Bug 14088 - app-editors/vim*
Summary: app-editors/vim*
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: x86 Linux
Importance: Highest critical
Assignee: Gentoo Security
Duplicates: 46421
Reported: 2003-01-17 04:38 UTC by Daniel Ahlberg (RETIRED)
Modified: 2004-03-31 18:30 UTC

Attachments
vimpatch-1-299.tar.bz2 (vimpatch-1-299.tar.bz2,213.91 KB, application/x-tbz)
2003-01-21 06:51 UTC, Daniel Ahlberg (RETIRED)

Description Daniel Ahlberg (RETIRED) gentoo-dev 2003-01-17 04:38:41 UTC
Georgi Guninski security advisory #59, 2002 
  
 Some vim problems, yet still vim much better than windows 
  
 Systems affected: 
 probably default install of vim6.0/6.1 on real OSes, windows may also be  
 affected, have not tested personally 
 Debian 3.0 & Redhat 8.0 confirmed vulnerable 
 According to Solar Designer: 
 How about a "not vulnerable", for Openwall GNU/*/Linux? :-)  
  
  
 Risk: medium 
 Date: 12 December 2002 
  
 Legal Notice: 
 This Advisory is Copyright (c) 2002 Georgi Guninski. 
 You may distribute it unmodified. 
 You may not modify it and distribute it or distribute parts 
 of it without the author's written permission - this especially applies to 
 so called "vulnerabilities databases" and securityfocus, microsoft, cert 
 and mitre. 
 If you want to link to this content use the URL: 
 http://www.guninski.com/vim1.html 
 Anything in this document may change without notice. 
  
 Disclaimer: 
 The information in this advisory is believed to be true though 
 it may be false. 
 The opinions expressed in this advisory and program are my own and 
 not of any company. The usual standard disclaimer applies, 
 especially the fact that Georgi Guninski is not liable for any damages 
 caused by direct or  indirect use of the information or functionality 
 provided by this advisory or program. Georgi Guninski bears no 
 responsibility for content or misuse of this advisory or program or 
 any derivatives thereof. 
  
 Description: 
 Opening a specially crafted text file with vim can execute arbitrary shell 
 commands and pass parameters to them. 
 Some exploit scenarios include mail user agents which use vim as editor 
 (mutt) or examining log files with vim. The malicious text should be near 
 the beginning or the end of the file which mitigates the risk. 
  
 Details: 
 The problem is so-called modelines, which can execute some commands in 
 vim, though they are intended to be sandboxed. 
  
 Consider the following file (may be wrapped): 
  
 
------------------------ 
 /* vim:set foldmethod=expr: */ 
 /* vim:set foldexpr=confirm(libcall("/lib/libc.so.6","system","/bin/ls"),"ms_sux"): */ 
  
 vim better than windoze 
  
  
 ------------------------ 
  
 
 Workaround/Solution: 
 Put the following in your ~/.vimrc or better in a system wide config file: 
  
 set modelines=0 
  
 It disables modelines without breaking significant functionality - there is 
 no compatibility in this stuff between vim and emacs anyway. 
  
 Even when/if vim is fixed, I strongly recommend keeping this solution to 
 prevent from similar exploits in the future. Scripting sux - check windows 
 history. 
  
 Emacs addicts are recommended to disable local variables which may pose 
 similar threat by putting the following in ~/.emacs 
  
 ;; disable local variables 
 (setq enable-local-variables nil) 
  
  
 Vendor status: 
 vim.org and some vendors were notified on Mon, 25 Nov 2002 
  
 Quote: 
 "Daddy, why are we hiding?" 
 "We use vi, son.  They use emacs." 
  
 Anyway, this was written in vim :) 
  
 Regards, 
 Georgi Guninski 
 http://www.guninski.com 
  
 :wq
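
Added example (not part of the advisory or of the Gentoo bug report): a Python scanner that lists the modelines within the first and last lines of a file, the region Vim reads (5 lines by default), and flags those that assign an expression option or call a function, as the foldexpr line above does. The function names, the flagging heuristic and the sample text are constructed for this example.

```python
import re

# Vim reads modelines only from the first and last 'modelines' lines of a
# file; its default is 5. 0 disables them, as the workaround above does.
DEFAULT_MODELINES = 5

# Marker forms per Vim's documentation: vi:, vim:, Vim:, ex:, and the
# version-qualified vim{vers}: variants, preceded by start of line or blank.
MODELINE_RE = re.compile(r"(?:^|\s)(?:vi|[vV]im(?:[<=>]?\d+)?|ex):\s*(?P<body>.*)$")

# Heuristic assumed for this example: an option whose name ends in "expr"
# being assigned, or anything that looks like a function call.
RISKY_RE = re.compile(r"\w*expr\s*=|\w+\s*\(")


def find_modelines(text, window=DEFAULT_MODELINES):
    """Return (line_number, modeline_body, risky) for each modeline in range."""
    lines = text.splitlines()
    n = len(lines)
    in_range = set(range(min(window, n))) | set(range(max(0, n - window), n))
    hits = []
    for i in sorted(in_range):
        match = MODELINE_RE.search(lines[i])
        if match:
            body = match.group("body").strip()
            hits.append((i + 1, body, bool(RISKY_RE.search(body))))
    return hits


def risky_lines(text, window=DEFAULT_MODELINES):
    """Line numbers of modelines that the heuristic flags for review."""
    return [num for num, _, risky in find_modelines(text, window) if risky]


# Constructed sample: two modelines at the top, one buried mid-file (out of
# Vim's range), one plain option modeline at the bottom.
SAMPLE = "\n".join(
    ["/* vim:set foldmethod=expr: */",
     "/* vim:set foldexpr=getline(v:lnum): */"]
    + ["log entry %d" % i for i in range(10)]
    + ["# vim: set foldexpr=getline(1):"]
    + ["log entry %d" % i for i in range(10, 20)]
    + ["# vim: ts=4 sw=4"]
)

if __name__ == "__main__":
    for num, body, risky in find_modelines(SAMPLE):
        print(num, "REVIEW" if risky else "ok", body)
```

Passing window=0 mirrors "set modelines=0": nothing is in range, so nothing is reported.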
Comment 1 Daniel Ahlberg (RETIRED) gentoo-dev 2003-01-21 04:51:24 UTC
Ryan, Would it be safe to create a new vimpatch-1-300.tar.bz2 with all patches 
except for Win32 patches and make a new revision based on the latest vim* 
ebuilds? 
 
The single patch to fix this is 265. 
Comment 2 Daniel Ahlberg (RETIRED) gentoo-dev 2003-01-21 06:51:40 UTC
Created attachment 7500 [details]
vimpatch-1-299.tar.bz2

Set of patches that applies to vim-core, vim and gvim
Comment 3 Ryan Phillips (RETIRED) gentoo-dev 2003-01-21 12:08:46 UTC
I added patches 1-300 to portage and tweaked the default vimrc and gvimrc files
to include the modelines=0.
Comment 4 Ryan Phillips (RETIRED) gentoo-dev 2003-01-21 12:10:19 UTC
This bug should be fixed... Should a GLSA be written up?
Comment 5 Phil Richards 2003-01-21 14:13:05 UTC
Hmm, well, the portage tree and ebuild have been updated (2003-01-21 20:08 UTC),
but that introduces a slight problem when the new patch doesn't appear to exist
in either portage or on the ftp servers...

phil

derisoft root # emerge -u --deep vim gvim
Calculating dependencies ...done!
>>> emerge (1 of 3) app-editors/vim-core-6.1-r4 to /
>>> Downloading
http://www.ibiblio.org/pub/Linux/distributions/gentoo/distfiles/vimpatch-1-300.tar.bz2
--19:51:52-- 
http://www.ibiblio.org/pub/Linux/distributions/gentoo/distfiles/vimpatch-1-300.tar.bz2
           => `/usr/portage/distfiles/vimpatch-1-300.tar.bz2'
Resolving www.ibiblio.org... done.
Connecting to www.ibiblio.org[152.2.210.81]:80... connected.
HTTP request sent, awaiting response... 404 Not Found
19:51:52 ERROR 404: Not Found.

>>> Downloading http://www.ibiblio.org/gentoo/distfiles/vimpatch-1-300.tar.bz2
--19:51:52--  http://www.ibiblio.org/gentoo/distfiles/vimpatch-1-300.tar.bz2
           => `/usr/portage/distfiles/vimpatch-1-300.tar.bz2'
Resolving www.ibiblio.org... done.
Connecting to www.ibiblio.org[152.2.210.81]:80... connected.
HTTP request sent, awaiting response... 302 Found
Location:
http://www.ibiblio.org/pub/Linux/distributions/gentoo/distfiles/vimpatch-1-300.tar.bz2
[following]
--19:51:52-- 
http://www.ibiblio.org/pub/Linux/distributions/gentoo/distfiles/vimpatch-1-300.tar.bz2
           => `/usr/portage/distfiles/vimpatch-1-300.tar.bz2'
Connecting to www.ibiblio.org[152.2.210.81]:80... connected.
HTTP request sent, awaiting response... 404 Not Found
19:51:53 ERROR 404: Not Found.

!!! Couldn't download vimpatch-1-300.tar.bz2. Aborting.
Comment 6 Ryan Phillips (RETIRED) gentoo-dev 2003-01-21 15:19:47 UTC
true.... It hadn't been mirrored yet... Appears to be there now.
Comment 7 Daniel Ahlberg (RETIRED) gentoo-dev 2003-01-22 06:11:29 UTC
unmasked and glsa sent. 
Comment 8 Björn Lindström 2003-03-01 15:13:13 UTC
Setting modelines in /etc/vim/g?vimrc means you _can't_ set modelines in your ~/.vimrc

That's broken.
Comment 9 Aron Griffis (RETIRED) gentoo-dev 2004-03-31 18:30:24 UTC
*** Bug 46421 has been marked as a duplicate of this bug. ***