Secunia Research has discovered a vulnerability in Vim, which can be exploited by malicious people to compromise a vulnerable system.

Vulnerability details:
----------------------

A format string error in the "helptags_one()" function in src/ex_cmds.c when running the "helptags" command can be exploited to execute arbitrary code via specially crafted help files.

The "helptags" command creates a tag file from tags surrounded by asterisks in help files, and the part of the code that handles tags starting with the string "help-tags" is incorrect, leading to this vulnerability.

The offending code in src/ex_cmds.c looks like this, starting from line 6353:

    s = ((char_u **)ga.ga_data)[i];
    if (STRNCMP(s, "help-tags", 9) == 0)
        /* help-tags entry was added in formatted form */
        fprintf(fd_tags, (char *)s);

Successful exploitation requires that the user is tricked into running "helptags" on malicious data.

The vulnerability is confirmed in versions 6.4 and 7.1, as well as the version included in Fedora Core 6. Other versions may also be affected.

Proof of Concept:
-----------------

Here is a simple PoC:

    $ mkdir secunia
    $ echo '*help-tags%.1111111111u%x%x%x%x%x%x%x%x%n*' > secunia/help.txt
    $ vim -c 'helptags secunia/'

or

    $ vim
    :helptags secunia/

Closing comments:
-----------------

We have assigned this vulnerability Secunia advisory SA25941 and the CVE identifier CVE-2007-2953.

Credits should go to: Ulf Harnhammar, Secunia Research.
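The root cause above is that the tag text, which comes straight from a help file, is handed to fprintf() as the format argument, so any "%" directive in it is interpreted. The added C example below is not Vim's code and not part of the Secunia advisory: it shows the hardened write (the tag passed as data through fputs(), an assumed fix that mirrors the usual remedy for this bug class), plus a small check a packager or reviewer could run over tag strings to flag help-tags entries that carry conversion directives. The helper names and the round-trip harness are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Hardened counterpart of the vulnerable fprintf(fd_tags, (char *)s) call.
 * The tag text is data, so it is written with fputs(), which copies bytes
 * verbatim and never parses '%' directives. (Assumed fix, not Vim's patch.) */
static int write_help_tags_entry(FILE *fd_tags, const char *s)
{
    return fputs(s, fd_tags) < 0 ? -1 : 0;
}

/* Detection helper: count printf-style conversion directives in a string.
 * "%%" is a literal percent sign and is not counted. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p == '%') {
            if (p[1] == '%') { p++; continue; }
            n++;
        }
    }
    return n;
}

/* A legitimate help-tags entry never contains a '%' directive, so a tag that
 * starts with "help-tags" (the same 9-byte prefix the vulnerable code checks)
 * and contains one is worth rejecting or flagging. Returns 1 if suspicious. */
int is_suspicious_help_tags(const char *s)
{
    return strncmp(s, "help-tags", 9) == 0 && count_format_directives(s) > 0;
}

/* Writes the entry through the hardened path into a temporary file and reads
 * it back. Returns 1 if the bytes round-trip unchanged, i.e. the directives
 * were written literally rather than interpreted. */
int entry_round_trips(const char *s)
{
    char buf[512];
    int ok = 0;
    FILE *fd = tmpfile();
    if (fd == NULL)
        return 0;
    if (write_help_tags_entry(fd, s) == 0) {
        rewind(fd);
        size_t n = fread(buf, 1, sizeof buf - 1, fd);
        buf[n] = '\0';
        ok = (strcmp(buf, s) == 0);
    }
    fclose(fd);
    return ok;
}

int main(void)
{
    /* Constructed sample: the tag text the advisory's PoC help file would
     * produce, as it reaches the write in helptags_one(). */
    const char *tag = "help-tags%.1111111111u%x%x%x%x%x%x%x%x%n\n";

    printf("directives: %d\n", count_format_directives(tag));
    printf("suspicious: %d\n", is_suspicious_help_tags(tag));
    printf("hardened write preserved bytes: %d\n", entry_round_trips(tag));
    return 0;
}
```

The count and prefix check are deliberately simple: an ordinary help-tags line such as "help-tags\thelp.txt\t/*help-tags*" contains no "%" at all, so a single directive is enough to treat the input as hostile. The round-trip check is the property a fix must have: the output file contains exactly the bytes of the tag, regardless of what they look like.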
Issue is public now, lifting embargo.
This issue was addressed in:

Red Hat Enterprise Linux:
http://rhn.redhat.com/errata/RHSA-2008-0580.html
http://rhn.redhat.com/errata/RHSA-2008-0617.html