Red Hat Bugzilla – Bug 461745
vim: arbitrary command execution when handling tar archives
Last modified: 2008-09-11 10:01:34 EDT
Description of problem:
A security vulnerability was discovered in the way, vim processes
the names of files, directories and tar archives. The fnameescape()
function makes the untrusted file name safe as an argument to ``execute''.
The sanitization of the provided inputs, performed by this function is not sufficient, which results into the situation,in which the code which uses the
output of the fnameescape() function is vulnerable again, i.e. the commands called by ``execute'' will in turn each interpret the untrusted file name
again. An attacker could use this flaw to execute arbitrary code when
handling tar archives.
Version-Release number of selected component (if applicable):
Vim >= 7.0 (possibly older)
http://www.rdancer.org/vulnerablevim-tarplugin.v3.html (original report)
Proposed patch 7.2c.002
*** This bug has been marked as a duplicate of bug 451759 ***