Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 73715 - app-editors/vim|gvim modeline nastiness
Summary: app-editors/vim|gvim modeline nastiness
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High major (vote)
Assignee: Gentoo Security
Whiteboard: B1 [glsa] koon / 20041215
: 73717 (view as bug list)
Depends on:
Reported: 2004-12-07 13:18 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2007-05-31 10:53 UTC (History)
9 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-12-07 13:18:18 UTC
Opening bug to keep track of the issue. Patches not attached.

it looks like it's possible to do some pretty nasty stuff via vim
modelines despite the existing security code.

-- The t_* settings aren't marked as P_SECURE. IMO they should be, since
by overriding these in a modeline a malicious user could seriously screw
up terminal display. Attached is vim-modeline-secure-term.patch .

-- The termcap command should probably be disallowed in modelines as
well... Attached is vim-modeline-secure-termcap.patch .

-- backupext should probably be P_SECURE as well. Otherwise, if there's
a file named "foo" and a directory named "foobar", and "foo" contains a
modeline which sets backupext to something along the lines of
"bar/../../../../../../../../../../home/fred/blah", ~fred/blah will get
created when the file is saved. This one's far worse if the user is
running a filesystem like reiser4 which doesn't differentiate between
files and directories correctly. Attacheded is
vim-modeline-secure-backupext.patch .

-- The nasty one... By passing evil values for a fileformat setting in
a modeline, it's possible to make vim source arbitrary scripts upon
startup. This would hurt on a multiuser system. Here's one way:

User 'fred' creates a file in /home/fred/evil.vim containing lots of
nastiness (for example, "system('echo alias vim=emacs >> ~/.bashrc') |
quit"). He then creates a file in some shared location with a modeline
which does something like"set ft=../../../*fred/evil". User 'joe', who
has ftplugins and modelines enabled, edits this file. This results in a
call of ":runtime!../../../*fred/evil" , which (assuming ~/.vim is in
runtimepath) expands to ~/.vim/../../../*fred/evil which
matches /home/fred/evil.vim.

It's also possible to really confuse vim just with a modeline entry like
"set ft=../../*".

I'm not sure what the best way to handle this is. One rather hackish way
is in vim-modeline-secure-filetype.patch , but that's maybe not the best
Comment 1 Luke Macken (RETIRED) gentoo-dev 2004-12-07 13:38:59 UTC
*** Bug 73717 has been marked as a duplicate of this bug. ***
Comment 2 Ciaran McCreesh 2004-12-09 07:50:08 UTC
Patch 6.3.045 fixes this and a number of similar issues. I'll put together new vim and gvim releases for this and I'll do an updated vim-core snapshot whilst I'm at it.
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2004-12-09 09:00:00 UTC
Forwarded to vendor-sec.

Please keep low profile in Changelog until they say if they want a coordinated release.
Comment 4 Ciaran McCreesh 2004-12-09 11:28:59 UTC
app-editors/vim-6.3-r2 and app-editors/gvim-6.3-r2 updated. There's also a new app-editors/vim-core-6.3-r3 which isn't strictly necessary for this bug but it's best to keep everything in sync. Keywords are all ~arch, I'll leave it to you people to decide when to do the whole keywording thing.
Comment 5 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-12-09 11:58:50 UTC
Calling in last stable markers as this is a restricted bug.

Please mark app-editors/vim-6.3-r2: sparc, mips x86, alpha ppc amd64, s390 ia64 arm hppa ppc64

Please mark app-editors/vim-6.3-r2: x86, sparc, mips ppc alpha amd64 ia64 hppa ~ppc64

Please mark app-editors/vim-core-6.3-r3: x86, sparc, mips ppc alpha amd64, s390 ia64 arm hppa ppc64

If you're somehow not able to mark please respond back and please propose another dev to mark stable.
Comment 6 Simon Stelling (RETIRED) gentoo-dev 2004-12-09 13:27:18 UTC
amd64 done
Comment 7 Ciaran McCreesh 2004-12-09 13:48:31 UTC
x86, sparc, mips done for gvim and vim-core. sparc, mips done for vim.
Comment 8 Bryan Østergaard (RETIRED) gentoo-dev 2004-12-10 14:52:49 UTC
Alpha done.
Comment 9 Ciaran McCreesh 2004-12-11 10:28:56 UTC
x86 all done.
Comment 10 Guy Martin (RETIRED) gentoo-dev 2004-12-11 12:14:46 UTC
All done on hppa.
Comment 11 Thierry Carrez (RETIRED) gentoo-dev 2004-12-13 01:08:33 UTC
Ccing sejo for ppc and corsair for ppc64
Please test and mark vim vim-core and gvim stable (referencing this bug).
This is still semi-public and will remain that way until the GLSA is out.
Comment 12 Markus Rothe (RETIRED) gentoo-dev 2004-12-13 11:27:43 UTC
app-editors/vim-6.3-r2 and app-editors/vim-core-6.3-r3 is now stable on ppc64.

there has never been a stable version of gvim on ppc64; due to bug #69453. currently app-editors/gvim-6.3-r2 is marked ~ppc64.

Comment 13 Jochen Maes (RETIRED) gentoo-dev 2004-12-14 02:33:47 UTC
stable on ppc (all 3 packages)
Comment 14 Thierry Carrez (RETIRED) gentoo-dev 2004-12-14 02:41:04 UTC
Thanks everyone.
This will be CAN-2004-1138, release is scheduled for tomorrow 14OO UTC
Comment 15 Akinori Hattori gentoo-dev 2004-12-14 02:52:46 UTC
stable on ia64.
Comment 16 Thierry Carrez (RETIRED) gentoo-dev 2004-12-14 05:29:25 UTC
Default configs are not vulnerable (modelines disabled in vimrc by default), setting "B1".
Comment 17 Thierry Carrez (RETIRED) gentoo-dev 2004-12-15 06:03:34 UTC
GLSA 200412-10, now public, thx everyone.