<<< Date Index >>>     <<< Thread Index >>>

OpenLinux: vim arbitrary commands execution through modelines



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


______________________________________________________________________________

                        SCO Security Advisory

Subject:                OpenLinux: vim arbitrary commands execution through 
modelines
Advisory number:        CSSA-2004-015.0
Issue date:             2004 March 30
Cross reference:        sr889557 fz528946 erg712560 CAN-2002-1377
______________________________________________________________________________


1. Problem Description

        vim 6.0 and 6.1, and possibly other versions, allows attackers
        to execute arbitrary commands using the libcall feature in
        modelines, which are not sandboxed but may be executed when
        vim is used as an editor for other products such as mutt. 
        
        The Common Vulnerabilities and Exposures project (cve.mitre.org)
        has assigned the name CAN-2002-1377 to this issue.


2. Vulnerable Supported Versions

        System                          Package
        ----------------------------------------------------------------------
        OpenLinux 3.1.1 Server          prior to vim-6.2-1.i386.rpm
                                        prior to vim-X11-6.2-1.i386.rpm
                                        prior to vim-help-6.2-1.i386.rpm
                                        prior to vim-i18n-6.2-1.i386.rpm

        OpenLinux 3.1.1 Workstation     prior to vim-6.2-1.i386.rpm
                                        prior to vim-X11-6.2-1.i386.rpm
                                        prior to vim-help-6.2-1.i386.rpm
                                        prior to vim-i18n-6.2-1.i386.rpm


3. Solution

        The proper solution is to install the latest packages. Unix
        users with Linux Kernel Personality can use the Caldera System
        Updater, called cupdate (or kcupdate under the KDE environment),
        to update these packages rather than downloading and installing
        them by hand.


4. OpenLinux 3.1.1 Server

        4.1 Package Location

        
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2004-015.0/RPMS

        4.2 Packages

        2eaf8ff7d07ae09123dff2c16e68df5f        vim-6.2-1.i386.rpm
        b9872220a38cad8103089dfe600a188d        vim-X11-6.2-1.i386.rpm
        ec819c86427a02d6c8971ca6567efedd        vim-help-6.2-1.i386.rpm
        7ff1f641f70fc8fb216e2d683b814400        vim-i18n-6.2-1.i386.rpm

        4.3 Installation

        rpm -Fvh vim-6.2-1.i386.rpm
        rpm -Fvh vim-X11-6.2-1.i386.rpm
        rpm -Fvh vim-help-6.2-1.i386.rpm
        rpm -Fvh vim-i18n-6.2-1.i386.rpm

        4.4 Source Package Location

        
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2004-015.0/SRPMS

        4.5 Source Packages

        236756ca0c61400c475c8d84622ade61        vim-6.2-1.src.rpm


5. OpenLinux 3.1.1 Workstation

        5.1 Package Location

        
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2004-015.0/RPMS

        5.2 Packages

        2ebcc5f8e7b0d893b058fc241c7844b5        vim-6.2-1.i386.rpm
        a75f8d7349cfa8e1cb6ba23a0267a7e1        vim-X11-6.2-1.i386.rpm
        f618eaf8d81f2a8ac85ad9c517c28ae5        vim-help-6.2-1.i386.rpm
        cc12e062b2f69bbf2a6c861e0da0749b        vim-i18n-6.2-1.i386.rpm

        5.3 Installation

        rpm -Fvh vim-6.2-1.i386.rpm
        rpm -Fvh vim-X11-6.2-1.i386.rpm
        rpm -Fvh vim-help-6.2-1.i386.rpm
        rpm -Fvh vim-i18n-6.2-1.i386.rpm

        5.4 Source Package Location

        
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2004-015.0/SRPMS

        5.5 Source Packages

        85709bfff745aeda4f4aa090cee834e7        vim-6.2-1.src.rpm


6. References

        Specific references for this advisory:
                http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1377
                
http://lists.netsys.com/pipermail/full-disclosure/2002-December/003330.html
                http://www.guninski.com/vim1.html

        SCO security resources:
                http://www.sco.com/support/security/index.html

        This security fix closes SCO incidents sr889557 fz528946
        erg712560.


7. Disclaimer

        SCO is not responsible for the misuse of any of the information
        we provide on this website and/or through our security
        advisories. Our advisories are a service to our customers intended
        to promote secure installation and use of SCO products.


8. Acknowledgements

        SCO would like to thank  Georgi Guninski

______________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (SCO/UNIX_SVR5)

iD8DBQFAaicpbluZssSXDTERAtg7AJ9W4yP2cEe57fSBioimvf9bKPUHfQCg0aT+
ggzOutLoHFA0w4++nB9/G4U=
=4eTx
-----END PGP SIGNATURE-----