Home | Docs | Forums | Lists | Bugs | Planet | Store | GMN | Get Gentoo!
View Bug Activity | Format For Printing | XML | Clone This Bug
CVE-2008-4101 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4101): Vim 3.0 through 7.x before 7.2.010 does not properly escape characters, which allows user-assisted attackers to (1) execute arbitrary shell commands by entering a K keystroke on a line that contains a ";" (semicolon) followed by a command, or execute arbitrary Ex commands by entering an argument after a (2) "Ctrl-]" (control close-square-bracket) or (3) "g]" (g close-square-bracket) keystroke sequence, a different issue than CVE-2008-2712.
I am not able to reproduce this issue, vim herd?
Steps to reproduce: Open a new file in vim. Type in http://www.google.co.uk/search?q=&xclock&. Press V (capital), thereby selecting the whole line in visual mode. Press K (capital), thereby looking up the selection. As a result, xclock is launched.
{gvim,vim,vim-core}-7.2.021 are in CVS.
Given that I'm running 7.2.021 and am still able to reproduce it as described in comment #2, I assume not all issues are fixed?
(In reply to comment #4) > Given that I'm running 7.2.021 and am still able to reproduce it as described > in comment #2, I assume not all issues are fixed? > That doesn't surprise me much. There might be something I'm missing about the way vim is built in gentoo, but it looks like the fix (patch 7.2.010) is never applied. Not only because I can't seem to find it anywhere among the patches that actually are applied, but also because I can happily cd to $S and apply the patch myself.
