Re: Re: More arbitrary code executions in Netrw version 125, Vim 7.2a.10

["Jan Minář" <rdancer () rdancer org>]

Hi!

Thanks for CCing me.  Thomas's observations are right.

On Thu, Jul 10, 2008 at 5:55 PM, Tomas Hoger <thoger () redhat com> wrote:

> obvious to me why zip and tar tests are included in the test suite.
> Maybe just to point out that those issues are still unfixed.

Indeed, I included all that had not been fixed in the test suite.

> Moreover, if you diff zipplugin directories in vulnerablevim.tar.bz2
> and vulnerablevim-netrw.tar.bz2, you will see this test did not change
> at all between the two test suites.  So CVE-2008-3075 should already
> be covered by previous CVE-2008-2712.

The zip exploit is the same.  It still has not been fixed as of Vim
7.2a.19/zip.vim v19.

> tarplugin test was updated since the first test suite to use different
> payload.  I'm not really sure if it is the same issue or not, but the
> new exploit is blocked by the previously proposed Jan's patch.  So it
> may be the same issue as described in the first advisory.  Btw,

There are two attack vectors, both fixed in the original patch of
mine.  I only updated the tarplugin exploit to use the other vector.

> CVE-2008-2712 description does not mention tar.vim issue.  It is
> described in 3.4.2.3, but its test does not seem to be run when doing
> make test for the top-most Makefile in the first test suite.

That's correct, I omitted the test from the top-most Makefile by mistake.

Hope that helps.
Jan.