Jan Minar's test suite [1] for multiple vim vulnerabilities uncovered an old vim bug that could trigger a heap buffer overflow in mch_expand_wildcards() in os_unix.c when a file or directory with a specially crafted name is opened in vim.

[1] http://www.rdancer.org/vulnerablevim-netrw.tar.bz2

The issue is caused by an incorrect computation of the memory required for the buffer that holds the external command executed by vim. The file or directory name is escaped or quoted before being passed to the external command, but the extra bytes that this quoting may add are not taken into account when the buffer is allocated, so a name that needs quoting can be written past the end of the allocation.

The issue was introduced in 6.2.429:
http://vim.cvs.sourceforge.net/vim/vim/src/os_unix.c?view=log#rev1.104
ftp://ftp.vim.org/pub/vim/patches/6.2.429

and fixed upstream in 6.3.059:
http://vim.cvs.sourceforge.net/vim/vim/src/os_unix.c?view=log#rev1.111
ftp://ftp.vim.org/pub/vim/patches/6.3/6.3.059

and later re-written for vim 7.0 to use backslash escaping instead of quoting:
http://vim.cvs.sourceforge.net/vim/vim7/src/os_unix.c?r1=1.49&r2=1.50

For further details, see:
http://www.openwall.com/lists/oss-security/2008/07/15/4
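The size-accounting mistake described above, reduced to a constructed C illustration (added here; this is not vim's code and does not reproduce its quoting rules). It assumes the common shell convention of wrapping each name in single quotes and rewriting an embedded ' as '\'', and contrasts a buffer sized from the raw names with one sized from what is actually written, using a bounds-checked writer that reports an undersized buffer instead of overrunning it:

```c
#include <string.h>

/* Constructed illustration, not vim's code: each argument is wrapped in single
 * quotes and every embedded ' becomes '\'' (4 bytes), so quoting can grow a name. */
size_t quoted_arg_len(const char *s)
{
    size_t n = 0;
    const char *p;
    for (p = s; *p; p++)
        n += (*p == '\'') ? 4 : 1;
    return n + 2 + 1;                   /* surrounding quotes plus separating space */
}

/* Buffer size for "cmd arg ...". With account_for_quoting == 0 this is the bug
 * pattern (raw name lengths only); with 1 it counts what will really be written. */
size_t cmd_buf_len(const char *cmd, const char **args, int nargs, int account_for_quoting)
{
    size_t n = strlen(cmd);
    int i;
    for (i = 0; i < nargs; i++)
        n += account_for_quoting ? quoted_arg_len(args[i]) : strlen(args[i]) + 1;
    return n + 1;                       /* trailing NUL */
}

/* Writes "cmd 'a' 'b' ..." into buf with every byte bounds-checked: an undersized
 * buffer returns -1 instead of overrunning the heap. Returns 0 on success. */
int build_quoted_cmd(char *buf, size_t bufsz, const char *cmd, const char **args, int nargs)
{
    size_t pos = 0;
    const char *p;
    int i;
#define PUT(c) do { if (pos + 1 >= bufsz) return -1; buf[pos++] = (c); } while (0)
    for (p = cmd; *p; p++) PUT(*p);
    for (i = 0; i < nargs; i++) {
        PUT(' '); PUT('\'');
        for (p = args[i]; *p; p++) {
            if (*p == '\'') { PUT('\''); PUT('\\'); PUT('\''); PUT('\''); }
            else PUT(*p);
        }
        PUT('\'');
    }
#undef PUT
    buf[pos] = '\0';
    return 0;
}
```

For a name such as it's, the raw-length estimate is 8 bytes while the quoted command needs 13, which is exactly the shortfall an unchecked writer would spill past the allocation.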
This issue only affects vim packages as shipped in Red Hat Enterprise Linux 3 and 4, which are based on vim 6.3.046.
This issue was addressed in:

Red Hat Enterprise Linux:
http://rhn.redhat.com/errata/RHSA-2008-0617.html