Bug#: 176464
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Ali Polatel (RETIRED) <hawking@gentoo.org>

Attachments:
  Filename                  Type        Creator                Created                Size
  vim-7.0.235.ebuild        text/plain  Ali Polatel (RETIRED)  2007-04-29 21:39 0000  815 bytes
  vim-core-7.0.235.ebuild   text/plain  Ali Polatel (RETIRED)  2007-04-29 22:47 0000  816 bytes
  gvim-7.0.235.ebuild       text/plain  Ali Polatel (RETIRED)  2007-04-29 22:48 0000  1.12 KB

Description:   Opened: 2007-04-29 14:25 0000
The feedkeys() and writefile() functions are allowed in the sandbox, which allows a
malicious file to run arbitrary commands in a modeline-enabled vim, like:
  vim: fdm=expr fde=feedkeys("\\:!touch\ phantom_was_here\\<cr>")
  vim: fdm=expr fde=writefile([""],"phantom_was_here")

These problems have been fixed with patch-7.0.234[1] and patch-7.0.235[2].
A temporary solution is to 'set nomodeline' in vimrc which Gentoo already has
by default.
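
Added example (not from the bug report or the Vim project): a Python scanner that flags files whose modelines set an expression-evaluated option, as the two modelines above do through fde. It goes beyond the reported case by also covering the other options Vim evaluates in the sandbox; scan_modelines, EXPR_OPTIONS and the sample text are names and data made up for this example.

```python
import re

# Options whose value Vim evaluates as an expression (inside the sandbox when
# set from a modeline), with their short names.
EXPR_OPTIONS = {
    "foldexpr", "fde", "foldtext", "fdt", "formatexpr", "fex",
    "includeexpr", "inex", "indentexpr", "inde", "statusline", "stl",
}
# The two functions this bug report names as allowed in the sandbox.
REPORTED_CALLS = ("feedkeys", "writefile")

# Simplified modeline matcher: "vi:", "vim:", "Vim:" or "ex:" at line start
# or after whitespace; everything after it is treated as the option list.
MODELINE_RE = re.compile(r"(?:^|\s)(?:vi|vim|Vim|ex):\s*(?P<body>.*)$")
ASSIGN_RE = re.compile(r"(?<![A-Za-z])(?P<name>[a-z]+)=")

def scan_modelines(text, window=5):
    """Flag modelines that set an expression option.

    Only the first and last `window` lines are checked, mirroring Vim's
    default 'modelines' value of 5.
    """
    lines = text.splitlines()
    n = len(lines)
    checked = sorted(set(range(min(window, n))) | set(range(max(n - window, 0), n)))
    findings = []
    for idx in checked:
        m = MODELINE_RE.search(lines[idx])
        if not m:
            continue
        body = m.group("body")
        names = {a.group("name") for a in ASSIGN_RE.finditer(body)}
        options = sorted(names & EXPR_OPTIONS)
        if options:
            calls = [c for c in REPORTED_CALLS if c + "(" in body]
            findings.append({"line": idx + 1, "options": options, "calls": calls})
    return findings

# Constructed sample: a harmless modeline near the top, an expression modeline
# outside the 5-line window, and the writefile() modeline from the report last.
SAMPLE = "\n".join(
    ["constructed sample file", "# vim: set ts=4 sw=4 et:"] + ["text"] * 3
    + [' vim: fde=feedkeys("PLACEHOLDER")'] + ["text"] * 5
    + [' vim: fdm=expr fde=writefile([""],"phantom_was_here")']
)

if __name__ == "__main__":
    for finding in scan_modelines(SAMPLE):
        print(finding)
```

A hit on a file from an untrusted source is a reason to open it with modelines disabled ('set nomodeline'), the workaround the report gives.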

------- Comment #1 From Ali Polatel (RETIRED) 2007-04-29 14:26:24 0000 -------
 oh and..
 [1] ftp://ftp.vim.org/pub/vim/patches/7.0/7.0.234
 [2] ftp://ftp.vim.org/pub/vim/patches/7.0/7.0.235
 sorry..

------- Comment #2 From Ali Polatel (RETIRED) 2007-04-29 21:39:22 0000 -------
Created an attachment (id=117677)
vim-7.0.235.ebuild

I think bumping vim to version 7.0.235 is a good idea. I've created a snapshot
of vim patches the way Gentoo packages them. It's under
http://hawking.nonlogic.org/distfiles/vim-patches-7.0.235.tar.gz
I'm attaching updated ebuilds; basically only their names and SRC_URI are
changed.

------- Comment #3 From Ali Polatel (RETIRED) 2007-04-29 22:47:45 0000 -------
Created an attachment (id=117686)
vim-core-7.0.235.ebuild

------- Comment #4 From Ali Polatel (RETIRED) 2007-04-29 22:48:46 0000 -------
Created an attachment (id=117688)
gvim-7.0.235.ebuild

------- Comment #5 From Sune Kloppenborg Jeppesen 2007-04-30 12:31:54 0000 -------
vim please advise and bump as necessary.

------- Comment #6 From Sune Kloppenborg Jeppesen 2007-04-30 12:34:42 0000 -------
*** Bug 176477 has been marked as a duplicate of this bug. ***

------- Comment #7 From Mike Kelly (RETIRED) 2007-04-30 14:27:25 0000 -------
7.0.235 is already in the tree, though currently it is not keyworded stable on
any arch. So, I guess the next step is to request keywording, correct?

------- Comment #8 From Sune Kloppenborg Jeppesen 2007-05-02 10:39:54 0000 -------
Sorry for being late, I must have forgotten to commit the last one a few days ago.

Arches please test and mark stable. Target keywords are:

vim-7.0.235.ebuild:KEYWORDS="alpha amd64 arm hppa ia64 m68k mips ppc ppc64 s390
sh sparc ~sparc-fbsd x86 ~x86 ~x86-fbsd"

------- Comment #9 From Raúl Porcel 2007-05-02 11:25:07 0000 -------
ia64 + x86 stable

------- Comment #10 From Sune Kloppenborg Jeppesen 2007-05-02 11:44:53 0000 -------
armin76 just mentioned that gvim needs to go stable as well.

gvim-7.0.235.ebuild:KEYWORDS="alpha amd64 hppa ia64 mips ppc ~ppc64 sparc x86
~x86-fbsd"

------- Comment #11 From Ferris McCormick 2007-05-02 12:47:49 0000 -------
sparc all done for vim-core, [g]vim.

------- Comment #12 From Bryan Østergaard (RETIRED) 2007-05-02 13:52:55 0000 -------
Alpha done.

------- Comment #13 From Mike Kelly (RETIRED) 2007-05-02 14:16:25 0000 -------
app-editors/gvim needs to be marked stable at the same time or there'll be
issues for folks who have both vim and gvim installed.

------- Comment #14 From Mike Kelly (RETIRED) 2007-05-02 14:17:41 0000 -------
Oops, sorry, just was going from old emails when I sent that. Ignore me...

------- Comment #15 From Jeroen Roovers 2007-05-02 16:15:39 0000 -------
Stable for HPPA.

------- Comment #16 From Markus Rothe 2007-05-02 16:33:01 0000 -------
ppc64 stable

------- Comment #17 From Tobias Scherbaum 2007-05-03 18:46:21 0000 -------
ppc stable

------- Comment #18 From Daniel Gryniewicz 2007-05-04 20:13:39 0000 -------
amd64 done.

------- Comment #19 From Jeroen Roovers 2007-05-05 02:37:23 0000 -------
*** Bug 168008 has been marked as a duplicate of this bug. ***

------- Comment #20 From Sune Kloppenborg Jeppesen 2007-05-05 06:22:44 0000 -------
This one is ready for GLSA decision. I tend to vote NO.

------- Comment #21 From Pierre-Yves Rofes 2007-05-08 10:38:32 0000 -------
I vote NO as it seems that Gentoo default install protects against this.

------- Comment #22 From Mike Kelly (RETIRED) 2007-05-08 11:51:32 0000 -------
I'd also vote no, but I'd like a way to let users know about a more secure
replacement for vim's builtin modeline support that was just added to the tree
-- app-vim/securemodelines. I'd recommend that users disable modelines if they
have enabled them locally, and install that script instead.

Is that something more appropriate for a GWN article or something?

------- Comment #23 From Sune Kloppenborg Jeppesen 2007-05-08 13:50:53 0000 -------
I'd say GWN + enote.

------- Comment #24 From Raphael Marichez 2007-05-08 18:06:36 0000 -------
I vote no too since it's not the default config, and since modeline is known to
be dangerous in some cases. OK for GWN.

Mike, I close this bug but feel free to reopen it if this is useful to you.

------- Comment #25 From Joshua Kinard 2007-05-13 06:38:17 0000 -------
All three stable on mips for 7.0.235.
