Date: Mon, 21 Jul 2008 15:05:28 +0100
From: "Jan Minář" <rdancer@...ncer.org>
To: "Tomas Hoger" <thoger@...hat.com>
Cc: oss-security@...ts.openwall.com,
"Jonathan Smith" <smithj@...ethemallocs.com>, coley@...us.mitre.org,
"Bram Moolenaar" <Bram@...lenaar.net>,
"Charles E Campbell, Jr" <drchip@...pbellfamily.biz>
Subject: Re: Re: More arbitrary code executions in Netrw version 125, Vim 7.2a.10

On Mon, Jul 21, 2008 at 2:44 PM, Tomas Hoger <thoger@...hat.com> wrote:
> On Mon, 21 Jul 2008 12:57:48 +0100 "Jan Minář" <rdancer@...ncer.org>
> wrote:
>
>> Version 109 is probably too old. There has been a lot of
>> functionality added since, and I presume a lot of refactoring done
>> too. According to the [0]Netrw version history, marking files (used
>> by netrw.v2 & netrw.v3) was introduced in version 111.
>
> Agree. netrw 109 bundled with vim 7.1 does not implement mz and mc
> commands, so is not affected by .v2 and .v3. This was already
> mentioned in this thread.
>
>> On the other hand, these vulnerabilities should not depend on the Vim
>> version; the TIOCSTI method used in netrw.v4 ``test'' target may not
>> be very portable outside Un*x though.
>
> But 109 (and older) is affected by D command / .v4 issue, just the test
> case does not work with 109 out of the box. Test assumes that the
> cursor is on the line right above the one showing crafted file name,
> but that does not seem to be a correct assumption for 109 (netrw version
> differences or locale changes, I haven't really investigated). See
> suggestion in my other reply.

I have updated the test suite, it tests v110 correctly as VULNERABLE now:
http://www.rdancer.org/vulnerablevim-latest.tar.bz2
Thanks.
Jan.