Message-Id: <200806141309.m5ED9bLg058230@moolenaar.net>
Date: Sat, 14 Jun 2008 15:09:37 +0200
From: Bram Moolenaar <Bram@...lenaar.net>
To: "Jan Minář" <rdancer@...ncer.org>
Cc: vim_dev@...glegroups.com, full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Re: Collection of Vulnerabilities in Fully Patched Vim 7.1

Jan Minar wrote:

> 1. Summary
>
> Product  : Vim -- Vi IMproved
> Version  : Tested with 7.1.314 and 6.4
> Impact   : Arbitrary code execution
> Wherefrom: Local and remote
> Original : http://www.rdancer.org/vulnerablevim.html
>
> Improper quoting in some parts of Vim written in the Vim Script can lead to
> arbitrary code execution upon opening a crafted file.

Thanks to Jan for finding these problems and explaining them exhaustively.

I received a note a month ago and all reported problems have been fixed,
either by patches or by updates to the runtime files.

Note that version 7.1.314, as reported in the Summary, does not have most of
the reported problems.

The problems in the plugins have also been fixed; this requires updating the
runtime files. Information about that can be found at
http://www.vim.org/runtime.php

Patch 7.1.299 has added the fnameescape() function, which fixes the reported
issues with escaping command arguments. It's not as difficult as suggested
in the report.

If you find any remaining or related problems, please report to me directly.
That's the best way to get them fixed.

-- 
How To Keep A Healthy Level Of Insanity:
15. Five days in advance, tell your friends you can't attend their party
    because you're not in the mood.

 /// Bram Moolenaar -- Bram@...lenaar.net -- http://www.Moolenaar.net   \\\
///        sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\        download, build and distribute -- http://www.A-A-P.org        ///
 \\\            help me help AIDS victims -- http://ICCF-Holland.org    ///

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
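The quoting problem the report describes, and the fnameescape() remedy Bram points to, are illustrated by the following Vim script. This is an added example, not code from the message above, from the advisory or from the Vim project; the function names OpenUnsafe and OpenSafe and the file names used are constructed for illustration. It shows the pattern in which a file name is concatenated into an Ex command unescaped, next to the same command built with fnameescape().

```vim
" Added example (not from the original message or the Vim project):
" building an :edit command from a file name in Vim script.
" The function names and file names below are constructed for illustration.

" Unsafe: the name is pasted verbatim into the command line, so characters
" that are special in a file-name argument (space, %, #, ...) are
" interpreted by the Ex command parser instead of being treated as part of
" the file name. This is the class of defect the report calls
" "improper quoting".
function! OpenUnsafe(name) abort
  execute 'edit ' . a:name
endfunction

" Safe: fnameescape() (added in patch 7.1.299) backslash-escapes every
" character that has a special meaning in a file-name argument, so the whole
" string is consumed as one file name.
function! OpenSafe(name) abort
  execute 'edit ' . fnameescape(a:name)
endfunction

" Self-check on constructed names; echoes an error if fnameescape() does
" not escape the characters the two functions above depend on.
function! CheckEscaping() abort
  let l:cases = {
        \ 'my notes.txt':  'my\ notes.txt',
        \ 'report%.txt':   'report\%.txt',
        \ 'report#1.txt':  'report\#1.txt',
        \ }
  for [l:raw, l:expected] in items(l:cases)
    if fnameescape(l:raw) !=# l:expected
      echoerr 'fnameescape(' . string(l:raw) . ') gave '
            \ . string(fnameescape(l:raw)) . ', expected ' . string(l:expected)
    endif
  endfor
endfunction
```

With a name containing a space, OpenUnsafe() hands :edit two arguments and Vim stops with "E172: Only one file name allowed"; with an unescaped '%' or '#' Vim substitutes the current or alternate buffer name, so a different file than intended is opened. OpenSafe() opens exactly the file whose name was passed in. The general rule for plugin authors is the one Bram states: whenever a string that did not originate in the script itself becomes part of an :execute'd command, pass it through fnameescape() (or shellescape() for shell commands) rather than hand-rolling the quoting.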