
Bug 386303 (CVE-2010-3914)

Summary: <app-editors/gvim-7.3.46: untrusted search path vulnerability (CVE-2010-3914)
Product: Gentoo Security
Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED INVALID
Severity: major
CC: vim
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: A2 [noglsa]
Package list:
Runtime testing required: ---

Description GLSAMaker/CVETool Bot gentoo-dev 2011-10-08 13:52:20 UTC
CVE-2010-3914 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3914):
  Untrusted search path vulnerability in VIM Development Group GVim before
  7.3.034, and possibly other versions before 7.3.46, allows local users, and
  possibly remote attackers, to execute arbitrary code and conduct DLL
  hijacking attacks via a Trojan horse User32.dll or other DLL that is located
  in the same folder as a .TXT file.  NOTE: some of these details are obtained
  from third party information.
Please punt vulnerable versions.
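The CVE text above describes the planted-DLL pattern: the application resolves an implicitly loaded library such as User32.dll through a search path that includes the folder of the opened .TXT file, so a DLL dropped next to the document wins over the real one. As an added illustration (not part of this bug, of vim, or of the 7.3.034 patch), the following Python audit walks a directory tree and flags DLLs whose names shadow system libraries and which share a folder with document files. User32.dll comes from the CVE text; the other DLL names, the document extensions and the sample tree are constructed assumptions for the demonstration.

```python
import os
import tempfile
from pathlib import Path

# Names of libraries an application typically loads implicitly. A file with
# one of these names sitting in a document folder is the planted-DLL pattern
# the CVE text describes. User32.dll is from the CVE text; the rest are
# assumptions added for this example.
SYSTEM_DLL_NAMES = {"user32.dll", "kernel32.dll", "advapi32.dll",
                    "shell32.dll", "version.dll"}

# Document types a user might open from an untrusted folder (assumption).
DOCUMENT_SUFFIXES = {".txt", ".doc", ".docx", ".pdf", ".rtf"}


def find_planted_dlls(root):
    """Return the sorted paths of DLLs under `root` whose name shadows a
    system library and which share a directory with a document file."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        lowered = [name.lower() for name in filenames]
        has_document = any(Path(n).suffix in DOCUMENT_SUFFIXES for n in lowered)
        if not has_document:
            # A lone DLL in a non-document folder is outside this heuristic.
            continue
        for original, lower in zip(filenames, lowered):
            if lower in SYSTEM_DLL_NAMES:
                findings.append(os.path.join(dirpath, original))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample tree (not real data): a 'downloads' folder holding
    notes.txt beside a User32.dll, and a 'docs' folder holding readme.txt
    beside a tool.dll that does not shadow a system library."""
    root = tempfile.mkdtemp(prefix="dllcheck_")
    suspicious = os.path.join(root, "downloads")
    clean = os.path.join(root, "docs")
    os.makedirs(suspicious)
    os.makedirs(clean)
    Path(suspicious, "notes.txt").write_text("hello")
    # "MZ" is only a marker; this is not a loadable DLL.
    Path(suspicious, "User32.dll").write_bytes(b"MZ")
    Path(clean, "readme.txt").write_text("hello")
    Path(clean, "tool.dll").write_bytes(b"MZ")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for hit in find_planted_dlls(sample_root):
        print("suspicious DLL beside documents:", hit)
```

The check is a file-system heuristic for triage, not a substitute for the application-side fix: the durable mitigation is for the program to stop resolving libraries through the document's folder, which is what a loader-level patch addresses.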
Comment 1 Agostino Sarubbo gentoo-dev 2013-08-29 16:11:36 UTC
Cleanup is done, please go ahead with the glsa request
Comment 2 Chris Reffett (RETIRED) gentoo-dev Security 2013-10-24 00:57:36 UTC
I'm not clear why we care about this; it looks like this is a Windows-only vuln.
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2013-11-05 05:33:28 UTC
(In reply to Chris Reffett from comment #2)
> I'm not clear why we care about this; it looks like this is a Windows-only
> vuln.

That was the original reason it was glsa?. The patch is clearly for Windows-based .dlls, but needed verification by a second set of eyes.

ftp://ftp.vim.org/pub/vim/patches/7.3/7.3.034
Comment 4 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2013-11-05 07:04:02 UTC
hm, looks like a Windows-related issue, indeed.
Comment 5 Chris Reffett (RETIRED) gentoo-dev Security 2013-11-05 13:20:07 UTC
Okay then, bye bye bug.