Bug#: 14088
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Daniel Ahlberg (RETIRED) <aliz@gentoo.org>

Attachments:
vimpatch-1-299.tar.bz2 (application/x-tbz, 213.91 KB), added by Daniel Ahlberg (RETIRED), 2003-01-21 06:51 0000


Description:   Opened: 2003-01-17 04:38 0000
Georgi Guninski security advisory #59, 2002 
  
 Some vim problems, yet still vim much better than windows 
  
 Systems affected: 
 probably default install of vim6.0/6.1 on real OSes, windows may also be  
 affected, have not tested personally 
 Debian 3.0 & Redhat 8.0 confirmed vulnerable 
 According to Solar Designer: 
 How about a "not vulnerable", for Openwall GNU/*/Linux? :-)  
  
  
 Risk: medium 
 Date: 12 December 2002 
  
 Legal Notice: 
 This Advisory is Copyright (c) 2002 Georgi Guninski. 
 You may distribute it unmodified. 
 You may not modify it and distribute it or distribute parts 
 of it without the author's written permission - this especially applies to 
 so called "vulnerabilities databases" and securityfocus, microsoft, cert 
 and mitre. 
 If you want to link to this content use the URL: 
 http://www.guninski.com/vim1.html 
 Anything in this document may change without notice. 
  
 Disclaimer: 
 The information in this advisory is believed to be true though 
 it may be false. 
 The opinions expressed in this advisory and program are my own and 
 not of any company. The usual standard disclaimer applies, 
 especially the fact that Georgi Guninski is not liable for any damages 
 caused by direct or  indirect use of the information or functionality 
 provided by this advisory or program. Georgi Guninski bears no 
 responsibility for content or misuse of this advisory or program or 
 any derivatives thereof. 
  
 Description: 
 Opening a specially crafted text file with vim can execute arbitrary shell 
 commands and pass parameters to them. 
 Some exploit scenarios include mail user agents which use vim as editor 
 (mutt) or examining log files with vim. The malicious text should be near 
 the beginning or the end of the file, which mitigates the risk. 
  
 Details: 
 The problem is so-called modelines, which can execute some commands in 
 vim, though they are intended to be sandboxed. 
  
 Consider the following file (may be wrapped): 
  
 
------------------------ 
 /* vim:set foldmethod=expr: */ 
 /* vim:set foldexpr=confirm(libcall("/lib/libc.so.6","system","/bin/ls"),"ms_sux"): */ 
  
 vim better than windoze 
  
  
 ------------------------ 
  
 
 Workaround/Solution: 
 Put the following in your ~/.vimrc or better in a system wide config file: 
  
 set modelines=0 
  
 It disables modelines without breaking significant functionality - there is 
 no compatibility in this stuff between vim and emacs anyway. 
  
 Even when/if vim is fixed, I strongly recommend keeping this solution to 
 prevent from similar exploits in the future. Scripting sux - check windows 
 history. 
  
 Emacs addicts are recommended to disable local variables which may pose 
 similar threat by putting the following in ~/.emacs 
  
 ;; disable local variables 
 (setq enable-local-variables nil) 
  
  
 Vendor status: 
 vim.org and some vendors were notified on Mon, 25 Nov 2002 
  
 Quote: 
 "Daddy, why are we hiding?" 
 "We use vi, son.  They use emacs." 
  
 Anyway, this was written in vim :) 
  
 Regards, 
 Georgi Guninski 
 http://www.guninski.com 
  
 :wq
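The check a practitioner would want alongside this advisory is a way to find files that carry a modeline of the kind shown above before an editor with modelines enabled opens them. The scanner below is an added example; it is not code from the advisory, from vim, or from Gentoo. It reproduces only the two facts about vim's modeline handling that matter here: vim inspects just the first and last 'modelines' lines of a file (default 5, which is why the advisory says the payload must sit near the beginning or the end), and it accepts both the "vim: opt=val opt2" and the "vim: set opt=val ...:" syntaxes. The option denylist (EXPR_OPTIONS), the list of suspicious function names, and the sample files (the advisory's file verbatim, a benign file, and the same payload buried mid-file) are this example's own constructions.

```python
"""Heuristic scanner for vim modelines that set an expression-valued option
such as 'foldexpr' from the file itself (the pattern in Guninski's advisory).

Added example, not code from the advisory, vim or Gentoo. Only the part of
vim's modeline search that matters here is mirrored: the first and last
'modelines' lines are examined, and both modeline syntaxes are recognised.
The option denylist and the suspicious-call list are this example's choices.
"""
import re
from typing import List, NamedTuple, Tuple

# Start of a modeline: "vi:", "vim:", "Vim:", "ex:" (optionally "vim<700:" etc.),
# preceded by start-of-line or white space, as vim requires.
MODELINE_RE = re.compile(r"(?:^|\s)(?:vi|vim|Vim|ex)(?:[<>=]?\d+)?:\s*(.*)$")
# Second syntax: "se[t] <options>:" with the option list ending at the next ':'.
SET_RE = re.compile(r"^(?:se|set)\s+(.*?):")

# Options whose value vim evaluates as an expression (denylist chosen for this
# example; 'foldexpr' is the one the advisory abuses).
EXPR_OPTIONS = {
    "foldexpr", "fde", "foldtext", "fdt", "includeexpr", "inex",
    "indentexpr", "inde", "formatexpr", "fex", "statusline", "stl",
    "tabline", "tal", "titlestring", "rulerformat", "ruf",
}
# Function names that have no business inside a modeline value.
SUSPICIOUS_CALL_RE = re.compile(r"\b(libcall|libcallnr|system|execute|eval)\s*\(")


class Finding(NamedTuple):
    lineno: int                 # 1-based line number in the file
    option: str
    value: str
    reasons: Tuple[str, ...]


def parse_modeline(line: str) -> List[Tuple[str, str]]:
    """Return the (option, value) pairs of the modeline on this line, or []."""
    m = MODELINE_RE.search(line)
    if not m:
        return []
    rest = m.group(1)
    setm = SET_RE.match(rest)
    if setm:
        parts = setm.group(1).split()                        # "set ...:" form
    else:
        parts = [p for p in re.split(r"[\s:]+", rest) if p]  # plain form
    pairs = []
    for part in parts:
        opt, _, val = part.partition("=")
        pairs.append((opt, val))
    return pairs


def classify(opt: str, val: str) -> Tuple[str, ...]:
    """Why an option=value pair from a modeline deserves a look (empty if not)."""
    reasons = []
    if opt in EXPR_OPTIONS:
        reasons.append("expression-valued option set from a modeline")
    if opt in ("foldmethod", "fdm") and val == "expr":
        reasons.append("enables evaluation of 'foldexpr'")
    call = SUSPICIOUS_CALL_RE.search(val)
    if call:
        reasons.append("value calls %s()" % call.group(1))
    return tuple(reasons)


def scan_text(text: str, modelines: int = 5) -> List[Finding]:
    """Scan only the lines vim would read: the first and last 'modelines' lines.

    modelines=0 mirrors the advisory's workaround ('set modelines=0'): vim
    never looks, so there is nothing to flag.
    """
    if modelines <= 0:
        return []
    lines = text.splitlines()
    n = len(lines)
    head = set(range(min(modelines, n)))
    tail = set(range(max(n - modelines, 0), n))
    findings = []
    for i in sorted(head | tail):
        for opt, val in parse_modeline(lines[i]):
            reasons = classify(opt, val)
            if reasons:
                findings.append(Finding(i + 1, opt, val, reasons))
    return findings


# Constructed sample: the file from the advisory, verbatim.
ADVISORY_FILE = (
    "/* vim:set foldmethod=expr: */\n"
    '/* vim:set foldexpr=confirm(libcall("/lib/libc.so.6","system","/bin/ls"),"ms_sux"): */\n'
    "\n"
    "vim better than windoze\n"
)
# Constructed benign file with an ordinary modeline.
BENIGN_FILE = "# vim: ts=4 sw=4 et\nprint('hello')\n"
# Constructed file with the same payload buried in the middle (lines 7-10 of 16),
# outside the default modelines=5 window at either end.
_FILLER = "\n".join("text %d" % i for i in range(6)) + "\n"
BURIED_FILE = _FILLER + ADVISORY_FILE + _FILLER

if __name__ == "__main__":
    for name, text in (("advisory", ADVISORY_FILE), ("benign", BENIGN_FILE), ("buried", BURIED_FILE)):
        for f in scan_text(text):
            print("%s:%d %s=%s  (%s)" % (name, f.lineno, f.option, f.value, "; ".join(f.reasons)))
```

Run as a script it reports both modeline lines of the advisory's file and nothing for the other two samples; passing modelines=8 to scan_text makes the buried copy visible again, which is the window-size point the advisory makes. Because the first syntax treats a bare ":" as a separator, a line such as "for ex: see below" is also a modeline to vim and to this scanner, which is one more reason the advisory's "set modelines=0" is the simpler fix.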

------- Comment #1 From Daniel Ahlberg (RETIRED) 2003-01-21 04:51:24 0000 -------
Ryan, Would it be safe to create a new vimpatch-1-300.tar.bz2 with all patches 
except for Win32 patches and make a new revision based on the latest vim* 
ebuilds? 
 
The single patch to fix this is 265. 

------- Comment #2 From Daniel Ahlberg (RETIRED) 2003-01-21 06:51:40 0000 -------
Created an attachment (id=7500) [details]
vimpatch-1-299.tar.bz2

Set of patches that applies to vim-core, vim and gvim

------- Comment #3 From Ryan Phillips (RETIRED) 2003-01-21 12:08:46 0000 -------
I added patches 1-300 to portage and tweaked the default vimrc and gvimrc files
to include the modelines=0.

------- Comment #4 From Ryan Phillips (RETIRED) 2003-01-21 12:10:19 0000 -------
This bug should be fixed... Should a GLSA be written up?

------- Comment #5 From Phil Richards 2003-01-21 14:13:05 0000 -------
Hmm, well, the portage tree and ebuild have been updated (2003-01-21 20:08 UTC),
but that introduces a slight problem when the new patch doesn't appear to exist
in either portage or on the ftp servers...

phil

derisoft root # emerge -u --deep vim gvim
Calculating dependencies ...done!
>>> emerge (1 of 3) app-editors/vim-core-6.1-r4 to /
>>> Downloading
http://www.ibiblio.org/pub/Linux/distributions/gentoo/distfiles/vimpatch-1-300.tar.bz2
--19:51:52--  http://www.ibiblio.org/pub/Linux/distributions/gentoo/distfiles/vimpatch-1-300.tar.bz2
           => `/usr/portage/distfiles/vimpatch-1-300.tar.bz2'
Resolving www.ibiblio.org... done.
Connecting to www.ibiblio.org[152.2.210.81]:80... connected.
HTTP request sent, awaiting response... 404 Not Found
19:51:52 ERROR 404: Not Found.

>>> Downloading http://www.ibiblio.org/gentoo/distfiles/vimpatch-1-300.tar.bz2
--19:51:52--  http://www.ibiblio.org/gentoo/distfiles/vimpatch-1-300.tar.bz2
           => `/usr/portage/distfiles/vimpatch-1-300.tar.bz2'
Resolving www.ibiblio.org... done.
Connecting to www.ibiblio.org[152.2.210.81]:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://www.ibiblio.org/pub/Linux/distributions/gentoo/distfiles/vimpatch-1-300.tar.bz2 [following]
--19:51:52--  http://www.ibiblio.org/pub/Linux/distributions/gentoo/distfiles/vimpatch-1-300.tar.bz2
           => `/usr/portage/distfiles/vimpatch-1-300.tar.bz2'
Connecting to www.ibiblio.org[152.2.210.81]:80... connected.
HTTP request sent, awaiting response... 404 Not Found
19:51:53 ERROR 404: Not Found.

!!! Couldn't download vimpatch-1-300.tar.bz2. Aborting.

------- Comment #6 From Ryan Phillips (RETIRED) 2003-01-21 15:19:47 0000 -------
true.... It hadn't been mirrored yet... Appears to be there now.

------- Comment #7 From Daniel Ahlberg (RETIRED) 2003-01-22 06:11:29 0000 -------
unmasked and glsa sent. 

------- Comment #8 From Björn Lindström 2003-03-01 15:13:13 0000 -------
Setting modelines in /etc/vim/g?vimrc means you _can't_ set modelines in your
~/.vimrc

That's broken.

------- Comment #9 From Aron Griffis (RETIRED) 2004-03-31 18:30:24 0000 -------
*** Bug 46421 has been marked as a duplicate of this bug. ***
