Bug 185677 - app-editors/vim(-core?): format string vulnerability (CVE-2007-2953)
Summary: app-editors/vim(-core?): format string vulnerability (CVE-2007-2953)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa]
Keywords:
Duplicates: 186877 187299 187313
Depends on:
Blocks:
 
Reported: 2007-07-17 17:22 UTC by Stefan Cornelius (RETIRED)
Modified: 2007-08-25 22:11 UTC
CC: 5 users

See Also:
Package list:
Runtime testing required: ---


Attachments
050_all_vim-7.1-format_str-fix.patch (652 bytes, patch)
2007-07-18 14:38 UTC, Ali Polatel (RETIRED)

Description Stefan Cornelius (RETIRED) gentoo-dev 2007-07-17 17:22:00 UTC
hi guys, please attach a fixed ebuild to this bug. Do not commit anything before the disclosure date, thanks.


Vulnerability details:
----------------------

A format string error in the "helptags_one()" function in src/ex_cmds.c
when running the "helptags" command can be exploited to execute
arbitrary code via specially crafted help files. The "helptags" command
creates a tag file from tags surrounded by asterisks in help files, and
the part of the code that handles tags starting with the string
"help-tags" is incorrect, leading to this vulnerability.

The offending code in src/ex_cmds.c looks like this, starting from line
6353:

            s = ((char_u **)ga.ga_data)[i];
            if (STRNCMP(s, "help-tags", 9) == 0)
                /* help-tags entry was added in formatted form */
                fprintf(fd_tags, (char *)s);

Successful exploitation requires that the user is tricked into running
"helptags" on malicious data.

The vulnerability is confirmed in versions 6.4 and 7.1, as well as the
version included in Fedora Core 6. Other versions may also be affected.


Proof of Concept:
-----------------

Here is a simple PoC:

$ mkdir secunia
$ echo '*help-tags%.1111111111u%x%x%x%x%x%x%x%x%n*' > secunia/help.txt
$ vim -c 'helptags secunia/'
or
$ vim
:helptags secunia/


Closing comments:
-----------------

We have assigned this vulnerability Secunia advisory SA25941 and the CVE
identifier CVE-2007-2953.

Credits should go to:
Ulf Harnhammar, Secunia Research.
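The following is an added example, not vim's code and not the attached Gentoo patch. It puts the call quoted above (user data used directly as the fprintf format) beside the hardened form (constant format, tag passed as a "%s" argument), and adds a small check that counts printf conversion directives in a help-tags line, which is what a reviewer or a regression test would want to run over files fed to "helptags". The function names, the tmpfile()-based renderer and the sample tag lines are assumptions made for the example; the sample lines are constructed here, not taken from a real help file.

```c
/* Added example: vulnerable pattern from helptags_one() vs. hardened form,
 * plus a directive-counting check. Not vim's code; names are hypothetical. */
#include <stdio.h>
#include <string.h>

/* Count printf conversion directives in s: every '%' that is not
 * immediately followed by another '%' ("%%" is the literal-percent
 * escape). Any user-supplied tag with a non-zero count would be
 * interpreted by the original fprintf(fd_tags, (char *)s) call. */
size_t count_format_directives(const char *s)
{
    size_t n = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* "%%": literal percent, skip both */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/* Original (vulnerable) call, quoted for contrast and never executed here:
 *     fprintf(fd_tags, (char *)s);
 * Hardened form: the format string is a constant and s is an argument,
 * so '%' sequences inside s are written out literally. */
int write_help_tag_line(FILE *fd, const char *s)
{
    return fprintf(fd, "%s\n", s);
}

/* Run write_help_tag_line() against a temporary file and copy what was
 * written into out (NUL-terminated) so the result can be inspected.
 * Returns the number of bytes copied, or -1 on error. */
long render_help_tag_line(const char *s, char *out, size_t outsz)
{
    FILE *fd = tmpfile();
    if (fd == NULL)
        return -1;
    if (write_help_tag_line(fd, s) < 0) {
        fclose(fd);
        return -1;
    }
    rewind(fd);
    size_t got = fread(out, 1, outsz - 1, fd);
    out[got] = '\0';
    fclose(fd);
    return (long)got;
}

int main(void)
{
    /* Constructed sample lines: one shaped like a hostile help-tags
     * entry (conversion directives inside the tag), one benign. */
    const char *hostile = "help-tags\t%.1111111111u%x%n\t1";
    const char *benign  = "help-tags\ttags\t1";
    char buf[256];

    printf("directives in hostile tag: %zu\n", count_format_directives(hostile));
    printf("directives in benign tag:  %zu\n", count_format_directives(benign));

    /* With the hardened writer the '%' sequences come out unchanged. */
    if (render_help_tag_line(hostile, buf, sizeof buf) >= 0)
        printf("written literally: %s", buf);
    return 0;
}
```

The fix that shipped in vim 7.1.039 is the same shape as write_help_tag_line(): keep the format string constant and pass the tag as data. The count_format_directives() check is only a diagnostic; it is not a substitute for that fix, since rejecting '%' in tags would still leave any other caller that reuses the string as a format exposed.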
Comment 1 Ali Polatel (RETIRED) gentoo-dev 2007-07-18 14:38:47 UTC
Created attachment 125263
050_all_vim-7.1-format_str-fix.patch

Hi, all vim and gvim versions in the tree are affected by this. The versions that will need revbumping are 7.1.028, 7.0.235, 7.0.174 and 6.4. The other three versions - 7.1, 7.1-r1, 7.1.002 - can be removed from the tree as their keywords are shadowed by 7.1.028.
The attached patch will go into the new versions of gentoo patches and ebuilds will be modified to use it instead of the old ones. I'm not attaching any ebuilds because the change is very trivial.
The patch contains another fix for the append_redir function in the same file which can be exploited in a similar way by crafting opt or fname. I guess this should be reported too.
I'm a new dev and very new in the vim herd so I'll appreciate any help and/or comments to my solution and patch ;)
Comment 2 Ali Polatel (RETIRED) gentoo-dev 2007-07-27 21:40:03 UTC
Comment on attachment 125263
050_all_vim-7.1-format_str-fix.patch

This is fixed with 7.1.039. I'm bumping vim,gvim and vim-core now.
Comment 3 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-07-29 21:28:26 UTC
*** Bug 186877 has been marked as a duplicate of this bug. ***
Comment 4 Ali Polatel (RETIRED) gentoo-dev 2007-07-30 23:24:46 UTC
vim-7.1.042 fixes this one and needs to go stable along with vim-core-7.1.042 and gvim-7.1.042.
Comment 5 Stefan Cornelius (RETIRED) gentoo-dev 2007-07-31 18:53:12 UTC
hey, arches please test vim-7.1.042, vim-core-7.1.042 and finally gvim-7.1.042 and mark as stable if it fits nicely into the rest, thanks.

for the log: opening bug since it's public.
Comment 6 Christoph Mende (RETIRED) gentoo-dev 2007-07-31 19:28:20 UTC
amd64 stable
Comment 7 Markus Ullmann (RETIRED) gentoo-dev 2007-07-31 19:33:46 UTC
x86 Stable

sure CONFIDENTIAL in topic is still accurate? ;)
Comment 8 Ferris McCormick (RETIRED) gentoo-dev 2007-07-31 19:50:26 UTC
All stable on sparc.
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2007-07-31 20:38:58 UTC
Stable for HPPA.
Comment 10 Jakub Moc (RETIRED) gentoo-dev 2007-07-31 22:44:51 UTC
*** Bug 187299 has been marked as a duplicate of this bug. ***
Comment 11 Jakub Moc (RETIRED) gentoo-dev 2007-07-31 22:45:24 UTC
(In reply to comment #7)
> x86 Stable

Nope, you need to do gvim as well.
Comment 12 Christian Faulhammer (RETIRED) gentoo-dev 2007-08-01 05:58:51 UTC
*** Bug 187313 has been marked as a duplicate of this bug. ***
Comment 13 Christian Faulhammer (RETIRED) gentoo-dev 2007-08-01 06:38:46 UTC
x86 stable finally
Comment 14 Raúl Porcel (RETIRED) gentoo-dev 2007-08-01 12:03:05 UTC
alpha/ia64 stable
Comment 15 Tobias Scherbaum (RETIRED) gentoo-dev 2007-08-01 19:32:01 UTC
Looks like ranger stabled this for ppc ...
Comment 16 Markus Rothe (RETIRED) gentoo-dev 2007-08-01 19:35:48 UTC
ranger did ppc64, too.
Comment 17 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-08-01 19:49:59 UTC
ready for glsa decision. I vote YES.
Comment 18 Matt Drew (RETIRED) gentoo-dev 2007-08-05 10:36:47 UTC
I tend to vote no - this is a pretty obscure functionality and unlikely to be used on untrusted data.
Comment 19 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-08-11 06:45:59 UTC
I vote NO.
Comment 20 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-08-23 09:10:52 UTC
since I don't know vim very much (cause basically I'm an emacs user :) and wrt aetius' comment, finally changing my vote to NO and closing.