Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 5 Aug 2008 16:42:29 +0200
From: Tomas Hoger <>
Cc:, Jan Minar <>,, Bram Moolenaar <>,
        "Charles E
 Campbell, Jr" <>
Subject: Re: Re: More arbitrary code executions in Netrw
 version 125, Vim 7.2a.10

Hi Steven!

I'll try to answer some of the questions where I can...

On Thu, 31 Jul 2008 20:44:12 -0400 (EDT) "Steven M. Christey"
<> wrote:

> heap overflow, demonstrated by netrw.v3
>     - NEW CVE assigned: CVE-2008-3432
>       - vim 6.2 and 6.3 (mch_expand_wildcards)
>       -

I guess you can safely use 6.2.429 - 6.3.059 here, as it was identified
which change introduced and which resolved the problem.

> tar.vim
>   - Report TAR-3
>      assignment of CVE-2008-3074 to "tarplugin"
> 	 - already used by rPath in advisory

Was it?  There are very few public references of this id found by
google.  rPath link goes to their issue tracker:

> zip.vim
>   - Report ZIP-1
>     rdancer says "zip.vim" as well as "zipPlugin.vim"

" zip.vim: Handles browsing zipfiles

" zipPlugin.vim: Handles browsing zipfiles
"            PLUGIN PORTION

zipPlugin.vim only seems to be an interface to functionality
implemented in zip.vim.  Actual issues should be in zip.vim, but terms
are likely used as synonyms in the advisory.

> 	- Vim 7.1.298 and 6.4

vim-6.4.tar.bz2 does not contain zip.vim, and it is not added by
subsequent 6.4 patches , I guess
this should be 7.0+, just like tar.vim issues.

>   - Report ZIP-2
>     Tomas Hoger suggests "still unfixed"

That comment was based on Jan's advisory vulnerablevim-netrw.html with
was updated to cover current state the upstream fixes, and was still
listing tar and zip as vulnerable.

>     - CVE-2008-3075 assigned; used by rPath
> 	- since CVE-2008-2712 issues were fixed and zip.vim remains
>       unfixed, a SPLIT from CVE-2008-2712 is reasonable

Similar to CVE-2008-3074 above.

>   - Report ZIP-3
>     Tomas Hoger says "only 7.0 and 7.1" affected

In context of GA versions, without additional patches.  I'm not sure
what is the current status wrt 7.1 official patches.  7.0 should be
first affected, all 7.0.x should be affected.

> 3) Given the varying results for TAR-1 through TAR-4, should zip.vim
>    be split from the tar issues?  What about zipplugin.vim?

Given , they
are currently split.

> 4) It might be reasonable to remove item (2) from CVE-2008-2712.

Probably yes, based on first affected versions.

> Looking at netrw.v2:
>   - Report NETRW2-a
>     rdancer says "mx" and "mz" in:
> 	NO version information provided in this advisory, but title
> 	indicates "Netrw version 125, Vim 7.2a.10"
>   - Report NETRW2-b
>     Tomas Hoger mentions "mz and mc" in:
> 	but: mc is probably referring to netrw.v3, so not relevant
> here
> 	mz "should only affect 7.2 alpha"

Actually, advisory is:

1. Compression and Decompression (The ``mz'' Command)
  (which mentions mx and mz, context of mx is bit unclear)

netrw.v2 demonstrates mz flaw.

2. Copying Files (The ``mc'' Command)

demonstrated by netrw.v3

All 3 commands - mx, mz and mc are only recognized by netrw version as
bundled with 7.2 alpha.  These issues did not affect 7.1.x and previous.

> 1) What role, if any, does "mf" play (NETRW2-c)?  It's listed as a
>    "prerequisite" then nothing else is said.  Does it have a
>    vulnerability?  Or does the victim need to mark a file before
>    decompressing it?

mf is used in netrw.v[23] to mark files, before compress / copy is run
on them.

> 3) Which combination of mx, mz, and mf is really being covered by
>    the netrw.v2 test case?

mf mz is command sequence executed.

> Looking at netrw.v3:
> 1) NETRW3-c is clearly different, so CVE-2008-3432 is assigned.

It was not the purpose of netrw.v3 to demonstrate this, it just
accidentally uncovered this issue.  Taking into account which versions
are affect by this, I guess it's quite unlikely this affects anyone but
us at this point in time.

> 2) Are NETRW3-a and NETRW3-b talking about the same issue?

Probably not.  -a talks about mx and mz, but demonstrates mz.  -b is
about -mc.  Shour be different issues.

> Looking at netrw explorer.vim plugin:
>   - Report EXP-1
>     "netrw" test case triggers "similar problem" in explorer.vim:
> 	- in vim 6.x
>   - Report EXP-2
>     "netrw.v4" test case does not affect explorer.vim
> 1) Does this need a separate ID?  If not, which does it belong with?

Given that it affects different plugins, separate id seems to make
sense wrt to the rules how CVE ids are usually assigned.

Tomas Hoger / Red Hat Security Response Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.