Bug 257007 (CVE-2009-0316) - <app-editors/vim-7.2.182 Untrusted search path vulnerability (CVE-2009-0316)
Summary: <app-editors/vim-7.2.182 Untrusted search path vulnerability (CVE-2009-0316)
Status: RESOLVED FIXED
Alias: CVE-2009-0316
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B3 [noglsa]
Keywords:
Depends on: CVE-2008-5983
Blocks:
Reported: 2009-01-30 22:52 UTC by Stefan Behte (RETIRED)
Modified: 2014-05-31 19:55 UTC (History)
Description Stefan Behte (RETIRED) gentoo-dev Security 2009-01-30 22:52:32 UTC
CVE-2009-0316 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0316):
  Untrusted search path vulnerability in the Python module in vim
  allows local users to execute arbitrary code via a Trojan horse
  Python file in the current working directory, related to a
  vulnerability in the PySys_SetArgv function (CVE-2008-5983).
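The mechanism behind the CVE text above, as an added illustration that is not part of this bug report and not vim's or CPython's own code: an embedding host that calls PySys_SetArgv() with an empty argv[0] ends up with '' (the current working directory) as sys.path[0], so any module the host or one of its plugins imports is first looked up in whatever directory the user happened to start the editor from. The module name `editor_helper`, the directory layout and the two module bodies are constructed for the demo; the `harden_search_path` helper is a generic mitigation (strip the cwd entries from sys.path, or use PySys_SetArgvEx() with updatepath=0 on Python versions that have it) and is not claimed to be what vim patch 7.2.045 does.

```python
import importlib
import os
import sys
import tempfile

# Hypothetical module name shared by the trusted copy and the Trojan copy.
MODULE_NAME = "editor_helper"


def build_fixture(root):
    """Constructed demo layout under `root`:
      root/trusted/editor_helper.py   -- the module the host really wants
      root/attacker/editor_helper.py  -- the Trojan horse dropped into a
                                          directory the victim runs the editor in
    Returns (trusted_dir, attacker_dir)."""
    trusted = os.path.join(root, "trusted")
    attacker = os.path.join(root, "attacker")
    os.makedirs(trusted)
    os.makedirs(attacker)
    with open(os.path.join(trusted, MODULE_NAME + ".py"), "w") as f:
        f.write('ORIGIN = "trusted"\n')
    with open(os.path.join(attacker, MODULE_NAME + ".py"), "w") as f:
        # A real Trojan would run arbitrary code at import time with the
        # privileges of the user who launched the editor; this one only
        # records where it was loaded from.
        f.write('ORIGIN = "trojan"\n')
    return trusted, attacker


def harden_search_path(path):
    """Generic mitigation (assumption, not vim's exact patch): drop every entry
    that means 'current working directory' ('' and '.') so imports can never
    resolve against a directory the user merely happens to be in."""
    return [p for p in path if p not in ("", ".")]


def import_origin(search_path, cwd):
    """Import MODULE_NAME with `search_path` as sys.path while running in `cwd`
    and report which copy was loaded. Restores sys.path, cwd and sys.modules."""
    saved_path, saved_cwd = list(sys.path), os.getcwd()
    sys.modules.pop(MODULE_NAME, None)
    try:
        os.chdir(cwd)
        sys.path[:] = search_path
        importlib.invalidate_caches()
        return importlib.import_module(MODULE_NAME).ORIGIN
    finally:
        sys.modules.pop(MODULE_NAME, None)
        sys.path[:] = saved_path
        os.chdir(saved_cwd)


def demo():
    """Returns (origin with the vulnerable path, origin with the hardened path)."""
    with tempfile.TemporaryDirectory() as root:
        trusted, attacker = build_fixture(root)
        # What PySys_SetArgv() leaves behind when the host passes argv[0] == "":
        # the empty string, i.e. the cwd, ahead of every legitimate entry.
        vulnerable = ["", trusted]
        hardened = harden_search_path(vulnerable)
        return (import_origin(vulnerable, attacker),
                import_origin(hardened, attacker))


if __name__ == "__main__":
    vuln, safe = demo()
    print("with '' on sys.path :", vuln)   # trojan
    print("after hardening     :", safe)   # trusted
```

Running the script from any directory shows the same two lines: with '' at the head of sys.path the copy in the attacker-controlled working directory wins over the trusted one, and after stripping the cwd entries the trusted copy is loaded. The check a practitioner wants against a real host is the same: start the embedding program in a scratch directory and inspect `sys.path[0]` from its Python interface; an empty string or '.' there means the host is still exposed.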
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2009-01-30 23:40:58 UTC
I am not sure whether this bug is being tracked upstream. Please see the blocker for details and a patch example.
Comment 2 Jim Ramsay (lack) (RETIRED) gentoo-dev 2009-02-23 17:38:58 UTC
This is patched by 7.2.045, and vim-7.2.108 which contains said patch is in the tree.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2009-07-10 13:23:28 UTC
Jim, do you ACK =app-editors/vim-7.2.182 for stabling?
Comment 4 Jim Ramsay (lack) (RETIRED) gentoo-dev 2009-07-14 15:51:35 UTC
I do indeed ACK, thanks.

Sorry for the late response :)
Comment 5 Stefan Behte (RETIRED) gentoo-dev Security 2009-07-14 21:59:45 UTC
Arches, please test and mark stable:
=app-editors/vim-7.2.182
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 6 Ferris McCormick (RETIRED) gentoo-dev 2009-07-14 22:50:31 UTC
What about gvim-7.2.182 & vim-core-7.2.182?  For example, vim-7.2.182 depends on vim-core-7.2.182, and normally those three all go together.  I suppose this is really a request for all of them at once, but I'll wait for your response before doing so (I have been using these pretty heavily on sparc for a couple months, so marking them stable is not a problem).
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2009-07-14 22:59:39 UTC
You are right. The whole pack, as usual:

=app-editors/vim-7.2.182
=app-editors/vim-core-7.2.182
Target keywords :"alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"

=app-editors/gvim-7.2.182
Target keywords :"alpha amd64 hppa ia64 ppc ppc64 sparc x86"
Comment 8 Ferris McCormick (RETIRED) gentoo-dev 2009-07-14 23:41:25 UTC
Thanks.  Sparc stable for [g]vim[-core]-7.2.182.
Comment 9 Christian Faulhammer (RETIRED) gentoo-dev 2009-07-15 13:09:25 UTC
x86 stable
Comment 10 Raúl Porcel (RETIRED) gentoo-dev 2009-07-15 14:11:10 UTC
alpha/arm/ia64/m68k/s390/sh stable
Comment 11 Jeroen Roovers (RETIRED) gentoo-dev 2009-07-15 14:20:07 UTC
Stable for HPPA.
Comment 12 nixnut (RETIRED) gentoo-dev 2009-07-19 16:53:55 UTC
ppc stable
Comment 13 Jeremy Olexa (darkside) (RETIRED) archtester gentoo-dev Security 2009-07-22 04:48:38 UTC
amd64 stable for those packages in comment #7
Comment 14 Brent Baude (RETIRED) gentoo-dev 2009-07-26 12:33:55 UTC
ppc64 done
Comment 15 Tobias Heinlein (RETIRED) gentoo-dev 2009-08-01 12:43:53 UTC
Ready for vote, I vote YES.
Comment 16 Stefan Behte (RETIRED) gentoo-dev Security 2009-08-08 22:26:53 UTC
Yes, too. Will be added to the pending vim GLSA.
Comment 17 Sean Amoss (RETIRED) gentoo-dev Security 2014-05-31 19:55:26 UTC
This issue has been fixed since Jul 26, 2009. No GLSA will be issued.