Opening bug to keep track of the issue. Patches not attached. It looks like it's possible to do some pretty nasty stuff via vim modelines despite the existing security code.

The t_* settings aren't marked as P_SECURE. IMO they should be, since by overriding these in a modeline a malicious user could seriously screw up terminal display. Attached is vim-modeline-secure-term.patch.

The termcap command should probably be disallowed in modelines as well... Attached is vim-modeline-secure-termcap.patch.

backupext should probably be P_SECURE as well. Otherwise, if there's a file named "foo" and a directory named "foobar", and "foo" contains a modeline which sets backupext to something along the lines of "bar/../../../../../../../../../../home/fred/blah", ~fred/blah will get created when the file is saved. This one's far worse if the user is running a filesystem like reiser4 which doesn't differentiate between files and directories correctly. Attached is vim-modeline-secure-backupext.patch.

The nasty one... By passing evil values for a fileformat setting in a modeline, it's possible to make vim source arbitrary scripts upon startup. This would hurt on a multiuser system. Here's one way: User 'fred' creates a file in /home/fred/evil.vim containing lots of nastiness (for example, "system('echo alias vim=emacs >> ~/.bashrc') | quit"). He then creates a file in some shared location with a modeline which does something like "set ft=../../../*fred/evil". User 'joe', who has ftplugins and modelines enabled, edits this file. This results in a call of ":runtime! ../../../*fred/evil", which (assuming ~/.vim is in runtimepath) expands to ~/.vim/../../../*fred/evil which matches /home/fred/evil.vim. It's also possible to really confuse vim just with a modeline entry like "set ft=../../*". I'm not sure what the best way to handle this is. One rather hackish way is in vim-modeline-secure-filetype.patch, but that's maybe not the best solution...
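As an added example (not part of this bug report or of vim itself), here is a small Python scanner a defender could run over files in a shared location: it parses vim modelines in the first and last few lines, as vim does, and flags the options the report names (ft/filetype, backupext, t_*) when their values look like paths or globs. The option set and the sample file are constructed assumptions.

```python
import re

# Options the report singles out as dangerous when set from a modeline:
# filetype (fed to ":runtime!"), backupext (fed into the backup file name),
# and the terminal-code options t_* (never legitimate in a modeline).
PATH_OPTS = {"ft", "filetype", "bex", "backupext"}
MODELINE_RE = re.compile(r"(?:^|\s)(?:vi|vim|ex):\s*(.*)$")

def parse_modeline(line):
    """Return {option: value} for a vi/vim/ex modeline, {} if the line has none.
    Both 'vim: set a=b c:' and 'vim:a=b:c' forms are split on blanks and colons."""
    m = MODELINE_RE.search(line)
    if not m:
        return {}
    opts = {}
    for tok in re.split(r"[\s:]+", m.group(1)):
        if not tok or tok in ("set", "se"):
            continue
        name, _, value = tok.partition("=")
        opts[name] = value
    return opts

def unsafe_options(opts):
    """Yield (option, value) pairs that should not be honoured from a modeline."""
    for name, value in opts.items():
        if name.startswith("t_"):
            yield name, value  # terminal codes: always suspicious in a modeline
        elif name in PATH_OPTS and ("/" in value or ".." in value or "*" in value):
            yield name, value  # path traversal or glob inside a name component

def scan_text(text, modelines=5):
    """Check the first and last `modelines` lines, as vim does by default,
    and return a list of (line_number, option, value) findings."""
    lines = text.splitlines()
    head = range(min(modelines, len(lines)))
    tail = range(max(len(lines) - modelines, 0), len(lines))
    findings = []
    for i in sorted(set(head) | set(tail)):
        for name, value in unsafe_options(parse_modeline(lines[i])):
            findings.append((i + 1, name, value))
    return findings

# Constructed sample input resembling the report's "set ft=../../*" case.
SAMPLE = "# some shared file\n" + "body\n" * 10 + "# vim: set ft=../../* bex=bar/../x ts=4:\n"

if __name__ == "__main__":
    for ln, name, value in scan_text(SAMPLE):
        print(f"line {ln}: modeline sets {name}={value!r}")
```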
*** Bug 73717 has been marked as a duplicate of this bug. ***
Patch 6.3.045 fixes this and a number of similar issues. I'll put together new vim and gvim releases for this and I'll do an updated vim-core snapshot whilst I'm at it.
Forwarded to vendor-sec. Please keep low profile in Changelog until they say if they want a coordinated release.
app-editors/vim-6.3-r2 and app-editors/gvim-6.3-r2 updated. There's also a new app-editors/vim-core-6.3-r3 which isn't strictly necessary for this bug but it's best to keep everything in sync. Keywords are all ~arch, I'll leave it to you people to decide when to do the whole keywording thing.
Calling in last stable markers as this is a restricted bug.

Please mark app-editors/vim-6.3-r2:
ciaranm@gentoo.org: sparc, mips
kloeri@gentoo.org: x86, alpha
pvdabeel@gentoo.org: ppc
kugelfang@gentoo.org: amd64, s390
hattya@gentoo.org: ia64
agriffis@gentoo.org: arm
gmsoft@gentoo.org: hppa
tgall@gentoo.org: ppc64

Please mark app-editors/vim-6.3-r2:
ciaranm@gentoo.org: x86, sparc, mips
pvdabeel@gentoo.org: ppc
kloeri@gentoo.org: alpha
blubb@gentoo.org: amd64
hattya@gentoo.org: ia64
gmsoft@gentoo.org: hppa
dostrow@gentoo.org: ~ppc64

Please mark app-editors/vim-core-6.3-r3:
ciaranm@gentoo.org: x86, sparc, mips
pvdabeel@gentoo.org: ppc
kloeri@gentoo.org: alpha
kugelfang@gentoo.org: amd64, s390
hattya@gentoo.org: ia64
agriffis@gentoo.org: arm
gmsoft@gentoo.org: hppa
tgall@gentoo.org: ppc64

If you're somehow not able to mark, please respond back and propose another dev to mark stable.
amd64 done
x86, sparc, mips done for gvim and vim-core. sparc, mips done for vim.
Alpha done.
x86 all done.
All done on hppa.
Ccing sejo for ppc and corsair for ppc64. Please test and mark vim, vim-core and gvim stable (referencing this bug). This is still semi-public and will remain that way until the GLSA is out.
app-editors/vim-6.3-r2 and app-editors/vim-core-6.3-r3 are now stable on ppc64. There has never been a stable version of gvim on ppc64 due to bug #69453; currently app-editors/gvim-6.3-r2 is marked ~ppc64. Markus
stable on ppc (all 3 packages)
Thanks everyone. This will be CAN-2004-1138; release is scheduled for tomorrow 1400 UTC.
stable on ia64.
Default configs are not vulnerable (modelines disabled in vimrc by default), setting "B1".
GLSA 200412-10, now public, thx everyone.