Date: Thu, 31 Jul 2008 20:44:12 -0400 (EDT)
From: "Steven M. Christey" <coley@...us.mitre.org>
To: Jan Minar <rdancer@...ncer.org>, Tomas Hoger <thoger@...hat.com>
cc: oss-security@...ts.openwall.com, smithj@...ethemallocs.com,
        coley@...us.mitre.org, Bram Moolenaar <Bram@...lenaar.net>,
        "Charles E Campbell, Jr" <drchip@...pbellfamily.biz>
Subject: Re: Re: More arbitrary code executions in Netrw version 125, Vim 7.2a.10


All,

My head and shoulders genuinely hurt from trying to figure this out.
Sorry for the delay.

I don't think explaining how CVEs work will help in this extremely complex
situation.

I have a number of questions, some of which are based on the newest
advisories that rdancer released...

- Steve



************************************************************************
************************************************************************
This section is about issues that don't seem to have any major
confusion.  Please confirm.
************************************************************************
************************************************************************


------------------------------------------------------------
filetype.vim not fixed

 - inconsistent regular expression usage in substitute()
   http://www.rdancer.org/vulnerablevim-filetype.vim.updated.html

 - earlier filetype.vim issue was in CVE-2008-2712.1

 - NEEDS NEW CVE


------------------------------------------------------------
heap overflow, demonstrated by netrw.v3

    - NEW CVE assigned: CVE-2008-3432

      - vim 6.2 and 6.3 (mch_expand_wildcards)

      - http://www.openwall.com/lists/oss-security/2008/07/15/4

------------------------------------------------------------
configure.in temp file issue

  - ALREADY assigned CVE: CVE-2008-3294 (see web site)

    - vim 5.0 through 7.1, maybe earlier, fixed in 7.2b.014

    - http://www.rdancer.org/vulnerablevim-configure.in.html


------------------------------------------------------------
netrw.v5 test case

  - NEEDS NEW CVE

  - http://www.rdancer.org/vulnerablevim-netrw.v5.html

  - affected version: Netrw version 127, Vim 7.2b

  - affected file: netrw.vim




************************************************************************
************************************************************************
This section is for remaining issues that need clarification.
************************************************************************
************************************************************************

------------------------------------------------------------
shellescape() implementation issue (tar):

  - Report TAR-1

    rdancer says "shellescape() does not escape all special items"
    specifically the "!" character

    - http://www.rdancer.org/vulnerablevim-shellescape.html

    - 7.2a.013 and other versions before 7.2b.005

    - mentions tar.vim (tarplugin)

    - test case: tarplugin.v2

  - Report TAR-2

     Tomas Hoger says affects 7.0 and 7.1:

     http://www.openwall.com/lists/oss-security/2008/07/15/2

  - Report TAR-3

     assignment of CVE-2008-3074 to "tarplugin"

     http://www.openwall.com/lists/oss-security/2008/07/10/7

     - already used by rPath in advisory

  - Report TAR-4

     rdancer tar.vim issue

     http://www.rdancer.org/vulnerablevim.html

  - Report TAR-5

    rdancer says tar.vim test was omitted from Makefile

     http://www.openwall.com/lists/oss-security/2008/07/13/1

1) Are TAR-1, TAR-2, TAR-3, and TAR-4 all talking about the same
   issue?  If not - which ones are the same?

2) Since tar.vim doesn't affect 6.x, it should stay SPLIT from
   CVE-2008-2712.


------------------------------------------------------------
zip.vim

  - Report ZIP-1

    rdancer says "zip.vim" as well as "zipPlugin.vim"

    - http://www.rdancer.org/vulnerablevim.html

    - Vim 7.1.298 and 6.4

    - *part* of the advisory used CVE-2008-2712, but CVE-2008-2712
      didn't include it

  - Report ZIP-2

    Tomas Hoger suggests "still unfixed"

     http://www.openwall.com/lists/oss-security/2008/07/10/7

    - CVE-2008-3075 assigned; used by rPath

    - since CVE-2008-2712 issues were fixed and zip.vim remains
      unfixed, a SPLIT from CVE-2008-2712 is reasonable

  - Report ZIP-3

    Tomas Hoger says "only 7.0 and 7.1" affected

     http://www.openwall.com/lists/oss-security/2008/07/15/2

  - Report ZIP-4

    rdancer says zip "has not been fixed as of Vim 7.2a.19/zip.vim
    v19"

     http://www.openwall.com/lists/oss-security/2008/07/13/1

  - Report ZIP-5

    CVE-2008-2712 bullet (2) mentions zipplugin based on same advisory
    as ZIP-1:

     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2712


1) Are ZIP-1, ZIP-2, ZIP-3, and ZIP-4 all talking about the same
   issue?

2) What differences, if any, are there in zip.vim and zipplugin.vim?

3) Given the varying results for TAR-1 through TAR-4, should zip.vim
   be split from the tar issues?  What about zipplugin.vim?

4) It might be reasonable to remove item (2) from CVE-2008-2712.


------------------------------------------------------------
Looking at netrw.v2:

  - Report NETRW2-a

    rdancer says "mx" and "mz" in:
    http://www.rdancer.org/vulnerablevim-netrw.html

    NO version information provided in this advisory, but title
    indicates "Netrw version 125, Vim 7.2a.10"

  - Report NETRW2-b

    Tomas Hoger mentions "mz and mc" in:
    http://www.openwall.com/lists/oss-security/2008/07/15/4

    but: mc is probably referring to netrw.v3, so not relevant here

    mz "should only affect 7.2 alpha"

  - Report NETRW2-c

    rdancer says "mf" (section 3.1) and "mz" (section 3.2) in:
    http://www.rdancer.org/vulnerablevim-netrw.v2.html

    but then, rdancer also gives an example for "mx" (3.2.1)

    versions: 7.2a.10, Netrw version 125.


1) What role, if any, does "mf" play (NETRW2-c)?  It's listed as a
   "prerequisite" then nothing else is said.  Does it have a
   vulnerability?  Or does the victim need to mark a file before
   decompressing it?

2) "mx" doesn't use quoting in section 3.2.1 (NETRW2-a), so does it
   have a vulnerability too?

3) Which combination of mx, mz, and mf is really being covered by
   the netrw.v2 test case?



------------------------------------------------------------
Looking at netrw.v3:

  - Report NETRW3-a

    rdancer says "mc" shellescape issues in:
    http://www.rdancer.org/vulnerablevim-netrw.html

    - missing use of shellescape for "args" variable in mc command

  - Report NETRW3-b

    Tomas Hoger mentions "mz and mc" in:
    http://www.openwall.com/lists/oss-security/2008/07/15/4

    but: mz is probably referring to netrw.v2, so not relevant here

    - mc "should only affect 7.2 alpha"

  - Report NETRW3-c

    Tomas Hoger says heap overflow (not mentioned in rdancer)
    http://www.openwall.com/lists/oss-security/2008/07/15/4

  - Report NETRW3-d

    rdancer says netrw.v3 is "vulnerable" in an advisory about
    netrw.v5:

     http://www.rdancer.org/vulnerablevim-netrw.v5.html

    version: Vim 7.2b


1) NETRW3-c is clearly different, so CVE-2008-3432 is assigned.

2) Are NETRW3-a and NETRW3-b talking about the same issue?

3) What is the relationship between NETRW3-b and NETRW3-d?  The
   version numbers conflict.

4) Because of item 3, I'm tempted to split netrw.v3.

5) In NETRW3-a, rdancer says there are "many places" but only
   emphasizes the "args" part

   a) why does the patch only address one issue?

   b) the other quoted examples seem to use shellescape().  Are these
   vulnerable too?


------------------------------------------------------------
Looking at netrw.v4:

  - Report NETRW4-a

    shellescape issues in the "D" command for deleting files
    http://www.rdancer.org/vulnerablevim-netrw.html

    NO version information provided in this advisory, but title
    indicates "Netrw version 125, Vim 7.2a.10"

  - Report NETRW4-b

    Tomas Hoger says netrw.v4 affects 7.0 and 7.1
    http://www.openwall.com/lists/oss-security/2008/07/15/4

    - DOES NOT affect explorer.vim in 6.x

1) Why does NETRW4-a mention "function s:NetrwLocalRmFile()" twice?

2) Why does NETRW4-a point to lots of examples where "shellescape" is
   used?

3) It appears that NETRW4-b remains unfixed according to NETRW4-a.  Is
   that right?

------------------------------------------------------------
Looking at netrw explorer.vim plugin:


  - Report EXP-1

    "netrw" test case triggers "similar problem" in explorer.vim:

    http://www.openwall.com/lists/oss-security/2008/07/15/2

    - in vim 6.x

  - Report EXP-2

    "netrw.v4" test case does not affect explorer.vim


1) Does this need a separate ID?  If not, which does it belong with?
