oss-sec mailing list archives
Re: Re: More arbitrary code executions in Netrw version 125, Vim 7.2a.10
From: Tomas Hoger <thoger () redhat com>
Date: Tue, 5 Aug 2008 16:42:29 +0200
Hi Steven!

I'll try to answer some of the questions where I can...

On Thu, 31 Jul 2008 20:44:12 -0400 (EDT) "Steven M. Christey" <coley () linus mitre org> wrote:
> heap overflow, demonstrated by netrw.v3
>   - NEW CVE assigned: CVE-2008-3432
>   - vim 6.2 and 6.3 (mch_expand_wildcards)
>   - http://www.openwall.com/lists/oss-security/2008/07/15/4
I guess you can safely use 6.2.429 - 6.3.059 here, as it was identified which change introduced and which resolved the problem.
> tar.vim
>   - Report TAR-3 assignment of CVE-2008-3074 to "tarplugin"
>     http://www.openwall.com/lists/oss-security/2008/07/10/7
>   - already used by rPath in advisory
Was it? There are very few public references to this id found by google. The rPath link goes to their issue tracker: https://issues.rpath.com/browse/RPL-2651
> zip.vim
>   - Report ZIP-1 rdancer says "zip.vim" as well as "zipPlugin.vim"
" zip.vim: Handles browsing zipfiles
"   AUTOLOAD PORTION

" zipPlugin.vim: Handles browsing zipfiles
"   PLUGIN PORTION

zipPlugin.vim only seems to be an interface to the functionality implemented in zip.vim. The actual issues should be in zip.vim, but the terms are likely used as synonyms in the advisory.
>   - Vim 7.1.298 and 6.4
vim-6.4.tar.bz2 does not contain zip.vim, and it is not added by the subsequent 6.4 patches (ftp://ftp.vim.org/pub/vim/patches/6.4/). I guess this should be 7.0+, just like the tar.vim issues.
>   - Report ZIP-2 Tomas Hoger suggests "still unfixed"
>     http://www.openwall.com/lists/oss-security/2008/07/10/7
That comment was based on Jan's advisory vulnerablevim-netrw.html, which was updated to cover the current state of the upstream fixes, and was still listing tar and zip as vulnerable.
>   - CVE-2008-3075 assigned; used by rPath
>   - since CVE-2008-2712 issues were fixed and zip.vim remains unfixed, a SPLIT from CVE-2008-2712 is reasonable
Similar to CVE-2008-3074 above.
>   - Report ZIP-3 Tomas Hoger says "only 7.0 and 7.1" affected
In the context of GA versions, without additional patches. I'm not sure what the current status is wrt 7.1 official patches. 7.0 should be the first affected; all 7.0.x should be affected.
> 3) Given the varying results for TAR-1 through TAR-4, should zip.vim be split from the tar issues? What about zipplugin.vim?
Given http://www.openwall.com/lists/oss-security/2008/07/08/12 , they are currently split.
> 4) It might be reasonable to remove item (2) from CVE-2008-2712.
Probably yes, based on first affected versions.
> Looking at netrw.v2:
>   - Report NETRW2-a rdancer says "mx" and "mz" in:
>     http://www.rdancer.org/vulnerablevim-netrw.html
>     NO version information provided in this advisory, but title indicates "Netrw version 125, Vim 7.2a.10"
>   - Report NETRW2-b Tomas Hoger mentions "mz and mc" in:
>     http://www.openwall.com/lists/oss-security/2008/07/15/4
>     but: mc is probably referring to netrw.v3, so not relevant here
>     mz "should only affect 7.2 alpha"
Actually, the advisory is:

1. Compression and Decompression (The ``mz'' Command)
   (which mentions mx and mz; the context of mx is a bit unclear)
   netrw.v2 demonstrates the mz flaw.

2. Copying Files (The ``mc'' Command)
   demonstrated by netrw.v3

All 3 commands - mx, mz and mc - are only recognized by the netrw version bundled with 7.2 alpha. These issues did not affect 7.1.x and previous.
> 1) What role, if any, does "mf" play (NETRW2-c)? It's listed as a "prerequisite" then nothing else is said. Does it have a vulnerability? Or does the victim need to mark a file before decompressing it?
mf is used in netrw.v[23] to mark files, before compress / copy is run on them.
> 3) Which combination of mx, mz, and mf is really being covered by the netrw.v2 test case?
mf mz is the command sequence executed.
> Looking at netrw.v3:
> 1) NETRW3-c is clearly different, so CVE-2008-3432 is assigned.
It was not the purpose of netrw.v3 to demonstrate this; it just accidentally uncovered this issue. Taking into account which versions are affected by this, I guess it's quite unlikely this affects anyone but us at this point in time.
> 2) Are NETRW3-a and NETRW3-b talking about the same issue?
Probably not. -a talks about mx and mz, but demonstrates mz. -b is about mc. Should be different issues.
> Looking at netrw explorer.vim plugin:
>   - Report EXP-1 "netrw" test case triggers "similar problem" in explorer.vim:
>     http://www.openwall.com/lists/oss-security/2008/07/15/2
>     - in vim 6.x
>   - Report EXP-2 "netrw.v4" test case does not affect explorer.vim
> 1) Does this need a separate ID? If not, which does it belong with?
Given that it affects different plugins, a separate id seems to make sense wrt the rules for how CVE ids are usually assigned.

--
Tomas Hoger / Red Hat Security Response Team