Login
Newsletter
Werbung

Sicherheit: Automatisches Ausführen von Kommandos in vim
Aktuelle Meldungen Distributionen
Name: Automatisches Ausführen von Kommandos in vim
ID: CSSA-2001-014.0
Distribution: Caldera
Plattformen: Caldera eDesktop 2.4, Caldera eBuilder, Caldera eServer 2.3.1, Caldera 2.3
Datum: Do, 12. April 2001, 13:00
Referenzen: Keine Angabe
Applikationen: vim

Originalnachricht

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________
Caldera Systems, Inc. Security Advisory

Subject: vim - embedded modline exploits
Advisory number: CSSA-2001-014.0
Issue date: 2001 April, 11
Cross reference:
______________________________________________________________________________


1. Problem Description

There exists a possibility for an attacker to embed special
modelines into a text file which when opened with vim could
compromise the account of the user.

Also editing files in world writeable directories like /tmp
could lead to a local attacker gaining access to the editing
users account due to possible symlink attacks on editor backup
and swap files.


2. Vulnerable Versions

System Package
-----------------------------------------------------------
OpenLinux 2.3 All packages previous to
vim-5.7-12

OpenLinux eServer 2.3.1 All packages previous to
and OpenLinux eBuilder vim-5.7-12

OpenLinux eDesktop 2.4 All packages previous to
vim-5.7-12

3. Solution

Workaround

none

The proper solution is to upgrade to the latest packages.

4. OpenLinux 2.3

4.1 Location of Fixed Packages

The upgrade packages can be found on Caldera's FTP site at:

ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/

The corresponding source code package can be found at:

ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/SRPMS

4.2 Verification

6f57e2a30063af5973c98734bd56099e RPMS/vim-5.7-12.i386.rpm
e53bbd8b9cd8020015d08edcbe8c872a RPMS/vim-X11-5.7-12.i386.rpm
1914bb9b40d72a0bfdd1997890b7c05a RPMS/vim-help-5.7-12.i386.rpm
9edf7f1fc3f60ac1b4102083b6f6c2a2 SRPMS/vim-5.7-12.src.rpm

4.3 Installing Fixed Packages

Upgrade the affected packages with the following commands:

rpm -Fhv vim-*.i386.rpm

5. OpenLinux eServer 2.3.1 and OpenLinux eBuilder for ECential 3.0

5.1 Location of Fixed Packages

The upgrade packages can be found on Caldera's FTP site at:

ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/RPMS/

The corresponding source code package can be found at:

ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/SRPMS

5.2 Verification

c3f3502b0347c9e823daa1108ec832f3 RPMS/vim-5.7-12.i386.rpm
2efd3e378dc7fe0a2d0095cc2e14cb9e RPMS/vim-X11-5.7-12.i386.rpm
e318e2517708a060130bacd3477cf424 RPMS/vim-help-5.7-12.i386.rpm
9edf7f1fc3f60ac1b4102083b6f6c2a2 SRPMS/vim-5.7-12.src.rpm

5.3 Installing Fixed Packages

Upgrade the affected packages with the following commands:

rpm -Fvh vim-*i386.rpm

6. OpenLinux eDesktop 2.4

6.1 Location of Fixed Packages

The upgrade packages can be found on Caldera's FTP site at:

ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/RPMS/

The corresponding source code package can be found at:

ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/SRPMS

6.2 Verification

74813272a373c5f28d2a29380e173e40 RPMS/vim-5.7-12.i386.rpm
26b8f47c0786c7c6b6fd95bab5499689 RPMS/vim-X11-5.7-12.i386.rpm
eb52a3275bb642eccb36b443c8fb82c2 RPMS/vim-help-5.7-12.i386.rpm
9edf7f1fc3f60ac1b4102083b6f6c2a2 SRPMS/vim-5.7-12.src.rpm

6.3 Installing Fixed Packages

Upgrade the affected packages with the following commands:

rpm -Fvh vim-*i386.rpm

7. References

This and other Caldera security resources are located at:

http://www.calderasystems.com/support/security/index.html

This security fix closes Caldera's internal Problem Reports 9682, 9609.

8. Disclaimer

Caldera Systems, Inc. is not responsible for the misuse of any of the
information we provide on this website and/or through our security
advisories. Our advisories are a service to our customers intended to
promote secure installation and use of Caldera OpenLinux.

9. Acknowledgements:

Caldera International wishes to thank the VIM team for being very
responsive and providing a timely fix to the problem.

______________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE61C4Z18sy83A/qfwRAomDAJ93pA+pKEesgGbls+0tTQ43XpfXwwCfV3kl
tDH63+CmEdhYmcGeinsQqbg=
=N5xH
-----END PGP SIGNATURE-----


---------------------------------------------------------------------
To unsubscribe, e-mail: announce-unsubscribe@lists.caldera.com
For additional commands, e-mail: announce-help@lists.caldera.com
Pro-Linux
Pro-Linux @Facebook
Neue Nachrichten
Werbung