Summary: | <app-editors/vim-core-7.2: Shell Command Injection Vulnerabilities (CVE-2008-2712) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | GNUtoo |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | major | CC: | vim |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://secunia.com/advisories/30731/ | ||
Whiteboard: | A2 [noglsa] | ||
Package list: | Runtime testing required: | --- |
Description
GNUtoo
2008-06-16 15:03:54 UTC
I've bumped vim-core,vim and gvim to 7.1.319. @security: I plan to remove vim-6.4. Do you want me to mask it or will you do it? ali: please proceed with the mask. Arches, please test and mark stable app-editors/vim-core-7.1.319. Target KEYWORDS: "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc ~sparc-fbsd x86 ~x86-fbsd" Are we supposted to just stablize vim-core or vim-core,vim and gvim? (In reply to comment #3) > Are we supposted to just stablize vim-core or vim-core,vim and gvim? > both of them, my mistake. (In reply to comment #4) > (In reply to comment #3) > > Are we supposted to just stablize vim-core or vim-core,vim and gvim? > > > > both of them, my mistake. All three of them. amd64/x86 stable Also unCC arches. Stable for HPPA. All three stable on sparc. I've been using [vim, gvim]-7.1.319 pretty heavily for almost four weeks with no problems. ppc and ppc64 done for all three pkgs alpha/ia64 stable Does this version actually fix all of the vulnerabilities? Using the test suite from http://www.rdancer.org/vulnerablevim.html I get the following result: ------------------------------------------- -------- Test results below --------------- ------------------------------------------- filetype.vim strong : EXPLOIT FAILED weak : EXPLOIT FAILED zipplugin : VULNERABLE xpm.vim xpm : VULNERABLE xpm2 : VULNERABLE remote : VULNERABLE gzip_vim : EXPLOIT FAILED netrw : VULNERABLE Should be noted in the GLSA I guess. vim team, do you know if upstream is trying to fix the remaining issues in the near future? if yes, we will postpone this glsa until everything is fixed. (In reply to comment #13) > vim team, do you know if upstream is trying to fix the remaining issues in the > near future? if yes, we will postpone this glsa until everything is fixed. > {vim,gvim}-7.2 fixes this. It's in CVS. ------------------------------------------- -------- Test results below --------------- ------------------------------------------- Vim version 7.2 zip.vim version: netrw.vim version: ------------------------------------------- filetype.vim strong : EXPLOIT FAILED weak : EXPLOIT FAILED tarplugin : EXPLOIT FAILED tarplugin.updated: EXPLOIT FAILED tarplugin.v2: EXPLOIT FAILED zipplugin : EXPLOIT FAILED zipplugin.v2: EXPLOIT FAILED xpm.vim xpm : EXPLOIT FAILED xpm2 : EXPLOIT FAILED remote : EXPLOIT FAILED gzip_vim : EXPLOIT FAILED netrw : EXPLOIT FAILED netrw.v2 : EXPLOIT FAILED netrw.v3 : EXPLOIT FAILED netrw.v4 : EXPLOIT FAILED netrw.v5 : EXPLOIT FAILED shellescape: EXPLOIT FAILED This issue has been fixed on Security-supported arches since Aug 15, 2008. No GLSA will be issued |