<<< Date Index >>>     <<< Thread Index >>>

FLEA-2007-0014-1: vim



Foresight Linux Essential Advisory: 2007-0014-1
Published: 2007-04-30

Rating: Minor

Updated Versions:
    gvim=/foresight.rpath.org@fl:1-devel//1/7.0.235-1-1
    vim=/foresight.rpath.org@fl:1-devel//1/7.0.235-1-1
    vim-minimal=/foresight.rpath.org@fl:1-devel//1/7.0.235-1-1
    group-dist=/foresight.rpath.org@fl:1-devel//1/1.2.1-0.3-2

References:
    https://issues.rpath.com/browse/RPL-1320
    http://marc.info/?t=117762599300001&r=1&w=2

Description:
Previous versions of the vim package allowed two functions, feedkeys() and writefile(), to be used in the sandbox. Functions executed via modelines in files being edited are verified by the sandbox; a user who is coerced into opening a specially-crafted file could cause the system to execute arbitrary shell code supplied by the attacker.