LinuxSecurity.com
Share your story
The central voice for Linux and Open Source security news
Home News Topics Advisories HOWTOs Features Newsletters About Register

Welcome!
Sign up!
EnGarde Community
Login
Polls
What is the most important Linux security technology?
 
Advisories
Community
Linux Events
Linux User Groups
Link to Us
Security Center
Book Reviews
Security Dictionary
Security Tips
SELinux
White Papers
Featured Blogs
All About Linux
DanWalsh LiveJournal
Securitydistro
Latest Newsletters
Linux Security Week: September 15th, 2014
Linux Security Week: September 8th, 2014
Subscribe
LinuxSecurity Newsletters
E-mail:
Choose Lists:
About our Newsletters
RSS Feeds
Get the LinuxSecurity news you want faster with RSS
Powered By

  
Mandriva: Subject: [Security Announce] [ MDVSA-2008:236 ] vim Print E-mail
User Rating:      How can I rate this item?
Posted by Benjamin D. Thomas   
Mandrake Several vulnerabilities were found in the vim editor: A number of input sanitization flaws were found in various vim system functions. If a user were to open a specially crafted file, it would be possible to execute arbitrary code as the user running vim (CVE-2008-2712).
 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2008:236
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : vim
 Date    : December 3, 2008
 Affected: 2008.0, 2008.1, 2009.0, Corporate 3.0, Corporate 4.0,
           Multi Network Firewall 2.0
 _______________________________________________________________________

 Problem Description:

 Several vulnerabilities were found in the vim editor:
 
 A number of input sanitization flaws were found in various vim
 system functions.  If a user were to open a specially crafted file,
 it would be possible to execute arbitrary code as the user running vim
 (CVE-2008-2712).
 
 Ulf Härnhammar of Secunia Research found a format string flaw in
 vim's help tags processor.  If a user were tricked into executing the
 helptags command on malicious data, it could result in the execution
 of arbitrary code as the user running vim (CVE-2008-2953).
 
 A flaw was found in how tar.vim handled TAR archive browsing.  If a
 user were to open a special TAR archive using the plugin, it could
 result in the execution of arbitrary code as the user running vim
 (CVE-2008-3074).
 
 A flaw was found in how zip.vim handled ZIP archive browsing.  If a
 user were to open a special ZIP archive using the plugin, it could
 result in the execution of arbitrary code as the user running vim
 (CVE-2008-3075).
 
 A number of security flaws were found in netrw.vim, the vim plugin
 that provides the ability to read and write files over the network.
 If a user opened a specially crafted file or directory with the netrw
 plugin, it could result in the execution of arbitrary code as the
 user running vim (CVE-2008-3076).
 
 A number of input validation flaws were found in vim's keyword and
 tag handling.  If vim looked up a document's maliciously crafted
 tag or keyword, it was possible to execute arbitary code as the user
 running vim (CVE-2008-4101).
 
 A vulnerability was found in certain versions of netrw.vim where it
 would send FTP credentials stored for an FTP session to subsequent
 FTP sessions to servers on different hosts, exposing FTP credentials
 to remote hosts (CVE-2008-4677).
 
 This update provides vim 7.2 (patchlevel 65) which corrects all of
 these issues and introduces a number of new features and bug fixes.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2712
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2953
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3074
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3075
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3076
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4101
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4677
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2008.0:
 9687145d46a754a50f26498399e42f84  2008.0/i586/vim-common-7.2.065-9.2mdv2008.0.i586.rpm
 5ab8b8d113ef693c07cd79f693d47638  2008.0/i586/vim-enhanced-7.2.065-9.2mdv2008.0.i586.rpm
 cf40227e84aac1a17a1a2973685e6a1f  2008.0/i586/vim-minimal-7.2.065-9.2mdv2008.0.i586.rpm
 bf9cb876e1958d7b215a7039e1c52975  2008.0/i586/vim-X11-7.2.065-9.2mdv2008.0.i586.rpm 
 7b1b039b2ba0233b6535775ecd200e6d  2008.0/SRPMS/vim-7.2.065-9.2mdv2008.0.src.rpm

 Mandriva Linux 2008.0/X86_64:
 fa3479b036e054ce12a0e680e95f28f6  2008.0/x86_64/vim-common-7.2.065-9.2mdv2008.0.x86_64.rpm
 d1e10ebfaa89c3ca0cc72624531c6950  2008.0/x86_64/vim-enhanced-7.2.065-9.2mdv2008.0.x86_64.rpm
 a8961516b64c325bf6662b44e1384885  2008.0/x86_64/vim-minimal-7.2.065-9.2mdv2008.0.x86_64.rpm
 eb6a696807d8a2e55d9a447266081bc4  2008.0/x86_64/vim-X11-7.2.065-9.2mdv2008.0.x86_64.rpm 
 7b1b039b2ba0233b6535775ecd200e6d  2008.0/SRPMS/vim-7.2.065-9.2mdv2008.0.src.rpm

 Mandriva Linux 2008.1:
 bf1bbb5c11dc18f5b626830f83324bab  2008.1/i586/vim-common-7.2.065-9.2mdv2008.1.i586.rpm
 54426458bb7601d9b3fdfedfa16ee9c6  2008.1/i586/vim-enhanced-7.2.065-9.2mdv2008.1.i586.rpm
 ca94206e37b639a4577272d05ef10489  2008.1/i586/vim-minimal-7.2.065-9.2mdv2008.1.i586.rpm
 8b58cee3b8ccee24408c1ed78215cb89  2008.1/i586/vim-X11-7.2.065-9.2mdv2008.1.i586.rpm 
 2886ecd9e5117b6464dc82e12bc41ee6  2008.1/SRPMS/vim-7.2.065-9.2mdv2008.1.src.rpm

 Mandriva Linux 2008.1/X86_64:
 f56a2879dfbca889824074338eca652c  2008.1/x86_64/vim-common-7.2.065-9.2mdv2008.1.x86_64.rpm
 e813a7a4126f4b5413b6a3517bb57c97  2008.1/x86_64/vim-enhanced-7.2.065-9.2mdv2008.1.x86_64.rpm
 cfc262ca8e4995d5b648c282d05f9261  2008.1/x86_64/vim-minimal-7.2.065-9.2mdv2008.1.x86_64.rpm
 dce8110e159fe8b767d596346514d1e9  2008.1/x86_64/vim-X11-7.2.065-9.2mdv2008.1.x86_64.rpm 
 2886ecd9e5117b6464dc82e12bc41ee6  2008.1/SRPMS/vim-7.2.065-9.2mdv2008.1.src.rpm

 Mandriva Linux 2009.0:
 b94e841258ba0053a8c2e1c61d378ff4  2009.0/i586/vim-common-7.2.065-9.2mdv2009.0.i586.rpm
 53b66549200b5a8a3374de12c56ca3c4  2009.0/i586/vim-enhanced-7.2.065-9.2mdv2009.0.i586.rpm
 a412c994a7d9f3111e2dfd4d629de72c  2009.0/i586/vim-minimal-7.2.065-9.2mdv2009.0.i586.rpm
 f1a2096a8b72c74ed3ef7df984491b66  2009.0/i586/vim-X11-7.2.065-9.2mdv2009.0.i586.rpm 
 49185b01a1d717513902ba49235023a0  2009.0/SRPMS/vim-7.2.065-9.2mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64:
 dce4c150ca5f8beed2e6ec917ee8f36d  2009.0/x86_64/vim-common-7.2.065-9.2mdv2009.0.x86_64.rpm
 8351ee5ccbbf039649c830befb16c8b6  2009.0/x86_64/vim-enhanced-7.2.065-9.2mdv2009.0.x86_64.rpm
 25abc823231a1242ec9e00e08aeea08b  2009.0/x86_64/vim-minimal-7.2.065-9.2mdv2009.0.x86_64.rpm
 8f18e3bf52e528294a8c027227163ea0  2009.0/x86_64/vim-X11-7.2.065-9.2mdv2009.0.x86_64.rpm 
 49185b01a1d717513902ba49235023a0  2009.0/SRPMS/vim-7.2.065-9.2mdv2009.0.src.rpm

 Corporate 3.0:
 57eb3da62007c67d4dfff2184712e723  corporate/3.0/i586/vim-common-7.2.065-9.2.C30mdk.i586.rpm
 cd32782aeb6a12ff17d63436cf1b5bdd  corporate/3.0/i586/vim-enhanced-7.2.065-9.2.C30mdk.i586.rpm
 5fe6219ae51f930a61ac7719d483c4d2  corporate/3.0/i586/vim-minimal-7.2.065-9.2.C30mdk.i586.rpm
 ad522f08a5c827dc68c1c3d80dc96c05  corporate/3.0/i586/vim-X11-7.2.065-9.2.C30mdk.i586.rpm 
 5056d9e1057c60b0cc2514cfb14f6aef  corporate/3.0/SRPMS/vim-7.2.065-9.2.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 934038cf8d1a329cf8020895ed3db7c3  corporate/3.0/x86_64/vim-common-7.2.065-9.2.C30mdk.x86_64.rpm
 65d64cc850ebdcb6a47905c94df19437  corporate/3.0/x86_64/vim-enhanced-7.2.065-9.2.C30mdk.x86_64.rpm
 138427402ee4d0dba3931861f43b17af  corporate/3.0/x86_64/vim-minimal-7.2.065-9.2.C30mdk.x86_64.rpm
 23ab99b940c3150ea185cbe0cf7a536a  corporate/3.0/x86_64/vim-X11-7.2.065-9.2.C30mdk.x86_64.rpm 
 5056d9e1057c60b0cc2514cfb14f6aef  corporate/3.0/SRPMS/vim-7.2.065-9.2.C30mdk.src.rpm

 Corporate 4.0:
 ccad6e665824b0af02d7cf6dc244800f  corporate/4.0/i586/vim-common-7.2.065-8.2.20060mlcs4.i586.rpm
 6259e89fdff3af4591f00aee85f6408d  corporate/4.0/i586/vim-enhanced-7.2.065-8.2.20060mlcs4.i586.rpm
 a1899ec82783d087a67e598440c7d97b  corporate/4.0/i586/vim-minimal-7.2.065-8.2.20060mlcs4.i586.rpm
 1628ebe4b6bd2c0398689d8b63059ad4  corporate/4.0/i586/vim-X11-7.2.065-8.2.20060mlcs4.i586.rpm 
 ff5ce0745012df27dba7c628be9696c2  corporate/4.0/SRPMS/vim-7.2.065-8.2.20060mlcs4.src.rpm

 Corporate 4.0/X86_64:
 2cc05e275dfda62016b2ca250bc7abac  corporate/4.0/x86_64/vim-common-7.2.065-8.2.20060mlcs4.x86_64.rpm
 12628db58e590955b4fc52b9b9da35f2  corporate/4.0/x86_64/vim-enhanced-7.2.065-8.2.20060mlcs4.x86_64.rpm
 81d3a71d955ef44e9adf0087a38b2048  corporate/4.0/x86_64/vim-minimal-7.2.065-8.2.20060mlcs4.x86_64.rpm
 01db91a3cd0d64fba00beb7ac29121ab  corporate/4.0/x86_64/vim-X11-7.2.065-8.2.20060mlcs4.x86_64.rpm 
 ff5ce0745012df27dba7c628be9696c2  corporate/4.0/SRPMS/vim-7.2.065-8.2.20060mlcs4.src.rpm

 Multi Network Firewall 2.0:
 17e4eff8ebdba9763a278a2d0e2f4ca3  mnf/2.0/i586/vim-common-7.2.065-9.2.C30mdk.i586.rpm
 a32e43b8fd1beaa139c108a14685b357  mnf/2.0/i586/vim-enhanced-7.2.065-9.2.C30mdk.i586.rpm
 ccd9d76b31b85005d465a11113db862e  mnf/2.0/i586/vim-minimal-7.2.065-9.2.C30mdk.i586.rpm 
 27bd018672a8bc5aa5d15a7bc6e64dc0  mnf/2.0/SRPMS/vim-7.2.065-9.2.C30mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  
 
< Prev   Next >
    
Partner

 

Latest Features
Peter Smith Releases Linux Network Security Online
Securing a Linux Web Server
Password guessing with Medusa 2.0
Password guessing as an attack vector
Squid and Digest Authentication
Squid and Basic Authentication
Demystifying the Chinese Hacking Industry: Earning 6 Million a Night
Free Online security course (LearnSIA) - A Call for Help
What You Need to Know About Linux Rootkits
Review: A Practical Guide to Fedora and Red Hat Enterprise Linux - Fifth Edition
Yesterday's Edition
Middle-School Dropout Codes Clever Chat Program That Foils NSA Spying
FreeBSD Patches DoS Vulnerability
Rogue cell towers discovered in Washington, D.C.
Partner Sponsor

Community | HOWTOs | Blogs | Features | Book Reviews | Networking
 Security Projects |  Latest News |  Newsletters |  SELinux |  Privacy |  Home
 Hardening |   About Us |   Advertise |   Legal Notice |   RSS |   Guardian Digital
(c)Copyright 2014 Guardian Digital, Inc. All rights reserved.