Bug 451759 (CVE-2008-2712) - CVE-2008-2712 vim: command execution via scripts not sanitizing inputs to execute and system
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2008-2712
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://nvd.nist.gov/nvd.cfm?cvename=C...
Whiteboard:
Duplicates: 461745
Depends On: Engineering453541 Engineering453542 Engineering453543 Engineering453544 Engineering453545 Engineering453578 461745
Blocks:
Reported: 2008-06-17 07:49 UTC by Tomas Hoger
Modified: 2019-09-29 12:24 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-01-09 08:37:05 UTC


Attachments
Jan Minar's test suite (127.20 KB, application/x-bzip)
2008-07-11 14:50 UTC, Tomas Hoger


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2008:0580 | 0 | normal | SHIPPED_LIVE | Moderate: vim security update | 2008-11-25 08:41:07 UTC
Red Hat Product Errata | RHSA-2008:0617 | 0 | normal | SHIPPED_LIVE | Moderate: vim security update | 2008-11-25 08:57:54 UTC
Red Hat Product Errata | RHSA-2008:0618 | 0 | normal | SHIPPED_LIVE | Moderate: vim security update | 2008-11-25 09:00:16 UTC

Description Tomas Hoger 2008-06-17 07:49:27 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-2712 to the following vulnerability:

Vim 7.1.314, 6.4, and other versions allows user-assisted remote attackers to
execute arbitrary commands via Vim scripts that do not properly sanitize inputs
before invoking the execute or system functions, as demonstrated using (1)
filetype.vim, (2) zipplugin, (3) xpm.vim, (4) gzip_vim, and (5) netrw.

References:
http://www.rdancer.org/vulnerablevim.html
http://www.securityfocus.com/archive/1/archive/1/493352/100/0/threaded
http://www.securityfocus.com/archive/1/archive/1/493353/100/0/threaded
http://marc.info/?l=bugtraq&m=121345541027231&w=4
http://www.openwall.com/lists/oss-security/2008/06/16/2
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=486502
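
The class of bug described above (script input reaching `execute` or `system()` without escaping) can be looked for mechanically. The following is an added example, not part of the original bug report or of Vim itself: a heuristic Python audit that flags Vim script lines where a variable or function result reaches one of those sinks without passing through `fnameescape()`, `shellescape()` or `escape()`. Treating those helpers as sufficient is an assumption of this sketch, and the sample script is constructed.

```python
import re

# Sinks named in the CVE text: :execute (also :exe, :exec) and system().
SINK = re.compile(r'\bexe(?:c(?:ute)?)?\b|\bsystem\s*\(')
# Escaping helpers; treating these as sufficient is an assumption of this sketch.
SANITIZER = re.compile(r'\b(?:fnameescape|shellescape|escape)\s*\(')
STRING = re.compile(r'"(?:\\.|[^"\\])*"|\'[^\']*\'')
IDENT = re.compile(r'[A-Za-z_][\w:#]*')

def strip_sanitized(expr):
    """Remove every sanitizer call, including nested parentheses, from expr."""
    while (m := SANITIZER.search(expr)):
        depth, i = 1, m.end()
        while i < len(expr) and depth:
            depth += {'(': 1, ')': -1}.get(expr[i], 0)
            i += 1
        expr = expr[:m.start()] + expr[i:]
    return expr

def unsanitized_operands(line):
    """Return identifiers that reach a sink without passing through a sanitizer."""
    if line.lstrip().startswith('"'):      # whole-line Vim comment
        return []
    m = SINK.search(line)
    if not m:
        return []
    expr = STRING.sub('', line[m.end():])  # string literals are fixed text
    return IDENT.findall(strip_sanitized(expr))

def audit(script):
    """Return (line_number, line, operands) for each suspicious line."""
    return [(n, l.strip(), ops)
            for n, l in enumerate(script.splitlines(), 1)
            if (ops := unsanitized_operands(l))]

# Constructed sample, not taken from any Vim runtime file.
SAMPLE = '''\
" open the member the user picked
execute "edit " . fname
execute "edit " . fnameescape(fname)
let listing = system("unzip -l " . a:zipfile)
let listing = system("unzip -l " . shellescape(expand("%")))
exe "normal! gg"
if executable("gzip")
'''

if __name__ == "__main__":
    for n, line, ops in audit(SAMPLE):
        print(f"line {n}: {ops} reach execute/system() unescaped: {line}")
```

A hit is a lead for manual review rather than proof of a flaw: the operand may be validated earlier in the script, and a line that passes may still use the wrong escaping function for its sink.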

Comment 3 Marc Schoenefeld 2008-07-01 09:10:29 UTC
Patch available at ftp://ftp.vim.org/pub/vim/patches/7.1/7.1.299

Comment 8 Tomas Hoger 2008-07-11 14:50:18 UTC
Created attachment 311587
Jan Minar's test suite

Downloaded from: http://www.rdancer.org/vulnerablevim.tar.bz2
At: Fri Jul 11 14:48:38 UTC 2008

Comment 9 Tomas Hoger 2008-07-14 13:45:50 UTC
Consolidated test suite tarball with tests from vulnerablevim.html and
vulnerablevim-netrw.html (see bug #455023) available at:

  http://www.rdancer.org/vulnerablevim.2008-07-13.tar.bz2


Comment 10 Tomas Hoger 2008-07-14 13:50:28 UTC
tar.vim and zip.vim plugins are only shipped in vim 7.x versions, so those
issues only affect vim versions as shipped in Red Hat Enterprise Linux 5.

netrw test is successful on all vim versions in all versions of Red Hat
Enterprise Linux.  However, on vim versions shipped in Red Hat Enterprise Linux
2.1, 3, and 4, the problem triggered by the test case is not in netrw, but in
the explorer.vim plugin.

All other issues (filetype, xpm, gzip) affect all vim versions as shipped in Red
Hat Enterprise Linux 2.1, 3, 4, and 5.

Comment 13 Tomas Hoger 2008-07-24 16:03:40 UTC
Index page with all Jan Minar's advisories:
  http://www.rdancer.org/vulnerablevim-index.html

Comment 16 Jan Lieskovsky 2008-09-11 14:01:34 UTC
*** Bug 461745 has been marked as a duplicate of this bug. ***

