[OpenPKG-SA-2003.003] OpenPKG Security Advisory (vim)

[OpenPKG <openpkg () openpkg org>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security () openpkg org                         openpkg () openpkg org
OpenPKG-SA-2003.003                                          21-Jan-2003
________________________________________________________________________

Package:             vim
Vulnerability:       arbitrary command execution
OpenPKG Specific:    no

Affected Releases:   Affected Packages:          Corrected Packages:
OpenPKG CURRENT      <= vim-6.1.264-20021223     >= vim-6.1.266-20021224
OpenPKG 1.1          <= vim-6.1.165-1.1.0        >= vim-6.1.165-1.1.1
OpenPKG 1.0          <= vim-6.0.92-1.0.1         >= vim-6.0.92-1.0.2

Affected Releases:   Dependent Packages: none

Description:
  According to a security advisory from Georgi Guninski [0] a
  vulnerability exists in the Vim (Vi Improved) text editor [1] which
  allows arbitrary command execution using the libcall feature in
  modelines.  The Common Vulnerabilities and Exposures (CVE) project
  assigned the id CAN-2002-1377 [2] to the problem. Both versions 6.0
  and 6.1 are affected.  The necessary patch was incorporated into the
  6.1 source tree beginning with patchlevel 265. We have backported the
  patch to the 6.0.92 and 6.1.165 releases.

  Please check whether you are affected by running "<prefix>/bin/rpm
  -q vim". If you have the "vim" package installed and its version
  is affected (see above), we recommend that you immediately upgrade
  it (see Solution). [3][4]

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
  location, verify its integrity [9], build a corresponding binary RPM
  from it [3] and update your OpenPKG installation by applying the binary
  RPM [4]. For the current release OpenPKG 1.1, perform the following
  operations to permanently fix the security problem (for other releases
  adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.1/UPD
  ftp> get vim-6.1.165-1.1.1.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm -v --checksig vim-6.1.165-1.1.1.src.rpm
  $ <prefix>/bin/rpm --rebuild vim-6.1.165-1.1.1.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/1.1.*.rpm
________________________________________________________________________

References:
  [0] http://www.guninski.com/vim1.html
  [1] http://www.vim.org/
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1377
  [3] http://www.openpkg.org/tutorial.html#regular-source
  [4] http://www.openpkg.org/tutorial.html#regular-binary
  [5] ftp://ftp.openpkg.org/release/1.0/UPD/vim-6.0.92-1.0.2.src.rpm
  [6] ftp://ftp.openpkg.org/release/1.1/UPD/vim-6.1.165-1.1.1.src.rpm
  [7] ftp://ftp.openpkg.org/release/1.0/UPD/
  [8] ftp://ftp.openpkg.org/release/1.1/UPD/
  [9] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with
the OpenPGP public key "OpenPKG <openpkg () openpkg org>" (ID 63C4CB9F)
of the OpenPKG project which you can find under the official URL
http://www.openpkg.org/openpkg.pgp or on http://keyserver.pgp.com/. To
check the integrity of this advisory, verify its digital signature by
using GnuPG (http://www.gnupg.org/). For instance, pipe this message to
the command "gpg --verify --keyserver keyserver.pgp.com".
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg () openpkg org>

iD8DBQE+LQmJgHWT4GPEy58RAnk6AKDfv6ITdoQQc/DaPReKpPrkjcw4wQCfV7QY
zbz/d6jfXkRWc8Uyzl0JnUk=
=JeMp
-----END PGP SIGNATURE-----