Bug#320017: marked as done (vim: Arbitrary code execution in modelines (CAN-2005-2368))

Debian Bug Tracking System owner at bugs.debian.org
Sat Dec 17 07:48:04 UTC 2005


Your message dated Fri, 16 Dec 2005 23:24:46 -0800
with message-id <E1EnWQw-0007I5-In at spohr.debian.org>
and subject line Bug#320017: fixed in vim 1:6.3-071+1sarge1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 26 Jul 2005 12:34:24 +0000
Date: Tue, 26 Jul 2005 14:33:31 +0200
From: Martin Pitt <martin.pitt at canonical.com>
To: submit at bugs.debian.org
Cc: security at debian.org
Subject: vim: Arbitrary code execution in modelines
Message-ID: <20050726123331.GA16500 at piware.de>

Package: vim
Version: 1:6.3-078+1
Severity: grave
Tags: security

Hi!

Georgi Guninski found another modeline vuln in vim:

  http://www.guninski.com/where_do_you_want_billg_to_go_today_5.html

I already asked for a CAN number, I'll forward it when I get one.

You can get the Ubuntu debdiff from

  http://patches.ubuntu.com/patches/vim.code-modelines.diff

for fixing sarge and possibly woody. For unstable, you should probably
just upgrade to the latest upstream version.

Thanks,

Martin

-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org


---------------------------------------
Received: (at 320017-close) by bugs.debian.org; 17 Dec 2005 07:33:14 +0000
From: Norbert Tretkowski <nobse at debian.org>
To: 320017-close at bugs.debian.org
X-Katie: $Revision: 1.17 $
Subject: Bug#320017: fixed in vim 1:6.3-071+1sarge1
Message-Id: <E1EnWQw-0007I5-In at spohr.debian.org>
Sender: Archive Administrator <katie at ftp-master.debian.org>
Date: Fri, 16 Dec 2005 23:24:46 -0800

Source: vim
Source-Version: 1:6.3-071+1sarge1

We believe that the bug you reported is fixed in the latest version of
vim, which is due to be installed in the Debian FTP archive:

vim-common_6.3-071+1sarge1_all.deb
  to pool/main/v/vim/vim-common_6.3-071+1sarge1_all.deb
vim-doc_6.3-071+1sarge1_all.deb
  to pool/main/v/vim/vim-doc_6.3-071+1sarge1_all.deb
vim-full_6.3-071+1sarge1_i386.deb
  to pool/main/v/vim/vim-full_6.3-071+1sarge1_i386.deb
vim-gnome_6.3-071+1sarge1_i386.deb
  to pool/main/v/vim/vim-gnome_6.3-071+1sarge1_i386.deb
vim-gtk_6.3-071+1sarge1_i386.deb
  to pool/main/v/vim/vim-gtk_6.3-071+1sarge1_i386.deb
vim-lesstif_6.3-071+1sarge1_i386.deb
  to pool/main/v/vim/vim-lesstif_6.3-071+1sarge1_i386.deb
vim-perl_6.3-071+1sarge1_i386.deb
  to pool/main/v/vim/vim-perl_6.3-071+1sarge1_i386.deb
vim-python_6.3-071+1sarge1_i386.deb
  to pool/main/v/vim/vim-python_6.3-071+1sarge1_i386.deb
vim-ruby_6.3-071+1sarge1_i386.deb
  to pool/main/v/vim/vim-ruby_6.3-071+1sarge1_i386.deb
vim-tcl_6.3-071+1sarge1_i386.deb
  to pool/main/v/vim/vim-tcl_6.3-071+1sarge1_i386.deb
vim_6.3-071+1sarge1.diff.gz
  to pool/main/v/vim/vim_6.3-071+1sarge1.diff.gz
vim_6.3-071+1sarge1.dsc
  to pool/main/v/vim/vim_6.3-071+1sarge1.dsc
vim_6.3-071+1sarge1_i386.deb
  to pool/main/v/vim/vim_6.3-071+1sarge1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 320017 at bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Norbert Tretkowski <nobse at debian.org> (supplier of updated vim package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster at debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 30 Jul 2005 12:16:45 +0200
Source: vim
Binary: vim-full vim-lesstif vim-common vim-doc vim-gnome vim vim-gtk vim-perl vim-tiny vim-ruby vim-python vim-tcl
Architecture: source i386 all
Version: 1:6.3-071+1sarge1
Distribution: stable
Urgency: high
Maintainer: Debian VIM Maintainers <pkg-vim-maintainers at lists.alioth.debian.org>
Changed-By: Norbert Tretkowski <nobse at debian.org>
Description: 
 vim        - Vi IMproved - enhanced vi editor
 vim-common - Vi IMproved - Common files
 vim-doc    - Vi IMproved - Documentation files
 vim-full   - Vi IMproved - full fledged version of the enhanced vi editor
 vim-gnome  - Vi IMproved - GNOME2 Version
 vim-gtk    - Vi IMproved - GTK2 Version
 vim-lesstif - Vi IMproved - LessTif Version
 vim-perl   - Vi IMproved, with perl scripting support
 vim-python - Vi IMproved, with python scripting support
 vim-ruby   - Vi IMproved, with ruby scripting support
 vim-tcl    - Vi IMproved, with tcl scripting support
Closes: 320017
Changes: 
 vim (1:6.3-071+1sarge1) stable; urgency=high
 .
   * New upstream patches (081 and 082), see README.gz for details.
     + 6.3.081, 6.3.082: Fix arbitrary shell commands execution by wrapping
       them in glob() or expand() function calls in modelines. (CAN-2005-2368)
       (closes: #320017)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFC61tBr/RnCw96jQERAhKrAJ42nxUBKM+emlaDnbfCH1AfLuW5eACcCPvR
a+JS+a2/OrXKeVbCtCAijYk=
=1jxx
-----END PGP SIGNATURE-----



