sandbox for vim allows attackers to execute shell commands and write files via modelines

Related Vulnerabilities: CVE-2007-2438, CVE-2007-2953

Debian Bug report logs - #435401

Package: vim; Maintainer for vim is Debian Vim Maintainers <team+vim@tracker.debian.org>; Source for vim is src:vim.

Reported by: Steffen Joeris <steffen.joeris@skolelinux.de>

Date: Tue, 31 Jul 2007 13:48:01 UTC

Severity: grave

Tags: security

Found in version vim/1:7.0-122+1etch4

Fixed in versions vim/1:7.1-022+1, vim/1:7.0-122+1etch4

Done: James Vega <jamessan@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian VIM Maintainers <pkg-vim-maintainers@lists.alioth.debian.org>:
Bug#435401; Package vim.


Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian VIM Maintainers <pkg-vim-maintainers@lists.alioth.debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: sandbox for vim allows attackers to execute shell commands and write files via modelines
Date: Tue, 31 Jul 2007 23:44:38 +1000
Package: vim
Version: 1:7.1-022+1
Severity: grave
Tags: security
Justification: user security hole

Hi mates

I found this CVE[0], which states:

The sandbox for vim allows dangerous functions such as (1) writefile,
(2) feedkeys, and (3) system, which might allow user-assisted attackers
to execute shell commands and write files via modelines.


I also saw that there is an ubuntu security announce, including these
two patches[1] as a fix.

Can you please investigate, if any versions in debian are vulnerable?
Please also feel free to downgrade/close this bug, if the fix is already
in unstable.
Thanks for your efforts.

Cheers
Steffen

[0]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2438

[1]: http://developer.skolelinux.no/~white/security/vim/
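
An added example, not part of the original report and not Vim or Debian code: a Python check that flags modelines calling the three functions named in the CVE text, scanning only the first and last five lines of a file as Vim's default `modelines` setting does. The option name `someopt`, the `PLACEHOLDER` arguments and the sample file are constructed stand-ins.

```python
import re

# Functions named in the CVE-2007-2438 description quoted above.
RISKY_CALLS = ("writefile", "feedkeys", "system")
# Vim only scans the first and last 'modelines' lines of a file (default 5).
DEFAULT_WINDOW = 5
# Modeline markers: "vi:", "vim:", "ex:", plus versioned forms such as
# "vim700:" or "vim>700:". Slightly broader than Vim's own parser, which is
# acceptable for a detector.
MODELINE_RE = re.compile(r"(?:^|\s)(?:vi|vim(?:[<>=]?\d+)?|ex):\s*(.*)$")
CALL_RE = re.compile(r"\b(%s)\s*\(" % "|".join(RISKY_CALLS))


def modeline_window(lines, window=DEFAULT_WINDOW):
    """Yield (line_number, text) for the lines Vim would scan for modelines."""
    total = len(lines)
    for idx, text in enumerate(lines):
        if idx < window or idx >= total - window:
            yield idx + 1, text


def find_risky_modelines(text, window=DEFAULT_WINDOW):
    """Return [(line_number, [function names])] for modelines calling RISKY_CALLS."""
    findings = []
    for lineno, line in modeline_window(text.splitlines(), window):
        match = MODELINE_RE.search(line)
        if match is None:
            continue
        calls = sorted(set(CALL_RE.findall(match.group(1))))
        if calls:
            findings.append((lineno, calls))
    return findings


# Constructed sample file: "someopt" and PLACEHOLDER are stand-ins, not real
# option names or payloads.
SAMPLE = "\n".join(
    ["#!/bin/sh", "# vim: set someopt=system(PLACEHOLDER) :"]
    + ["echo %d" % n for n in range(9)]
    + ["# vim: set someopt=writefile(PLACEHOLDER) :"]  # line 12: outside window
    + ["echo %d" % n for n in range(9, 18)]
    + ["# vim: set ts=4 sw=4 :"]  # benign modeline, last line
)

if __name__ == "__main__":
    for lineno, calls in find_risky_modelines(SAMPLE):
        print("line %d: modeline calls %s" % (lineno, ", ".join(calls)))
```

Setting `nomodeline` in the system or user vimrc stops Vim from processing modelines at all, independent of the installed package version.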



Information forwarded to debian-bugs-dist@lists.debian.org, Debian VIM Maintainers <pkg-vim-maintainers@lists.alioth.debian.org>:
Bug#435401; Package vim.


Acknowledgement sent to "Taylor, Christopher PO2 USN (NCTS La Maddalena)" <taylorc@lamadd.navy.mil>:
Extra info received and forwarded to list. Copy sent to Debian VIM Maintainers <pkg-vim-maintainers@lists.alioth.debian.org>.


Message #10 received at 435401@bugs.debian.org:

From: "Taylor, Christopher PO2 USN (NCTS La Maddalena)" <taylorc@lamadd.navy.mil>
To: 435401@bugs.debian.org
Subject: sandbox for vim allows attackers to execute shell commands and write files
Date: Mon, 6 Aug 2007 13:17:11 +0200

FrSirt states that this has been fixed as of version 7.0.235[0]. The current
version in unstable is 7.1

The version in stable is currently vulnerable. 

The version in unstable does not appear to be vulnerable, as none of the
exploits I tried against it were successful.




[0]http://www.frsirt.com/english/advisories/2007/1599



Information forwarded to debian-bugs-dist@lists.debian.org, Debian VIM Maintainers <pkg-vim-maintainers@lists.alioth.debian.org>:
Bug#435401; Package vim.


Acknowledgement sent to James Vega <jamessan@jamessan.com>:
Extra info received and forwarded to list. Copy sent to Debian VIM Maintainers <pkg-vim-maintainers@lists.alioth.debian.org>.


Message #15 received at 435401@bugs.debian.org:

From: James Vega <jamessan@jamessan.com>
To: "Taylor, Christopher PO2 USN (NCTS La Maddalena)" <taylorc@lamadd.navy.mil>, 435401@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: Bug#435401: sandbox for vim allows attackers to execute shell commands and write files
Date: Mon, 6 Aug 2007 08:28:31 -0400

package vim
found 435401 1:7.0-122+1etch4
notfound 435401 1:7.1-022+1
thanks

On Mon, Aug 06, 2007 at 01:17:11PM +0200, Taylor, Christopher PO2 USN (NCTS La Maddalena) wrote:
> FrSirt states that this has been fixed as of version 7.0.235[0]. The current
> version in unstable is 7.1
> 
> The version in stable is currently vulnerable. 
> 
> The version in unstable does not appear to be vulnerable, as none of the
> exploits I tried against it were successful.
> 
> [0]http://www.frsirt.com/english/advisories/2007/1599

Thanks for taking a look at this.  I'll work on getting a package ready
for the stable release and contacting the security team.

James
-- 
GPG Key: 1024D/61326D40 2003-09-02 James Vega <jamessan@debian.org>

Bug marked as found in version 1:7.0-122+1etch4. Request was from James Vega <jamessan@jamessan.com> to control@bugs.debian.org. (Mon, 06 Aug 2007 12:30:03 GMT).


Bug marked as not found in version 1:7.1-022+1. Request was from James Vega <jamessan@jamessan.com> to control@bugs.debian.org. (Mon, 06 Aug 2007 12:30:04 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian VIM Maintainers <pkg-vim-maintainers@lists.alioth.debian.org>:
Bug#435401; Package vim.


Acknowledgement sent to kurt@roeckx.be (Kurt Roeckx):
Extra info received and forwarded to list. Copy sent to Debian VIM Maintainers <pkg-vim-maintainers@lists.alioth.debian.org>.


Message #24 received at 435401@bugs.debian.org:

From: kurt@roeckx.be (Kurt Roeckx)
To: control@bugs.debian.org
Cc: 435401@bugs.debian.org
Subject: closing 435401
Date: Sat, 11 Aug 2007 17:56:46 +0200 (CEST)

# Automatically generated email from bts, devscripts version 2.9.6
# 7.1 shouldn't have this problem, so marking it as fixed and closing.
close 435401 1:7.1-022+1



Bug marked as fixed in version 1:7.1-022+1, send any further explanations to Steffen Joeris <steffen.joeris@skolelinux.de>. Request was from kurt@roeckx.be (Kurt Roeckx) to control@bugs.debian.org. (Sat, 11 Aug 2007 16:06:07 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian VIM Maintainers <pkg-vim-maintainers@lists.alioth.debian.org>:
Bug#435401; Package vim.


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian VIM Maintainers <pkg-vim-maintainers@lists.alioth.debian.org>.


Message #31 received at 435401@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: James Vega <jamessan@jamessan.com>
Cc: "Taylor, Christopher PO2 USN (NCTS La Maddalena)" <taylorc@lamadd.navy.mil>, 435401@bugs.debian.org, jmm@debian.org
Subject: Re: Bug#435401: sandbox for vim allows attackers to execute shell commands and write files
Date: Fri, 17 Aug 2007 23:06:21 +0200

James Vega wrote:
> > FrSirt states that this has been fixed as of version 7.0.235[0]. The current
> > version in unstable is 7.1
> > 
> > The version in stable is currently vulnerable. 
> > 
> > The version in unstable does not appear to be vulnerable, as none of the
> > exploits I tried against it were successful.
> > 
> > [0]http://www.frsirt.com/english/advisories/2007/1599
> 
> Thanks for taking a look at this.  I'll work on getting a package ready
> for the stable release and contacting the security team.

What's the status? If you prepare an update for us, please include the fix
for ftp://ftp.vim.org/pub/vim/patches/7.1/7.1.039 (CVE-2007-2953).

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Debian VIM Maintainers <pkg-vim-maintainers@lists.alioth.debian.org>:
Bug#435401; Package vim.


Acknowledgement sent to James Vega <jamessan@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian VIM Maintainers <pkg-vim-maintainers@lists.alioth.debian.org>.


Message #36 received at 435401@bugs.debian.org:

From: James Vega <jamessan@debian.org>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: 435401@bugs.debian.org, control@bugs.debian.org
Subject: Re: Bug#435401: sandbox for vim allows attackers to execute shell commands and write files
Date: Fri, 17 Aug 2007 22:44:19 -0400

package vim
clone 435401
retitle -1 Format string vulnerability possibly allows arbitrary code execution
tag -1 security
severity -1 grave
found -1 1:7.0-122+1etch4
thanks

On Fri, Aug 17, 2007 at 11:06:21PM +0200, Moritz Muehlenhoff wrote:
> James Vega wrote:
> > Thanks for taking a look at this.  I'll work on getting a package ready
> > for the stable release and contacting the security team.
> 
> What's the status? If you prepare an update for us, please include the fix
> for ftp://ftp.vim.org/pub/vim/patches/7.1/7.1.039 (CVE-2007-2953).

I haven't had much free time recently.  I'll get this done this weekend.
Thanks for the prod and note about the other vulnerability.  I've cloned
this bug for the new vulnerability.

James
-- 
GPG Key: 1024D/61326D40 2003-09-02 James Vega <jamessan@debian.org>

Bug 435401 cloned as bug 438593. Request was from James Vega <jamessan@debian.org> to control@bugs.debian.org. (Sat, 18 Aug 2007 02:57:02 GMT).


Reply sent to James Vega <jamessan@debian.org>:
You have taken responsibility.


Notification sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Bug acknowledged by developer.


Message #43 received at 435401-close@bugs.debian.org:

From: James Vega <jamessan@debian.org>
To: 435401-close@bugs.debian.org
Subject: Bug#435401: fixed in vim 1:7.0-122+1etch4
Date: Sat, 01 Sep 2007 19:56:28 +0000
Source: vim
Source-Version: 1:7.0-122+1etch4

We believe that the bug you reported is fixed in the latest version of
vim, which is due to be installed in the Debian FTP archive:

vim-common_7.0-122+1etch4_i386.deb
  to pool/main/v/vim/vim-common_7.0-122+1etch4_i386.deb
vim-doc_7.0-122+1etch4_all.deb
  to pool/main/v/vim/vim-doc_7.0-122+1etch4_all.deb
vim-full_7.0-122+1etch4_i386.deb
  to pool/main/v/vim/vim-full_7.0-122+1etch4_i386.deb
vim-gnome_7.0-122+1etch4_i386.deb
  to pool/main/v/vim/vim-gnome_7.0-122+1etch4_i386.deb
vim-gtk_7.0-122+1etch4_i386.deb
  to pool/main/v/vim/vim-gtk_7.0-122+1etch4_i386.deb
vim-gui-common_7.0-122+1etch4_all.deb
  to pool/main/v/vim/vim-gui-common_7.0-122+1etch4_all.deb
vim-lesstif_7.0-122+1etch4_i386.deb
  to pool/main/v/vim/vim-lesstif_7.0-122+1etch4_i386.deb
vim-perl_7.0-122+1etch4_i386.deb
  to pool/main/v/vim/vim-perl_7.0-122+1etch4_i386.deb
vim-python_7.0-122+1etch4_i386.deb
  to pool/main/v/vim/vim-python_7.0-122+1etch4_i386.deb
vim-ruby_7.0-122+1etch4_i386.deb
  to pool/main/v/vim/vim-ruby_7.0-122+1etch4_i386.deb
vim-runtime_7.0-122+1etch4_all.deb
  to pool/main/v/vim/vim-runtime_7.0-122+1etch4_all.deb
vim-tcl_7.0-122+1etch4_i386.deb
  to pool/main/v/vim/vim-tcl_7.0-122+1etch4_i386.deb
vim-tiny_7.0-122+1etch4_i386.deb
  to pool/main/v/vim/vim-tiny_7.0-122+1etch4_i386.deb
vim_7.0-122+1etch4.diff.gz
  to pool/main/v/vim/vim_7.0-122+1etch4.diff.gz
vim_7.0-122+1etch4.dsc
  to pool/main/v/vim/vim_7.0-122+1etch4.dsc
vim_7.0-122+1etch4_i386.deb
  to pool/main/v/vim/vim_7.0-122+1etch4_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 435401@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
James Vega <jamessan@debian.org> (supplier of updated vim package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Fri, 17 Aug 2007 22:46:28 -0400
Source: vim
Binary: vim-full vim-lesstif vim-common vim-gnome vim-doc vim-runtime vim vim-gtk vim-perl vim-ruby vim-gui-common vim-tiny vim-python vim-tcl
Architecture: source all i386
Version: 1:7.0-122+1etch4
Distribution: stable-security
Urgency: high
Maintainer: Debian VIM Maintainers <pkg-vim-maintainers@lists.alioth.debian.org>
Changed-By: James Vega <jamessan@debian.org>
Description: 
 vim        - Vi IMproved - enhanced vi editor
 vim-common - Vi IMproved - Common files
 vim-doc    - Vi IMproved - HTML documentation
 vim-full   - Vi IMproved - enhanced vi editor - full fledged version
 vim-gnome  - Vi IMproved - enhanced vi editor - with GNOME2 GUI
 vim-gtk    - Vi IMproved - enhanced vi editor - with GTK2 GUI
 vim-gui-common - Vi IMproved - Common GUI files
 vim-lesstif - Vi IMproved - enhanced vi editor - with LessTif GUI
 vim-perl   - Vi IMproved - enhanced vi editor - with Perl support
 vim-python - Vi IMproved - enhanced vi editor - with Python support
 vim-ruby   - Vi IMproved - enhanced vi editor - with Ruby support
 vim-runtime - Vi IMproved - Runtime files
 vim-tcl    - Vi IMproved - enhanced vi editor - with TCL support
 vim-tiny   - Vi IMproved - enhanced vi editor - compact version
Closes: 435401 438593
Changes: 
 vim (1:7.0-122+1etch4) stable-security; urgency=high
 .
   * Add upstream patches 7.0.234 and 7.0.235 which fix CVE-2007-2438.
     (Closes: #435401)
   * Add upstream patch 7.1.039 which fixes CVE-2007-2953.  (Closes: #438593)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 27 Dec 2007 07:25:23 GMT).



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:37:09 2019; Machine Name: buxtehude
