Bug#291125: marked as done (vim: temporary file vulnerabilities (CAN-2005-0069))
Debian Bug Tracking System
owner@bugs.debian.org
Sun, 03 Apr 2005 06:03:25 -0700
Your message dated Sun, 03 Apr 2005 08:32:09 -0400
with message-id <E1DI4Gv-00056l-00@newraff.debian.org>
and subject line Bug#289560: fixed in vim 6.1.018-1woody1
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Date: Tue, 18 Jan 2005 16:50:17 -0500
From: Joey Hess <joeyh@debian.org>
To: submit@bugs.debian.org
Subject: vim: temporary file vulnerabilities (CAN-2005-0069)
Message-ID: <20050118215016.GA6420@kitenet.net>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
protocol="application/pgp-signature"; boundary="XF85m9dhOBO43t/C"
Content-Disposition: inline
User-Agent: Mutt/1.5.6+20040907i
--XF85m9dhOBO43t/C
Content-Type: multipart/mixed; boundary="CE+1k2dSO48ffgeK"
Content-Disposition: inline
--CE+1k2dSO48ffgeK
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
Package: vim
Version: 1:6.3-054+1
Severity: grave
Tags: patch security
As described in the Ubuntu advisory below, vim's tcltags and vimspell
scripts use temp files insecurely. I've attached a patch I extracted from
the Ubuntu diff.
----- Forwarded message from Martin Pitt <martin.pitt@canonical.com> -----
From: Martin Pitt <martin.pitt@canonical.com>
Date: Tue, 18 Jan 2005 17:56:58 +0100
To: ubuntu-security-announce@lists.ubuntu.com
Cc: full-disclosure@lists.netsys.com, bugtraq@securityfocus.com
Subject: [USN-61-1] vim vulnerabilities
User-Agent: Mutt/1.5.6+20040907i
===========================================================
Ubuntu Security Notice USN-61-1 January 18, 2005
vim vulnerabilities
CAN-2005-0069
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 4.10 (Warty Warthog)
The following packages are affected:
kvim
vim
vim-gnome
vim-gtk
vim-lesstif
vim-perl
vim-python
vim-tcl
The problem can be corrected by upgrading the affected package to
version 1:6.3-025+1ubuntu2.2. In general, a standard system upgrade is
sufficient to effect the necessary changes.
Details follow:
Javier Fernández-Sanguino Peña noticed that the auxiliary scripts
"tcltags" and "vimspell.sh" created temporary files in an insecure
manner. This could allow a symbolic link attack to create or overwrite
arbitrary files with the privileges of the user invoking the script
(either by calling it directly or by execution through vim).
----- End forwarded message -----
-- 
see shy jo
--CE+1k2dSO48ffgeK
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="vim.tmpfile"
Content-Transfer-Encoding: quoted-printable
diff -urN vim63/runtime/tools/tcltags vim63.new/runtime/tools/tcltags
--- vim63/runtime/tools/tcltags 1999-08-01 14:01:46.000000000 +0200
+++ vim63.new/runtime/tools/tcltags 2005-01-18 16:25:24.452393560 +0100
@@ -8,7 +8,8 @@
program_version=3D"0.3"
program_author=3D"Darren Hiebert"
author_email=3D"darren@hiebert.com"
-tmp_tagfile=3D/tmp/${program_name}.$$
+tmp_tagfile=3D`mktemp -t tcltagXXXXXX` || exit 1
+trap "rm -rf $tmp_tagfile" 0 1 2 3 9 11 13 15
=20
usage=3D"\
Usage: $program_name [-au] [-{f|o} tagfile] [--format=3Dn] file(s)
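Review bot: the added trap line lists signal 9, which a shell cannot catch, and its double-quoted command string expands $tmp_tagfile when the trap is set and passes it to rm unquoted, so a temporary directory path containing whitespace would be split into several arguments. Suggest trap 'rm -f "$tmp_tagfile"' 0 1 2 3 13 15 instead: single quotes defer the expansion, -f is enough for the regular file mktemp creates, and the untrappable 9 goes away. The handler also never calls exit, so after a caught signal the script keeps running with its temporary file already removed; a separate signal trap that cleans up and then exits would avoid that.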
diff -urN vim63/runtime/tools/vimspell.sh vim63.new/runtime/tools/vimspell.=
sh
--- vim63/runtime/tools/vimspell.sh 1999-08-01 14:01:46.000000000 +0200
+++ vim63.new/runtime/tools/vimspell.sh 2005-01-18 16:20:40.774519152 +0100
@@ -13,9 +13,7 @@
# March 1999
=20
INFILE=3D$1
-OUTFILE=3D/tmp/vimspell.$$
-# if you have "tempfile", use the following line
-#OUTFILE=3D`tempfile`
+OUTFILE=3D`mktemp -t vimspellXXXXXX` || exit 1
=20
#
# local spellings
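Review bot: unlike the tcltags hunk, the new OUTFILE assignment in vimspell.sh gets no cleanup trap, so whether the file mktemp creates is removed when the script is interrupted depends on code outside this hunk. Suggest adding a trap right after the assignment that removes "$OUTFILE" on exit and on the usual signals, or confirming that every exit path of the script already deletes it.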
--CE+1k2dSO48ffgeK--
--XF85m9dhOBO43t/C
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
iD8DBQFB7YSXd8HHehbQuO8RAkcwAJwKqEvPHJIcA35dIGiAPHBzzjEGuwCfYPZ+
U6tUcStJTCtIfROCYYq/Jwg=
=PeGK
-----END PGP SIGNATURE-----
--XF85m9dhOBO43t/C--
---------------------------------------
From: Norbert Tretkowski <nobse@debian.org>
To: 289560-close@bugs.debian.org
X-Katie: $Revision: 1.55 $
Subject: Bug#289560: fixed in vim 6.1.018-1woody1
Message-Id: <E1DI4Gv-00056l-00@newraff.debian.org>
Sender: Archive Administrator <katie@ftp-master.debian.org>
Date: Sun, 03 Apr 2005 08:32:09 -0400
Source: vim
Source-Version: 6.1.018-1woody1
We believe that the bug you reported is fixed in the latest version of
vim, which is due to be installed in the Debian FTP archive:
vim-gtk_6.1.018-1woody1_i386.deb
to pool/main/v/vim/vim-gtk_6.1.018-1woody1_i386.deb
vim-perl_6.1.018-1woody1_i386.deb
to pool/main/v/vim/vim-perl_6.1.018-1woody1_i386.deb
vim-python_6.1.018-1woody1_i386.deb
to pool/main/v/vim/vim-python_6.1.018-1woody1_i386.deb
vim-ruby_6.1.018-1woody1_i386.deb
to pool/main/v/vim/vim-ruby_6.1.018-1woody1_i386.deb
vim-tcl_6.1.018-1woody1_i386.deb
to pool/main/v/vim/vim-tcl_6.1.018-1woody1_i386.deb
vim_6.1.018-1woody1.diff.gz
to pool/main/v/vim/vim_6.1.018-1woody1.diff.gz
vim_6.1.018-1woody1.dsc
to pool/main/v/vim/vim_6.1.018-1woody1.dsc
vim_6.1.018-1woody1_i386.deb
to pool/main/v/vim/vim_6.1.018-1woody1_i386.deb
vim_6.1.018.orig.tar.gz
to pool/main/v/vim/vim_6.1.018.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 289560@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Norbert Tretkowski <nobse@debian.org> (supplier of updated vim package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sun, 3 Apr 2005 12:35:25 +0200
Source: vim
Binary: vim-python vim-gtk vim-ruby vim vim-tcl vim-perl
Architecture: source i386
Version: 6.1.018-1woody1
Distribution: stable
Urgency: medium
Maintainer: Debian VIM Maintainers <pkg-vim-maintainers@lists.alioth.debian.org>
Changed-By: Norbert Tretkowski <nobse@debian.org>
Description:
vim - Vi IMproved - enhanced vi editor
vim-gtk - Vi IMproved - GTK version
vim-perl - Vi IMproved, with perl scripting support
vim-python - Vi IMproved, with python scripting support
vim-ruby - Vi IMproved, with ruby scripting support
vim-tcl - Vi IMproved, with tcl scripting support
Closes: 286223 289560 291125
Changes:
vim (6.1.018-1woody1) stable; urgency=medium
.
* CAN-2004-1138: Backported and applied patch 6.3.045 which fixes several
vulnerabilities related to the use of options in modelines.
(closes: #286223)
* CAN-2005-0069: Use mktemp instead of insecure $$ construction to create
temporary files in vimspell.sh and tcltags. (closes: #289560, #291125)
* Set maintainer address to project mailinglist on alioth and added myself to
uploaders.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)
iD8DBQFCT99Cr/RnCw96jQERArr/AJ0WFx40y2sGLzF6eSat3Ta/PS5adgCgik7T
MjjF6BRIAGXVK1fxNnCqtPg=
=ZUIQ
-----END PGP SIGNATURE-----
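The difference between the `$$` construction and `mktemp` named in the advisory and the changelog, as an added example that is not part of the original thread or of the vim package: a check, confined to a private sandbox directory, that reports whether each pattern writes through a link already present at its target name. The function names, the canary file and the sandbox layout are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: checks whether a temp-file pattern writes through a link that
# already exists at its target name. All paths live in a private sandbox.

# Pre-patch pattern: predictable name built from $$, opened by a plain
# redirect. The redirect follows whatever already sits at that name.
create_predictable() {          # $1 = directory, $2 = program name
    tmp="$1/$2.$$"
    echo "scratch data" > "$tmp"
}

# Patched pattern: mktemp picks an unused random name and creates the file
# exclusively, so a name that is already taken is never reused.
create_with_mktemp() {          # $1 = directory, $2 = name prefix
    tmp=$(mktemp "$1/${2}XXXXXX") || return 1
    echo "scratch data" > "$tmp"
}

# Runs one pattern in a sandbox where the predictable name is already a
# symlink to a canary file, then reports whether the canary was changed.
check_pattern() {               # $1 = name of the function to test
    sandbox=$(mktemp -d) || return 1
    canary="$sandbox/canary"
    echo "untouched" > "$canary"
    ln -s "$canary" "$sandbox/tcltags.$$"    # constructed precondition
    "$1" "$sandbox" tcltags
    content=$(cat "$canary")
    rm -rf "$sandbox"
    if [ "$content" = "untouched" ]; then
        echo "safe"
    else
        echo "wrote-through-link"
    fi
}

echo "predictable name: $(check_pattern create_predictable)"
echo "mktemp:           $(check_pattern create_with_mktemp)"
```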