[VIM] vim editor duplicates / clarifications

Steven M. Christey coley at mitre.org
Thu Aug 23 18:52:08 UTC 2007


After some extensive discussion on vendor-sec with final consultation
with the original developer, it's been determined that 3 distinct
reports are only for 2 unique issues (CVE-wise, anyway).

In short, the vague announcement of Vim 7.1 that referred to "a
security issue" (assigned CVE-2007-2653, aka "OMG VIM VULN" in a
Jericho post to this list in May) turned out to be the official
announcement of the fix for the feedkeys()/modelines issue
(CVE-2007-2438).

During the email exchanges, the developer confirmed that the format
string issue (CVE-2007-2953) is addressed by Patch 7.1.039 and
confirmed that this only has "user-assisted" attack scenarios.

We're keeping CVE-2007-2438 and rejecting CVE-2007-2653 due to active
usage of CVE-2007-2438.

- Steve



======================================================
Name: CVE-2007-2438
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2438
Acknowledged: yes
Announced: 20070426
Flaw: sandbox
Reference: MLIST:[vim-dev] 20070426 feedkeys() allowed in sandbox
Reference: URL:http://marc.info/?l=vim-dev&m=117762581821298&w=2
Reference: MLIST:[vim-dev] 20070428 Re: feedkeys() allowed in sandbox
Reference: URL:http://marc.info/?l=vim-dev&m=117778983714029&w=2
Reference: MLIST:[vimannounce] 20070512 Stable Vim version 7.1 has been released
Reference: URL:http://tech.groups.yahoo.com/group/vimannounce/message/178
Reference: MISC:http://tech.groups.yahoo.com/group/vimdev/message/46627
Reference: MISC:http://tech.groups.yahoo.com/group/vimdev/message/46658
Reference: CONFIRM:http://tech.groups.yahoo.com/group/vimdev/message/46645
Reference: CONFIRM:http://www.vim.org/news/news.php
Reference: CONFIRM:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=238259
Reference: BUGTRAQ:20070430 FLEA-2007-0014-1: vim
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/467202/100/0/threaded
Reference: MANDRIVA:MDKSA-2007:101
Reference: URL:http://frontal2.mandriva.com/security/advisories?name=MDKSA-2007:101
Reference: REDHAT:RHSA-2007:0346
Reference: URL:http://www.redhat.com/support/errata/RHSA-2007-0346.html
Reference: SUSE:SUSE-SR:2007:012
Reference: URL:http://www.novell.com/linux/security/advisories/2007_12_sr.html
Reference: TRUSTIX:2007-0017
Reference: URL:http://www.trustix.org/errata/2007/0017/
Reference: UBUNTU:USN-463-1
Reference: URL:http://www.ubuntu.com/usn/usn-463-1
Reference: VIM:20070513 OMG VIM VULN
Reference: URL:http://attrition.org/pipermail/vim/2007-May/001614.html
Reference: BID:23725
Reference: URL:http://www.securityfocus.com/bid/23725
Reference: FRSIRT:ADV-2007-1599
Reference: URL:http://www.frsirt.com/english/advisories/2007/1599
Reference: SECTRACK:1018035
Reference: URL:http://www.securitytracker.com/id?1018035
Reference: SECUNIA:25024
Reference: URL:http://secunia.com/advisories/25024
Reference: SECUNIA:25159
Reference: URL:http://secunia.com/advisories/25159
Reference: SECUNIA:25182
Reference: URL:http://secunia.com/advisories/25182
Reference: SECUNIA:25255
Reference: URL:http://secunia.com/advisories/25255
Reference: SECUNIA:25367
Reference: URL:http://secunia.com/advisories/25367
Reference: SECUNIA:25432
Reference: URL:http://secunia.com/advisories/25432

The sandbox for vim allows dangerous functions such as (1) writefile,
(2) feedkeys, and (3) system, which might allow user-assisted
attackers to execute shell commands and write files via modelines.
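The description above names three functions (writefile, feedkeys, system) that the sandbox should not have allowed a modeline to reach. As an added detection example (not code from Vim or from MITRE), the following C scanner flags lines that carry a Vim modeline whose option text names one of those functions. The modeline markers follow ":help modeline" (a marker must begin a word); the sample lines, the function list and the scanner itself are constructed here as a defender-side heuristic, not a model of how Vim evaluates modelines.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Constructed sample file contents: one benign modeline, one plain line,
 * and two modelines whose options name sandbox-sensitive functions. */
static const char *SAMPLE_LINES[] = {
    "/* vim: set ts=4 sw=4 et: */",
    "some ordinary text with no modeline",
    "# vim: set foldexpr=system('id'):",
    "-- vi:fdm=expr:fde=feedkeys(\"x\"):",
    NULL
};

/* Markers Vim recognises at the start of a word (see ":help modeline"). */
static const char *MARKERS[] = { "vim:", "vi:", "ex:", "Vim:", "VIM:", "Vi:", NULL };

/* Functions named in the advisory; the match is a plain substring check. */
static const char *SUSPECT[] = { "system(", "feedkeys(", "writefile(", NULL };

/* Return a pointer to the option text after a modeline marker, or NULL
 * when the line carries no modeline. */
static const char *find_modeline(const char *line)
{
    for (const char *p = line; *p; p++) {
        /* the marker must begin a word: start of line or after whitespace */
        if (p != line && !isspace((unsigned char)p[-1])) continue;
        for (int i = 0; MARKERS[i]; i++) {
            size_t n = strlen(MARKERS[i]);
            if (strncmp(p, MARKERS[i], n) == 0) return p + n;
        }
    }
    return NULL;
}

/* 1 if the line holds a modeline naming one of the listed functions, else 0. */
static int modeline_is_suspicious(const char *line)
{
    const char *opts = find_modeline(line);
    if (!opts) return 0;
    for (int i = 0; SUSPECT[i]; i++)
        if (strstr(opts, SUSPECT[i])) return 1;
    return 0;
}

/* Scan a NULL-terminated array of lines; print and count the flagged ones. */
static int scan_lines(const char *const *lines)
{
    int hits = 0;
    for (int i = 0; lines[i]; i++) {
        if (modeline_is_suspicious(lines[i])) {
            printf("suspicious modeline: %s\n", lines[i]);
            hits++;
        }
    }
    return hits;
}

int main(void)
{
    printf("%d line(s) flagged\n", scan_lines(SAMPLE_LINES));
    return 0;
}
```

Run against the constructed sample, two of the four lines are flagged; a line that merely mentions system(...) outside a modeline is not, which keeps the heuristic focused on the modeline vector the description names.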


Analysis:
ACKNOWLEDGEMENT: In a news item announcing VIM 7.1 on 20070512: "Vim
7.1 ... [2007-05-12] ... a few crashing bugs and a security issue were
fixed. For the details see the announcement. Or jump directly to the
download page. (Bram Moolenaar)."  Later feedback from the upstream
developer (and vendor-sec) proved that this vague announcement was
related to this particular issue.


======================================================
Name: CVE-2007-2653
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2653
Acknowledged: 
Announced: 
Flaw: 


** REJECT **

DO NOT USE THIS CANDIDATE NUMBER.  ConsultIDs: CVE-2007-2438.  Reason:
This candidate is a duplicate of CVE-2007-2438.  Notes: All CVE users
should reference CVE-2007-2438 instead of this candidate.  All
references and descriptions in this candidate have been removed to
prevent accidental usage.


======================================================
Name: CVE-2007-2953
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2953
Acknowledged: yes changelog
Announced: 20070727
Flaw: format-string
Reference: BUGTRAQ:20070730 FLEA-2007-0036-1 vim vim-minimal gvim
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/475076/100/100/threaded
Reference: MISC:http://secunia.com/secunia_research/2007-66/advisory/
Reference: CONFIRM:ftp://ftp.vim.org/pub/vim/patches/7.1/7.1.039
Reference: CONFIRM:https://issues.rpath.com/browse/RPL-1595
Reference: BID:25095
Reference: URL:http://www.securityfocus.com/bid/25095
Reference: FRSIRT:ADV-2007-2687
Reference: URL:http://www.frsirt.com/english/advisories/2007/2687
Reference: SECUNIA:25941
Reference: URL:http://secunia.com/advisories/25941
Reference: SECUNIA:26285
Reference: URL:http://secunia.com/advisories/26285
Reference: XF:vim-helptagsone-code-execution(35655)
Reference: URL:http://xforce.iss.net/xforce/xfdb/35655

Format string vulnerability in the helptags_one function in
src/ex_cmds.c in Vim 6.4 and earlier, and 7.x up to 7.1, allows
user-assisted remote attackers to execute arbitrary code via format
string specifiers in a help-tags tag in a help file, related to the
helptags command.
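To make the failure mode concrete, here is an added C illustration (not Vim's helptags_one source and not code from the advisory) of the pattern the description refers to: an untrusted tag string used as the format argument beside the hardened form that passes it through "%s", plus a check a parser can apply before a tag reaches any printf-family call. The tag names are constructed samples.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define MSG_MAX 128

/* Vulnerable pattern (the shape the advisory describes, not Vim's code):
 * the untrusted tag sits in the format-string position, so any '%'
 * sequence inside it is parsed as a conversion directive. */
static int format_tag_unsafe(char *out, size_t outsz, const char *tag)
{
    return snprintf(out, outsz, tag);   /* BAD: data used as a format */
}

/* Hardened form: the format is a fixed literal and the tag is only ever an
 * argument, so a '%' in it is copied verbatim. */
static int format_tag_safe(char *out, size_t outsz, const char *tag)
{
    return snprintf(out, outsz, "%s", tag);
}

/* Defensive check: true if the tag contains a '%' that would begin a
 * directive.  A doubled "%%" is a literal percent and is not flagged. */
static bool tag_has_format_directive(const char *tag)
{
    for (const char *p = tag; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }
        return true;
    }
    return false;
}

int main(void)
{
    /* Constructed sample tags in the shape of help-file tag names. */
    const char *benign  = "help-tags";
    const char *hostile = "help-tags-%x-%s";
    char buf[MSG_MAX];

    format_tag_safe(buf, sizeof buf, hostile);
    printf("safe:   %s\n", buf);   /* the tag appears verbatim */
    printf("flag:   benign=%d hostile=%d\n",
           tag_has_format_directive(benign),
           tag_has_format_directive(hostile));

    /* Passing `hostile` to format_tag_unsafe would let "%x" and "%s" be
     * consumed as directives with no matching arguments (undefined
     * behaviour), so only the benign tag is handed to it here. */
    format_tag_unsafe(buf, sizeof buf, benign);
    printf("unsafe: %s\n", buf);
    return 0;
}
```

The check is the piece worth keeping in a parser of untrusted tag names: with it, a tag such as the one the patch describes (starting with 'help-tags' and containing a percent sign) is rejected or escaped before it can reach a format function, and the "%s" form means the remaining code never depends on that check being complete.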


Analysis:
ACKNOWLEDGEMENT: Patch 7.1.039 states: "A tag in a help file that
starts with 'help-tags' and contains a percent sign may make Vim
crash."