Debian: DSA 1364-1 Moderate: Multiple Vim Remote Execution Threats
debian
September 1, 2007
Several vulnerabilities have been discovered in the vim editor
Summary
Ulf Harnhammar discovered that a format string flaw in helptags_one() from
src/ex_cmds.c (triggered through the "helptags" command) can lead to the
execution of arbitrary code.
CVE-2007-2438
Editors often provide a way to embed editor configuration commands (aka
modelines) which are executed once a file is opened. Harmful commands
are filtered by a sandbox mechanism. It was discovered that function
calls to writefile(), feedkeys() and system() were not filtered, allowing
shell command execution with a carefully crafted file opened in vim.
For the oldstable distribution (sarge) these problems have been fixed in
version 6.3-071+1sarge2. Sarge is not affected by CVE-2007-2438.
For the stable distribution (etch) these problems have been fixed
in version 7.0-122+1etch3.
For the unstable distribution (sid) these problems have been fixed in
version 7.1-056+1.
We recommend that you upgrade your vim packages.
Upgrade Instructions
- -------------------...
PREVIOUS
NEXT
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Related News
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!