unix.c when a file or directory with a specially crafted name is opened in vim.

  [1] http://www.rdancer.org/vulnerablevim-netrw.tar.bz2

The issue is caused by incorrect computation of the memory requirements for the
buffer that stores an external command executed by vim.  The file / directory name
is escaped / quoted before being passed to an external command; however, possible
quoting is not taken into account when allocating memory.

Issue was introduced in 6.2.429:
  http://vim.cvs.sourceforge.net/vim/vim/src/os_unix.c?view=log#rev1.104
  ftp://ftp.vim.org/pub/vim/patches/6.2.429

and fixed upstream in 6.3.059:
  http://vim.cvs.sourceforge.net/vim/vim/src/os_unix.c?view=log#rev1.111
  ftp://ftp.vim.org/pub/vim/patches/6.3/6.3.059

and later re-written for vim 7.0 to use backslash escaping instead of quoting:
  http://vim.cvs.sourceforge.net/vim/vim7/src/os_unix.c?r1=1.49&r2=1.50

For further details, see:
  http://www.openwall.com/lists/oss-security/2008/07/15/4
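
The sizing rule behind the description above, as an added example that is not vim's code and not part of the original report: the allocation has to count the bytes that escaping adds, not the raw name length. The function names, the `SPECIAL` character set and the sample file name are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Characters this example escapes with a backslash (constructed set, an assumption). */
static const char SPECIAL[] = " \t\"'`$\\&;|<>()*?[]{}!#~";

/* Size the bug pattern computes: prefix + raw name, escaping ignored. */
size_t naive_size(const char *prefix, const char *name)
{
    return strlen(prefix) + strlen(name) + 1;
}

/* Size actually needed: one extra byte for every character that gets escaped. */
size_t escaped_size(const char *prefix, const char *name)
{
    size_t n = strlen(prefix) + 1;              /* prefix + NUL */
    for (const char *p = name; *p; p++)
        n += strchr(SPECIAL, *p) ? 2 : 1;
    return n;
}

/* Build prefix + escaped name in a buffer sized by escaped_size(); NULL on failure. */
char *build_command(const char *prefix, const char *name)
{
    size_t size = escaped_size(prefix, name);
    char *buf = malloc(size);
    if (buf == NULL)
        return NULL;
    size_t i = strlen(prefix);
    memcpy(buf, prefix, i);
    for (const char *p = name; *p; p++) {
        if (strchr(SPECIAL, *p))
            buf[i++] = '\\';
        buf[i++] = *p;
    }
    buf[i] = '\0';                              /* i == size - 1 here */
    return buf;
}

int main(void)
{
    const char *name = "a b'c$d";               /* constructed sample file name */
    char *cmd = build_command("echo ", name);
    if (cmd == NULL) return 1;
    printf("naive=%zu needed=%zu cmd=%s\n", naive_size("echo ", name), escaped_size("echo ", name), cmd);
    free(cmd);
    return 0;
}
```

The gap between the two sizes is the number of bytes that would land past the end of a buffer allocated from the raw length.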
Comment 1 Tomas Hoger 2008-07-15 11:59:54 EDT
This issue only affects vim packages as shipped in Red Hat Enterprise Linux 3
and 4, which are based on vim 6.3.046.
Comment 3 Red Hat Product Security 2009-01-09 03:36:36 EST
This issue was addressed in:

Red Hat Enterprise Linux:
  http://rhn.redhat.com/errata/RHSA-2008-0617.html
