Re: vim security bug
Walter Briscoe wrote:

> >I haven't read older messages yet, thus I don't know if someone[...]
> >suggested a good solution yet. This patch should fix the problem:
> Welcome back, Bram! This list has been lonely without you.

Glad to be missed :-).

> I tried Christian's patch. It prevents the potentially lethal libcall.
> My test file derived from http://www.guninski.com/vim1.html so the
> attack is only made once is
> C:\wfb\vim\bld\vim61\src> nl attack.t
> 1 /* vim:set foldmethod=expr foldexpr=confirm(libcall("/lib/libc.so.6","system","/bin/ls"),"ms_sux"): */
> I think quietly refusing to do what is requested is unhelpful.
> Christian's "EMSG(_(e_sandbox))" is ineffective. Bram's patch has the
> same quietened EMSG call in check_secure(). With either patch, the
> "ms_sux" prompt is given even though the libcall is not activated.

The 'foldexpr' is evaluated silently. That is to avoid that redrawing
the screen causes messages, which causes a redraw that causes messages,
etc. You could get stuck. Setting 'verbose' should give you enough
info to find out why 'foldexpr' doesn't work as expected.

> I don't understand a couple of points:
> why the internal functions suppress diagnostics;
> why internal function failure is not returned to the caller.
> Can I suggest that this bug ought to be the "catalyst" to cause vim 6.2
> to be issued? I think Georgi Guninski is to be congratulated for finding
> the gap in Vim's defences. OTOH, Bram is to be congratulated for
> continuing to support modelines. SUSV3 - the latest POSIX - has
> abandoned them as inherently insecure. I think that decision is craven.

I am certainly considering releasing 6.2 soon. It's mostly a matter of
collecting and checking all patches. I also have quite a few todo items
that should be handled. Don't hold your breath...

hundred-and-one symptoms of being an internet addict:
113. You are asked about a bus schedule, you wonder if it is 16 or 32 bits.
/// Bram Moolenaar -- Bram@... -- http://www.moolenaar.net \\\
/// Creator of Vim - Vi IMproved -- http://www.vim.org \\\
\\\ Project leader for A-A-P -- http://www.a-a-p.org ///
\\\ Lord Of The Rings helps Uganda - http://iccf-holland.org/lotr.html ///
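The attack.t file in the thread plants its payload in a modeline that sets 'foldexpr', an option whose value Vim evaluates as an expression, and Vim only looks for modelines in the first and last few lines of a file. The scanner below is an added example, not code from the thread or from Vim, for finding such files before they are opened: it recognises the two modeline forms documented in Vim's `:help modeline`, extracts the option assignments, and reports any that set an expression-evaluated option in the lines Vim would actually honour. The set of option names it checks, the regular expressions, and the sample file are assumptions of this example; the sample's first line is the attack.t modeline quoted above.

```python
import re
from typing import List, Optional, Tuple

# Vim only honours modelines in the first and last 'modelines' lines of a
# file; 5 is Vim's default value.
MODELINES = 5

# Options whose value Vim evaluates as an expression (long and short names).
# Which options to flag is an assumption of this example; the thread only
# mentions 'foldexpr'.
EXPR_OPTIONS = {
    "foldexpr", "fde",
    "foldtext", "fdt",
    "indentexpr", "inde",
    "includeexpr", "inex",
    "formatexpr", "fex",
}

# The two modeline forms from ':help modeline':
#   [text{white}]{vi:|vim:|ex:}[white]{options}
#   [text{white}]{vi:|vim:|Vim:|ex:}[white]se[t] {options}:[text]
# Version-qualified markers such as "vim600:" or "vim>700:" are accepted too.
_MARKER = re.compile(r'(?:^|\s)(?:vi|[vV]im(?:[<=>]?\d*)?|ex):\s*(.*)$')
# "set" form: options run up to the first unescaped ':' (or end of line).
_SET_FORM = re.compile(r'^se(?:t)?\s+(.*?)(?<!\\)(?::|$)')


def parse_modeline(line: str) -> Optional[List[Tuple[str, str]]]:
    """Return the (option, value) pairs of a modeline, or None if the line is not one."""
    m = _MARKER.search(line)
    if not m:
        return None
    rest = m.group(1)
    s = _SET_FORM.match(rest)
    if s:
        # "set" form: options are separated by whitespace only
        tokens = s.group(1).split()
    else:
        # plain form: options may be separated by whitespace or ':'
        tokens = [t for t in re.split(r'[\s:]+', rest) if t]
    pairs = []
    for tok in tokens:
        name, _, value = tok.partition("=")
        pairs.append((name, value))
    return pairs


def scan_modelines(text: str, modelines: int = MODELINES) -> List[dict]:
    """Report expression options set by modelines in the lines Vim would read:
    only the first and last `modelines` lines of the file."""
    lines = text.splitlines()
    candidates = set(range(min(modelines, len(lines))))
    candidates |= set(range(max(0, len(lines) - modelines), len(lines)))
    findings = []
    for idx in sorted(candidates):
        pairs = parse_modeline(lines[idx])
        if not pairs:
            continue
        for name, value in pairs:
            if name in EXPR_OPTIONS:
                findings.append({"line": idx + 1, "option": name, "value": value})
    return findings


# Constructed sample file: the attack.t modeline from the thread on line 1,
# a decoy on line 6 (outside the head and tail windows, so Vim ignores it),
# and a harmless modeline on the last line.
SAMPLE = "\n".join([
    '/* vim:set foldmethod=expr foldexpr=confirm(libcall("/lib/libc.so.6","system","/bin/ls"),"ms_sux"): */',
    "#include <stdio.h>",
    "",
    "int main(void) { return 0; }",
    "",
    "/* vim:set indentexpr=1: */",
    "",
    "/* padding */",
    "/* padding */",
    "/* padding */",
    "/* padding */",
    "/* vim: set ts=4 sw=4: */",
])

if __name__ == "__main__":
    for f in scan_modelines(SAMPLE):
        print(f"line {f['line']}: {f['option']}={f['value']}")
```

Because the sandbox (or a patch to it) decides at evaluation time whether 'foldexpr' may call `libcall()`, this kind of static check is a complement, not a replacement: it tells you which files carry expression-setting modelines so you can inspect them with `'modeline'` off or `'verbose'` raised, as the reply above suggests.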