[Bug 240216] Re: Collection of vulnerabilities in Vim reported by rdancer
Bug Watch Updater
240216 at bugs.launchpad.net
Sun Jun 1 10:00:48 UTC 2014
Launchpad has imported 16 comments from the remote bug at
https://bugs.gentoo.org/show_bug.cgi?id=227453.
------------------------------------------------------------------------
On 2008-06-16T15:03:54+00:00 GNUtoo wrote:
Vim Shell Command Injection Vulnerabilities, see the URL.
Reproducible: Always
Reply at:
https://bugs.launchpad.net/ubuntu/+source/vim/+bug/240216/comments/1
------------------------------------------------------------------------
On 2008-06-20T12:37:28+00:00 Ali Polatel wrote:
I've bumped vim-core,vim and gvim to 7.1.319.
@security: I plan to remove vim-6.4. Do you want me to mask it or will you do it?
Reply at:
https://bugs.launchpad.net/ubuntu/+source/vim/+bug/240216/comments/2
------------------------------------------------------------------------
On 2008-07-06T18:59:00+00:00 Py wrote:
ali: please proceed with the mask.
Arches, please test and mark stable app-editors/vim-core-7.1.319. Target KEYWORDS: "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc ~sparc-fbsd x86 ~x86-fbsd"
Reply at:
https://bugs.launchpad.net/ubuntu/+source/vim/+bug/240216/comments/4
------------------------------------------------------------------------
On 2008-07-06T20:11:28+00:00 Bluebird wrote:
Are we supposed to just stabilize vim-core or vim-core, vim and gvim?
Reply at:
https://bugs.launchpad.net/ubuntu/+source/vim/+bug/240216/comments/5
------------------------------------------------------------------------
On 2008-07-06T20:17:58+00:00 Py wrote:
(In reply to comment #3)
> Are we supposed to just stabilize vim-core or vim-core, vim and gvim?
>
both of them, my mistake.
Reply at:
https://bugs.launchpad.net/ubuntu/+source/vim/+bug/240216/comments/6
------------------------------------------------------------------------
On 2008-07-06T20:21:38+00:00 Jeroen Roovers wrote:
(In reply to comment #4)
> (In reply to comment #3)
> > Are we supposed to just stabilize vim-core or vim-core, vim and gvim?
> >
>
> both of them, my mistake.
All three of them.
Reply at:
https://bugs.launchpad.net/ubuntu/+source/vim/+bug/240216/comments/7
------------------------------------------------------------------------
On 2008-07-06T21:00:04+00:00 Cla-o wrote:
amd64/x86 stable
Reply at:
https://bugs.launchpad.net/ubuntu/+source/vim/+bug/240216/comments/8
------------------------------------------------------------------------
On 2008-07-06T21:05:33+00:00 Cla-o wrote:
Also unCC arches.
Reply at:
https://bugs.launchpad.net/ubuntu/+source/vim/+bug/240216/comments/9
------------------------------------------------------------------------
On 2008-07-06T21:45:16+00:00 Jeroen Roovers wrote:
Stable for HPPA.
Reply at:
https://bugs.launchpad.net/ubuntu/+source/vim/+bug/240216/comments/10
------------------------------------------------------------------------
On 2008-07-06T22:38:29+00:00 Fmccor wrote:
All three stable on sparc. I've been using [vim, gvim]-7.1.319 pretty
heavily for almost four weeks with no problems.
Reply at:
https://bugs.launchpad.net/ubuntu/+source/vim/+bug/240216/comments/11
------------------------------------------------------------------------
On 2008-07-07T02:56:22+00:00 Ranger-z wrote:
ppc and ppc64 done for all three pkgs
Reply at:
https://bugs.launchpad.net/ubuntu/+source/vim/+bug/240216/comments/12
------------------------------------------------------------------------
On 2008-07-07T12:15:53+00:00 Raúl Porcel wrote:
alpha/ia64 stable
Reply at:
https://bugs.launchpad.net/ubuntu/+source/vim/+bug/240216/comments/13
------------------------------------------------------------------------
On 2008-07-15T16:46:28+00:00 Keytoaster wrote:
Does this version actually fix all of the vulnerabilities? Using the
test suite from http://www.rdancer.org/vulnerablevim.html I get the
following result:
-------------------------------------------
-------- Test results below ---------------
-------------------------------------------
filetype.vim
strong : EXPLOIT FAILED
weak : EXPLOIT FAILED
zipplugin : VULNERABLE
xpm.vim
xpm : VULNERABLE
xpm2 : VULNERABLE
remote : VULNERABLE
gzip_vim : EXPLOIT FAILED
netrw : VULNERABLE
Should be noted in the GLSA I guess.
Reply at:
https://bugs.launchpad.net/ubuntu/+source/vim/+bug/240216/comments/14
------------------------------------------------------------------------
On 2008-07-17T12:15:28+00:00 Keytoaster wrote:
vim team, do you know if upstream is trying to fix the remaining issues
in the near future? if yes, we will postpone this glsa until everything
is fixed.
Reply at:
https://bugs.launchpad.net/ubuntu/+source/vim/+bug/240216/comments/15
------------------------------------------------------------------------
On 2008-08-14T08:44:21+00:00 Ali Polatel wrote:
(In reply to comment #13)
> vim team, do you know if upstream is trying to fix the remaining issues in the
> near future? if yes, we will postpone this glsa until everything is fixed.
>
{vim,gvim}-7.2 fixes this. It's in CVS.
-------------------------------------------
-------- Test results below ---------------
-------------------------------------------
Vim version 7.2
zip.vim version:
netrw.vim version:
-------------------------------------------
filetype.vim
strong : EXPLOIT FAILED
weak : EXPLOIT FAILED
tarplugin : EXPLOIT FAILED
tarplugin.updated: EXPLOIT FAILED
tarplugin.v2: EXPLOIT FAILED
zipplugin : EXPLOIT FAILED
zipplugin.v2: EXPLOIT FAILED
xpm.vim
xpm : EXPLOIT FAILED
xpm2 : EXPLOIT FAILED
remote : EXPLOIT FAILED
gzip_vim : EXPLOIT FAILED
netrw : EXPLOIT FAILED
netrw.v2 : EXPLOIT FAILED
netrw.v3 : EXPLOIT FAILED
netrw.v4 : EXPLOIT FAILED
netrw.v5 : EXPLOIT FAILED
shellescape: EXPLOIT FAILED
Reply at:
https://bugs.launchpad.net/ubuntu/+source/vim/+bug/240216/comments/16
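As an added example (not code from this bug report, from the rdancer test suite, or from Vim itself), a heuristic audit script a package maintainer could run over installed plugin files to spot the pattern behind the results above: a file name concatenated into a system() or :! command without shellescape(), the function the Vim 7.2 fix applies. The regexes and the sample plugin text are constructed assumptions, so treat hits as candidates for manual review.

```python
import re

# Constructed sample of Vim plugin source. Line 3 and line 7 hand a file
# name to the shell unquoted (the bug class reported by rdancer); line 5 is
# the hardened form using shellescape(); line 9 involves no file name.
SAMPLE_PLUGIN = r'''
" zip-style listing, unsafe: a:zipfile reaches the shell unquoted
let s:out = system("unzip -l " . a:zipfile)
" hardened variant, as in the Vim 7.2 fix
let s:out = system("unzip -l " . shellescape(a:zipfile))
" :! also hands the expansion straight to the shell
exe "!gzip -d " . expand("%")
" no file name involved, nothing to flag
let s:ver = system("gzip --version")
'''

# Heuristics (assumptions of this example, not a Vim or Gentoo rule):
# a shell call is system(...) or an ex command starting with '!';
# a file-name source is expand()/fnamemodify()/bufname() or an
# a:...file/name argument; shellescape() on the line counts as handled.
SHELL_CALL = re.compile(r'\bsystem\s*\(|^\s*(?:exe(?:cute)?\s+)?["\']?!')
FILE_SOURCE = re.compile(
    r'\bexpand\s*\(|\bfnamemodify\s*\(|\bbufname\s*\(|\ba:\w*(?:file|name)\w*')
ESCAPED = re.compile(r'\bshellescape\s*\(')


def find_unescaped_shell_calls(source: str):
    """Return (line_no, stripped_line) for every line that passes a file
    name to the shell without shellescape(). Line numbers are 1-based."""
    hits = []
    for n, line in enumerate(source.splitlines(), 1):
        if line.lstrip().startswith('"'):
            continue  # whole-line Vim comment
        if SHELL_CALL.search(line) and FILE_SOURCE.search(line) \
                and not ESCAPED.search(line):
            hits.append((n, line.strip()))
    return hits


if __name__ == "__main__":
    for n, text in find_unescaped_shell_calls(SAMPLE_PLUGIN):
        print(f"line {n}: {text}")
```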
------------------------------------------------------------------------
On 2014-05-31T18:05:24+00:00 Ackle wrote:
This issue has been fixed on Security-supported arches since Aug 15,
2008. No GLSA will be issued.
Reply at:
https://bugs.launchpad.net/ubuntu/+source/vim/+bug/240216/comments/24
** Changed in: vim (Gentoo Linux)
Status: In Progress => Fix Released
https://bugs.launchpad.net/bugs/240216
Title:
Collection of vulnerabilities in Vim reported by rdancer
Status in “vim” package in Ubuntu:
Fix Released
Status in “vim” source package in Dapper:
Fix Released
Status in “vim” source package in Feisty:
Won't Fix
Status in “vim” source package in Gutsy:
Fix Released
Status in “vim” source package in Hardy:
Fix Released
Status in “vim” package in Gentoo Linux:
Fix Released
Bug description:
Binary package hint: vim
Multiple vulnerabilities exploitable from file content or file names have been reported here:
http://www.rdancer.org/vulnerablevim.html
The current version of Vim in Hardy is 7.1.138, which is older than the
reported vulnerable version, so it is vulnerable too.
Upgrading to Vim 7.1.314 or above is recommended.
See http://groups.google.com/group/vim_dev/browse_thread/thread/0a5543c9cee7c274