hi guys, please attach a fixed ebuild to this bug. Do not commit anything before the disclosure date, thanks.

Vulnerability details:
----------------------
A format string error in the "helptags_one()" function in src/ex_cmds.c when running the "helptags" command can be exploited to execute arbitrary code via specially crafted help files.

The "helptags" command creates a tag file from tags surrounded by asterisks in help files, and the part of the code that handles tags starting with the string "help-tags" is incorrect, leading to this vulnerability.

The offending code in src/ex_cmds.c looks like this, starting from line 6353:

    s = ((char_u **)ga.ga_data)[i];
    if (STRNCMP(s, "help-tags", 9) == 0)
        /* help-tags entry was added in formatted form */
        fprintf(fd_tags, (char *)s);

Successful exploitation requires that the user is tricked into running "helptags" on malicious data.

The vulnerability is confirmed in versions 6.4 and 7.1, as well as the version included in Fedora Core 6. Other versions may also be affected.

Proof of Concept:
-----------------
Here is a simple PoC:

    $ mkdir secunia
    $ echo '*help-tags%.1111111111u%x%x%x%x%x%x%x%x%n*' > secunia/help.txt
    $ vim -c 'helptags secunia/'

or

    $ vim
    :helptags secunia/

Closing comments:
-----------------
We have assigned this vulnerability Secunia advisory SA25941 and the CVE identifier CVE-2007-2953.

Credits should go to: Ulf Harnhammar, Secunia Research.
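The bug in the advisory comes down to a single call, fprintf(fd_tags, (char *)s), where text read from the help file becomes the format string, so the %x conversions in the PoC read stack words and the trailing %n writes to memory. The C program below is an added example, not vim's code and not the patch attached to this bug. It scans an entry for the directives the PoC relies on (counting conversions, and flagging %n specifically), then writes the entry the way the fix does, with the format as a literal and the entry as an argument, and reads it back to confirm it is stored verbatim. The function names (count_format_directives, has_write_directive, write_tag_safe, write_and_read_back) and the two sample entries are constructed for this example; the second entry is the advisory's PoC line.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample help-tags entries (assumption: shaped like lines
 * helptags would emit, not taken from vim's sources). The second is the
 * advisory's PoC line. */
#define BENIGN_TAG    "help-tags\ttags\t1\n"
#define MALICIOUS_TAG "*help-tags%.1111111111u%x%x%x%x%x%x%x%x%n*\n"

/* Number of '%' characters fprintf would treat as conversions if the
 * string were passed as the format argument. "%%" is a literal percent
 * and does not count. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {          /* escaped percent: harmless */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

/* 1 if the entry contains a "%n" conversion, the one that turns a format
 * string bug from a stack read (%x) into a write to memory; 0 otherwise.
 * Flags, width, precision and length modifiers between '%' and the
 * conversion character are skipped, so "%.1111111111n" is caught too. */
int has_write_directive(const char *s)
{
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {
            p++;
            continue;
        }
        p++;
        while (*p && strchr("-+ #0123456789.*hlLqjzt", *p))
            p++;
        if (*p == 'n')
            return 1;
        if (!*p)
            break;                  /* string ended inside a directive */
    }
    return 0;
}

/* Vulnerable shape, shown for contrast only and never called here:
 *
 *     fprintf(fd_tags, (char *)s);      // s is the help file's text
 *
 * The fix is to make the untrusted entry an argument and the format a
 * literal. Returns the number of characters written, or a negative value
 * on error, exactly as fprintf does. fputs(s, fd) is equivalent. */
int write_tag_safe(FILE *fd, const char *s)
{
    return fprintf(fd, "%s", s);
}

/* Write an entry with write_tag_safe() into a temporary file and read it
 * back into out, so a caller can confirm it was stored verbatim, %n and
 * all. Returns the number of bytes read back, or -1 on error. */
long write_and_read_back(const char *s, char *out, size_t outsz)
{
    FILE *fd = tmpfile();
    if (fd == NULL)
        return -1;
    if (write_tag_safe(fd, s) < 0) {
        fclose(fd);
        return -1;
    }
    rewind(fd);
    size_t n = fread(out, 1, outsz - 1, fd);
    out[n] = '\0';
    fclose(fd);
    return (long)n;
}

int main(void)
{
    char buf[256];
    const char *entries[] = { BENIGN_TAG, MALICIOUS_TAG };
    for (size_t i = 0; i < 2; i++) {
        const char *e = entries[i];
        printf("entry %zu: %d directive(s), %%n present: %d\n",
               i, count_format_directives(e), has_write_directive(e));
        long n = write_and_read_back(e, buf, sizeof buf);
        printf("  written verbatim: %s\n",
               (n == (long)strlen(e) && strcmp(buf, e) == 0) ? "yes" : "no");
    }
    return 0;
}
```

The scanner is a review aid for spotting entries that would be dangerous under the old code, not a substitute for the fix: the safe writer stores the PoC line unchanged, which is the correct behaviour once the string is no longer used as a format.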
Created attachment 125263 [details, diff]
050_all_vim-7.1-format_str-fix.patch

Hi, all vim and gvim versions in the tree are affected by this. The versions that will need revbumping are 7.1.028, 7.0.235, 7.0.174 and 6.4. The other three versions - 7.1, 7.1-r1, 7.1.002 - can be removed from the tree as their keywords are shadowed by 7.1.028. The attached patch will go into the new versions of gentoo patches and ebuilds will be modified to use it instead of the old ones. I'm not attaching any ebuilds because the change is very trivial.

The patch contains another fix for the append_redir function in the same file which can be exploited in a similar way by crafting opt or fname. I guess this should be reported too.

I'm a new dev and very new in the vim herd so I'll appreciate any help and/or comments to my solution and patch ;)
Comment on attachment 125263 [details, diff]
050_all_vim-7.1-format_str-fix.patch

This is fixed with 7.1.039. I'm bumping vim, gvim and vim-core now.
*** Bug 186877 has been marked as a duplicate of this bug. ***
vim-7.1.042 fixes this one and needs to go stable along with vim-core-7.1.042 and gvim-7.1.042.
hey, arches please test vim-7.1.042, vim-core-7.1.042 and finally gvim-7.1.042 and mark as stable if it fits nicely into the rest, thanks. for the log: opening bug since it's public.
amd64 stable
x86 Stable

sure CONFIDENTIAL in topic is still accurate? ;)
All stable on sparc.
Stable for HPPA.
*** Bug 187299 has been marked as a duplicate of this bug. ***
(In reply to comment #7)
> x86 Stable

Nope, you need to do gvim as well.
*** Bug 187313 has been marked as a duplicate of this bug. ***
x86 stable finally
alpha/ia64 stable
Looks like ranger stabled this for ppc ...
ranger did ppc64, too.
ready for glsa decision. I vote YES.
I tend to vote no - this is a pretty obscure functionality and unlikely to be used on untrusted data.
I vote NO.
since I don't know vim very much (cause basically I'm an emacs user :) and wrt aetius' comment, finally changing my vote to NO and closing.