Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Mon, 21 Jul 2008 15:05:28 +0100
From: "Jan Minář" <rdancer@...ncer.org>
To: "Tomas Hoger" <thoger@...hat.com>
Cc: oss-security@...ts.openwall.com, 
	"Jonathan Smith" <smithj@...ethemallocs.com>, coley@...us.mitre.org, 
	"Bram Moolenaar" <Bram@...lenaar.net>, 
	"Charles E Campbell, Jr" <drchip@...pbellfamily.biz>
Subject: Re: Re: More arbitrary code executions in Netrw version 125, Vim 7.2a.10

On Mon, Jul 21, 2008 at 2:44 PM, Tomas Hoger <thoger@...hat.com> wrote:
> On Mon, 21 Jul 2008 12:57:48 +0100 "Jan Minář" <rdancer@...ncer.org>
> wrote:
>
>> Version 109 is probably too old.  There has been a lot of
>> functionality added since, and I presume a lot of refactoring done
>> too.  According to the [0]Netrw version history, marking files (used
>> by netrw.v2 & netrw.v3) was introduced in version 111.
>
> Agree.  netrw 109 bundled with vim 7.1 does not implement mz and mc
> commands, so is not affected by .v2 and .v3.  This was already
> mentioned in this thread.
>
>> On the other hand, these vulnerabilities should not depend on the Vim
>> version; the TIOCSTI method used in netrw.v4 ``test'' target may not
>> be very portable outside Un*x though.
>
> But 109 (and older) is affected by D command / .v4 issue, just the test
> case does not work with 109 out of the box.  Test assumes that the
> cursor in on the line right above the one showing crafted file name,
> but that does not seem to be correct assumption for 109 (netrw version
> differences or locale changes, I haven't really investigated).  See
> suggestion in my other reply.

I have updated the test suite, it tests v110 correctly as VULNERABLE now:

http://www.rdancer.org/vulnerablevim-latest.tar.bz2

Thanks.

Jan.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.