Bug 234652 (CVE-2008-3074) - <app-editors/{vim,gvim}-7.2: arbitrary command execution when handling tar archives (CVE-2008-3074)
Status: RESOLVED FIXED
Alias: CVE-2008-3074
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
URL: http://www.rdancer.org/vulnerablevim-...
Whiteboard: A2 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2008-08-13 17:39 UTC by Paweł Hajdan, Jr. (RETIRED)
Modified: 2014-05-31 18:18 UTC

See Also:
Package list:
Runtime testing required: ---

Description Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2008-08-13 17:39:11 UTC
Taken from the advisory:

3. VULNERABILITY

In statements such as the ones in ``$VIMRUNTIME/autoload/tar.vim'' on
lines 163, 308, 368, 407, and 419 (tar.vim version 20 (2008-07-30)):

    163	   exe "r ".fnameescape(a:tarfile)
    308	   exe "cd ".fnameescape(tmpdir)
    368	   exe "w! ".fnameescape(fname)
    407	    exe "e! ".fnameescape(tarfile)
    419	  exe "cd ".fnameescape(curdir)

fnameescape() makes the untrusted file name safe as an argument to
``execute''.  However, the commands called by ``execute'' will in turn
each interpret the untrusted file name again.  This can still be used
for arbitrary command execution.  Another level of sanitizing/escaping
is needed in order to make the statements safe.

5. FIX

Fixed by patch 7.2c.002[2]: fnameescape() was updated to escape a
leading '+' and '>', and a single '-'.
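The double interpretation the advisory describes can be reproduced on its own. The Vim script below is an added example, not code from tar.vim, from the advisory or from the 7.2c.002 patch: s:OldFnameescape() simulates fnameescape() as it behaved before the patch (assumed here to be the Unix fnameescape() character set without the leading '+'/'>' and lone '-' handling the patch added), s:SafeFname() adds exactly that extra layer of escaping, and the archive name s:hostile, the function names and the marker variable g:demo_executed are constructed for the demo. It relies on one Vim behaviour the fix targets: an ':edit' argument that begins with '+' is parsed as a "+{cmd}" argument, and backslashes inside that command are stripped before it runs.

```vim
" Added example (not from tar.vim or the advisory): why one fnameescape()
" layer was not enough before patch 7.2c.002, and what the patch added.
" Run with:  vim -u NONE -N -S this_file.vim

" Constructed hostile archive name.  ':e' treats an argument starting
" with '+' as a "+{cmd}" argument, not as a file name, and removes the
" backslashes inside that command before executing it.
let s:hostile = "+let g:demo_executed = 'command ran'"

" Simulation (assumption) of fnameescape() before 7.2c.002: the Unix
" special-character set is escaped, but a leading '+' is left alone.
function! s:OldFnameescape(name) abort
  return escape(a:name, " \t\n*?[{`$\\%#'\"|!<")
endfunction

" The extra layer the patch added to fnameescape(): a leading '+' or '>'
" and a lone '-' get a backslash, so the command sees a file name.
function! s:SafeFname(name) abort
  let escaped = s:OldFnameescape(a:name)
  if escaped =~# '^[+>]' || escaped ==# '-'
    let escaped = '\' . escaped
  endif
  return escaped
endfunction

" Start from a real, empty temporary file so ':e!' has a file to re-edit.
let s:scratch = tempname()
call writefile([], s:scratch)
exe 'edit ' . fnameescape(s:scratch)

" 1. Vulnerable shape, as on tar.vim line 407.  The ':e!' that 'exe' runs
"    receives  +let\ g:demo_executed\ =\ \'command\ ran\'  with no file
"    name after it, re-edits the current file and runs the command.
exe 'e! ' . s:OldFnameescape(s:hostile)
echo 'old fnameescape:  ' . (exists('g:demo_executed') ? g:demo_executed : 'nothing ran')
silent! unlet g:demo_executed

" 2. Hardened shape.  The argument now starts with \+ so it is a file
"    name: a (nonexistent) file literally called
"    +let g:demo_executed = 'command ran'   is opened and nothing runs.
exe 'e! ' . s:SafeFname(s:hostile)
echo 'extra escaping:   ' . (exists('g:demo_executed') ? g:demo_executed : 'nothing ran')
```

The first echo reports "command ran" and the second "nothing ran". The same check applies to any plugin that builds `:e`, `:r` or `:w` commands from an attacker-chosen name with a pre-7.2 fnameescape(): escaping for 'execute' is necessary but not sufficient, because the Ex command parses its argument a second time.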
Comment 1 Ali Polatel (RETIRED) gentoo-dev 2008-08-14 08:45:37 UTC
{vim,gvim}-7.2 are in CVS.
Comment 2 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2008-08-15 14:57:40 UTC
See also http://www.rdancer.org/vulnerablevim-tarplugin-update.html (it looks like vim-7.2 is vulnerable, although I didn't test)
Comment 3 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2008-08-27 10:42:59 UTC
Changed title because based on link above latest vim in portage *is* vulnerable, and this version number could be misleading (sorry if I'm wrong).
Comment 4 Pierre-Yves Rofes (RETIRED) gentoo-dev 2009-03-17 12:29:20 UTC
This patch fixes it, but it's in 7.2c.002: http://groups.google.com/group/vim_dev/msg/80882b9ee9293139. Vim herd, is it possible to port it to 7.2 stable? Please advise.
Comment 5 Jim Ramsay (lack) (RETIRED) gentoo-dev 2009-03-17 23:03:21 UTC
7.2c.002 was a pre-release of 7.2, so 7.2 and all later versions already contain this fix.

I think the problem is that according to http://www.rdancer.org/vulnerablevim-tarplugin-update.html, not all possible exploits were addressed by this 7.2c.002 patch.

I'm not entirely clear if there is actually a fix available to this 'update' analysis.
Comment 6 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-01-18 17:54:46 UTC
According to http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-3074 vim-7.3 is not vulnerable, and is already stabilized. Can anyone confirm that?

There is also a very similar vulnerability in the zip plugin, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-3075 . That one seems also fixed in vim-7.3.
Comment 7 Jim Ramsay (lack) (RETIRED) gentoo-dev 2011-01-21 18:33:41 UTC
I can confirm that the current stable vim (7.3.50) passes all the vulnerability tests in http://www.rdancer.org/vulnerablevim.tar.bz2:

-------------------------------------------
-------- Test results below ---------------
-------------------------------------------
Vim version 7.3, included patches: 1-50
zip.vim version: v23
netrw.vim version: v140
-------------------------------------------
filetype.vim
  strong  : EXPLOIT FAILED
  weak    : EXPLOIT FAILED
tarplugin : EXPLOIT FAILED
tarplugin.updated: EXPLOIT FAILED
tarplugin.v2: EXPLOIT FAILED
zipplugin : EXPLOIT FAILED
zipplugin.v2: EXPLOIT FAILED
xpm.vim
  xpm     : EXPLOIT FAILED
  xpm2    : EXPLOIT FAILED
  remote  : EXPLOIT FAILED
gzip_vim  : EXPLOIT FAILED
netrw     : EXPLOIT FAILED
netrw.v2  : EXPLOIT FAILED
netrw.v3  : EXPLOIT FAILED
netrw.v4  : EXPLOIT FAILED
netrw.v5  : EXPLOIT FAILED
shellescape: EXPLOIT FAILED
Comment 8 Tim Sammut (RETIRED) gentoo-dev 2011-01-23 17:25:08 UTC
Thanks, folks. Added to existing GLSA request.
Comment 9 Sean Amoss (RETIRED) gentoo-dev Security 2014-05-31 18:18:14 UTC
This issue has been fixed since Aug 15, 2008. No GLSA will be issued.