Opening bug to keep track of the issue. Patches not attached. It looks like it's possible to do some pretty nasty stuff via vim modelines despite the existing security code.

-- The t_* settings aren't marked as P_SECURE. IMO they should be, since by overriding these in a modeline a malicious user could seriously screw up terminal display. Attached is vim-modeline-secure-term.patch.

-- The termcap command should probably be disallowed in modelines as well. Attached is vim-modeline-secure-termcap.patch.

-- backupext should probably be P_SECURE as well. Otherwise, if there's a file named "foo" and a directory named "foobar", and "foo" contains a modeline which sets backupext to something along the lines of "bar/../../../../../../../../../../home/fred/blah", ~fred/blah will get created when the file is saved. This one's far worse if the user is running a filesystem like reiser4 which doesn't differentiate between files and directories correctly. Attached is vim-modeline-secure-backupext.patch.

-- The nasty one... By passing evil values for a fileformat setting in a modeline, it's possible to make vim source arbitrary scripts upon startup. This would hurt on a multiuser system. Here's one way: User 'fred' creates a file in /home/fred/evil.vim containing lots of nastiness (for example, "system('echo alias vim=emacs >> ~/.bashrc') | quit"). He then creates a file in some shared location with a modeline which does something like "set ft=../../../*fred/evil". User 'joe', who has ftplugins and modelines enabled, edits this file. This results in a call of ":runtime! ../../../*fred/evil", which (assuming ~/.vim is in runtimepath) expands to ~/.vim/../../../*fred/evil which matches /home/fred/evil.vim. It's also possible to really confuse vim just with a modeline entry like "set ft=../../*". I'm not sure what the best way to handle this is. One rather hackish way is in vim-modeline-secure-filetype.patch, but that's maybe not the best solution...
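A defender-side check for the patterns this report describes (terminal-code and termcap overrides, path or glob characters in filetype/syntax/backupext), written as an added example that is not part of the bug report or of vim; it assumes the default 'modelines' window of 5 lines, the two modeline forms from vim's documentation, and option abbreviations (ft, syn, bex) chosen for the example:

```python
import re

# Options whose value vim turns into a filename or runtime-path glob;
# the report argues these belong in P_SECURE. Names are an assumption.
PATH_LIKE = {"ft", "filetype", "syn", "syntax", "bex", "backupext"}

# "vim: set opt=val ... :" form (ends at the first colon) and the plain
# "vim: opt=val opt=val" form (rest of the line, ':' or blanks separate).
SET_FORM = re.compile(r"(?:^|\s)(?:vi|vim|Vi|VIM):\s*set?\s+([^:]*):")
PLAIN_FORM = re.compile(r"(?:^|\s)(?:vi|vim|Vi|VIM|ex):\s*(.*)$")


def parse_modeline(line):
    """Return [(option, value), ...] from a modeline, or [] if there is none."""
    m = SET_FORM.search(line) or PLAIN_FORM.search(line)
    if not m:
        return []
    opts = []
    for tok in re.split(r"[\s:]+", m.group(1).strip()):
        if tok:
            name, _, value = tok.partition("=")
            opts.append((name, value))
    return opts


def suspicious_options(opts):
    """Flag the option classes named in the report; returns [(name, reason)]."""
    findings = []
    for name, value in opts:
        if name.startswith("t_") or name == "termcap":
            findings.append((name, "terminal code / termcap override from a modeline"))
        elif name in PATH_LIKE and re.search(r"[/\\*]|\.\.", value):
            findings.append((name, "path or glob characters in a filename-like option"))
    return findings


def scan(text, modelines=5):
    """Check only the lines vim would read (first and last 'modelines' lines)."""
    lines = text.splitlines()
    report = {}
    for i, line in enumerate(lines, 1):
        if i > modelines and i <= len(lines) - modelines:
            continue
        hits = suspicious_options(parse_modeline(line))
        if hits:
            report[i] = hits
    return report


# Constructed sample: one file mixing a harmless modeline with the bad ones.
SAMPLE = """\
# vim: set ft=../../../*fred/evil :
Some shared text.
// vim:ts=4 sw=4 et
/* vi: t_ti=\\033[?1049h bex=bar/../../../../home/fred/blah */
"""

if __name__ == "__main__":
    for lineno, hits in scan(SAMPLE).items():
        for name, reason in hits:
            print(f"line {lineno}: {name}: {reason}")
```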
*** Bug 73717 has been marked as a duplicate of this bug. ***
Patch 6.3.045 fixes this and a number of similar issues. I'll put together new vim and gvim releases for this and I'll do an updated vim-core snapshot whilst I'm at it.
Forwarded to vendor-sec. Please keep low profile in Changelog until they say if they want a coordinated release.
app-editors/vim-6.3-r2 and app-editors/gvim-6.3-r2 updated. There's also a new app-editors/vim-core-6.3-r3 which isn't strictly necessary for this bug but it's best to keep everything in sync. Keywords are all ~arch, I'll leave it to you people to decide when to do the whole keywording thing.
Calling in last stable markers as this is a restricted bug.

Please mark app-editors/vim-6.3-r2:
ciaranm@gentoo.org: sparc, mips
kloeri@gentoo.org: x86, alpha
pvdabeel@gentoo.org: ppc
kugelfang@gentoo.org: amd64, s390
hattya@gentoo.org: ia64
agriffis@gentoo.org: arm
gmsoft@gentoo.org: hppa
tgall@gentoo.org: ppc64

Please mark app-editors/vim-6.3-r2:
ciaranm@gentoo.org: x86, sparc, mips
pvdabeel@gentoo.org: ppc
kloeri@gentoo.org: alpha
blubb@gentoo.org: amd64
hattya@gentoo.org: ia64
gmsoft@gentoo.org: hppa
dostrow@gentoo.org: ~ppc64

Please mark app-editors/vim-core-6.3-r3:
ciaranm@gentoo.org: x86, sparc, mips
pvdabeel@gentoo.org: ppc
kloeri@gentoo.org: alpha
kugelfang@gentoo.org: amd64, s390
hattya@gentoo.org: ia64
agriffis@gentoo.org: arm
gmsoft@gentoo.org: hppa
tgall@gentoo.org: ppc64

If you're somehow not able to mark please respond back and please propose another dev to mark stable.
amd64 done
x86, sparc, mips done for gvim and vim-core. sparc, mips done for vim.
Alpha done.
x86 all done.
All done on hppa.
Ccing sejo for ppc and corsair for ppc64 Please test and mark vim vim-core and gvim stable (referencing this bug). This is still semi-public and will remain that way until the GLSA is out.
app-editors/vim-6.3-r2 and app-editors/vim-core-6.3-r3 are now stable on ppc64. There has never been a stable version of gvim on ppc64, due to bug #69453. Currently app-editors/gvim-6.3-r2 is marked ~ppc64. Markus
stable on ppc (all 3 packages)
Thanks everyone. This will be CAN-2004-1138, release is scheduled for tomorrow 1400 UTC.
stable on ia64.
Default configs are not vulnerable (modelines disabled in vimrc by default), setting "B1".
GLSA 200412-10, now public, thx everyone.