Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 73715

Summary: app-editors/vim|gvim modeline nastiness
Product: Gentoo Security Reporter: Sune Kloppenborg Jeppesen (RETIRED) <jaervosz>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: agriffis, ciaran.mccreesh, corsair, hattya, kugelfang, pvdabeel, sejo, tgall, vim
Priority: High    
Version: unspecified   
Hardware: All   
OS: All   
Whiteboard: B1 [glsa] koon / 20041215
Package list:
Runtime testing required: ---

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-12-07 13:18:18 UTC 
Opening bug to keep track of the issue. Patches not attached.

it looks like it's possible to do some pretty nasty stuff via vim
modelines despite the existing security code.

-- The t_* settings aren't marked as P_SECURE. IMO they should be, since
by overriding these in a modeline a malicious user could seriously screw
up terminal display. Attached is vim-modeline-secure-term.patch .

-- The termcap command should probably be disallowed in modelines as
well... Attached is vim-modeline-secure-termcap.patch .

-- backupext should probably be P_SECURE as well. Otherwise, if there's
a file named "foo" and a directory named "foobar", and "foo" contains a
modeline which sets backupext to something along the lines of
"bar/../../../../../../../../../../home/fred/blah", ~fred/blah will get
created when the file is saved. This one's far worse if the user is
running a filesystem like reiser4 which doesn't differentiate between
files and directories correctly. Attacheded is
vim-modeline-secure-backupext.patch .

-- The nasty one... By passing evil values for a fileformat setting in
a modeline, it's possible to make vim source arbitrary scripts upon
startup. This would hurt on a multiuser system. Here's one way:

User 'fred' creates a file in /home/fred/evil.vim containing lots of
nastiness (for example, "system('echo alias vim=emacs >> ~/.bashrc') |
quit"). He then creates a file in some shared location with a modeline
which does something like"set ft=../../../*fred/evil". User 'joe', who
has ftplugins and modelines enabled, edits this file. This results in a
call of ":runtime!../../../*fred/evil" , which (assuming ~/.vim is in
runtimepath) expands to ~/.vim/../../../*fred/evil which
matches /home/fred/evil.vim.

It's also possible to really confuse vim just with a modeline entry like
"set ft=../../*".

I'm not sure what the best way to handle this is. One rather hackish way
is in vim-modeline-secure-filetype.patch , but that's maybe not the best
solution...
Comment 1 Luke Macken (RETIRED) gentoo-dev 2004-12-07 13:38:59 UTC 
*** Bug 73717 has been marked as a duplicate of this bug. ***
Comment 2 Ciaran McCreesh 2004-12-09 07:50:08 UTC 
Patch 6.3.045 fixes this and a number of similar issues. I'll put together new vim and gvim releases for this and I'll do an updated vim-core snapshot whilst I'm at it.
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2004-12-09 09:00:00 UTC 
Forwarded to vendor-sec.

Please keep low profile in Changelog until they say if they want a coordinated release.
Comment 4 Ciaran McCreesh 2004-12-09 11:28:59 UTC 
app-editors/vim-6.3-r2 and app-editors/gvim-6.3-r2 updated. There's also a new app-editors/vim-core-6.3-r3 which isn't strictly necessary for this bug but it's best to keep everything in sync. Keywords are all ~arch, I'll leave it to you people to decide when to do the whole keywording thing.
Comment 5 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-12-09 11:58:50 UTC 
Calling in last stable markers as this is a restricted bug.

Please mark app-editors/vim-6.3-r2:

ciaranm@gentoo.org: sparc, mips
kloeri@gentoo.org: x86, alpha
pvdabeel@gentoo.org: ppc
kugelfang@gentoo.org: amd64, s390
hattya@gentoo.org: ia64
agriffis@gentoo.org: arm
gmsoft@gentoo.org: hppa
tgall@gentoo.org: ppc64

Please mark app-editors/vim-6.3-r2:

ciaranm@gentoo.org: x86, sparc, mips
pvdabeel@gentoo.org: ppc
kloeri@gentoo.org: alpha
blubb@gentoo.org: amd64
hattya@gentoo.org: ia64
gmsoft@gentoo.org: hppa
dostrow@gentoo.org: ~ppc64

Please mark app-editors/vim-core-6.3-r3:
ciaranm@gentoo.org: x86, sparc, mips
pvdabeel@gentoo.org: ppc
kloeri@gentoo.org: alpha
kugelfang@gentoo.org: amd64, s390
hattya@gentoo.org: ia64
agriffis@gentoo.org: arm
gmsoft@gentoo.org: hppa
tgall@gentoo.org: ppc64

If you're somehow not able to mark please respond back and please propose another dev to mark stable.
Comment 6 Simon Stelling (RETIRED) gentoo-dev 2004-12-09 13:27:18 UTC 
amd64 done
Comment 7 Ciaran McCreesh 2004-12-09 13:48:31 UTC 
x86, sparc, mips done for gvim and vim-core. sparc, mips done for vim.
Comment 8 Bryan Østergaard (RETIRED) gentoo-dev 2004-12-10 14:52:49 UTC 
Alpha done.
Comment 9 Ciaran McCreesh 2004-12-11 10:28:56 UTC 
x86 all done.
Comment 10 Guy Martin (RETIRED) gentoo-dev 2004-12-11 12:14:46 UTC 
All done on hppa.
Comment 11 Thierry Carrez (RETIRED) gentoo-dev 2004-12-13 01:08:33 UTC 
Ccing sejo for ppc and corsair for ppc64
Please test and mark vim vim-core and gvim stable (referencing this bug).
This is still semi-public and will remain that way until the GLSA is out.
Comment 12 Markus Rothe (RETIRED) gentoo-dev 2004-12-13 11:27:43 UTC 
app-editors/vim-6.3-r2 and app-editors/vim-core-6.3-r3 is now stable on ppc64.

there has never been a stable version of gvim on ppc64; due to bug #69453. currently app-editors/gvim-6.3-r2 is marked ~ppc64.

Markus
Comment 13 Jochen Maes (RETIRED) gentoo-dev 2004-12-14 02:33:47 UTC 
stable on ppc (all 3 packages)
Comment 14 Thierry Carrez (RETIRED) gentoo-dev 2004-12-14 02:41:04 UTC 
Thanks everyone.
This will be CAN-2004-1138, release is scheduled for tomorrow 14OO UTC
Comment 15 Akinori Hattori gentoo-dev 2004-12-14 02:52:46 UTC 
stable on ia64.
Comment 16 Thierry Carrez (RETIRED) gentoo-dev 2004-12-14 05:29:25 UTC 
Default configs are not vulnerable (modelines disabled in vimrc by default), setting "B1".
Comment 17 Thierry Carrez (RETIRED) gentoo-dev 2004-12-15 06:03:34 UTC 
GLSA 200412-10, now public, thx everyone.