Jump to content
Compatible Support Forums
Sign in to follow this  
news

[Security Announce] [ MDVSA-2008:236-1 ] vim

Recommended Posts

This is a multi-part message in MIME format...

 

------------=_1228790128-14940-5411

 

 

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

 

_______________________________________________________________________

 

Mandriva Linux Security Advisory MDVSA-2008:236-1

http://www.mandriva.com/security/

_______________________________________________________________________

 

Package : vim

Date : December 8, 2008

Affected: 2008.0, 2008.1, 2009.0, Corporate 3.0, Corporate 4.0,

Multi Network Firewall 2.0

_______________________________________________________________________

 

Problem Description:

 

Several vulnerabilities were found in the vim editor:

 

A number of input sanitization flaws were found in various vim

system functions. If a user were to open a specially crafted file,

it would be possible to execute arbitrary code as the user running vim

(CVE-2008-2712).

 

Ulf Härnhammar of Secunia Research found a format string flaw in

vim's help tags processor. If a user were tricked into executing the

helptags command on malicious data, it could result in the execution

of arbitrary code as the user running vim (CVE-2008-2953).

 

A flaw was found in how tar.vim handled TAR archive browsing. If a

user were to open a special TAR archive using the plugin, it could

result in the execution of arbitrary code as the user running vim

(CVE-2008-3074).

 

A flaw was found in how zip.vim handled ZIP archive browsing. If a

user were to open a special ZIP archive using the plugin, it could

result in the execution of arbitrary code as the user running vim

(CVE-2008-3075).

 

A number of security flaws were found in netrw.vim, the vim plugin

that provides the ability to read and write files over the network.

If a user opened a specially crafted file or directory with the netrw

plugin, it could result in the execution of arbitrary code as the

user running vim (CVE-2008-3076).

 

A number of input validation flaws were found in vim's keyword and

tag handling. If vim looked up a document's maliciously crafted

tag or keyword, it was possible to execute arbitary code as the user

running vim (CVE-2008-4101).

 

A vulnerability was found in certain versions of netrw.vim where it

would send FTP credentials stored for an FTP session to subsequent

FTP sessions to servers on different hosts, exposing FTP credentials

to remote hosts (CVE-2008-4677).

 

This update provides vim 7.2 (patchlevel 65) which corrects all of

these issues and introduces a number of new features and bug fixes.

 

Update:

 

The previous vim update incorrectly introduced a requirement on

libruby and also conflicted with a file from the git-core package

(in contribs). These issues have been corrected with these updated

packages.

_______________________________________________________________________

 

References:

 

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2712

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2953

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3074

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3075

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3076

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4101

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4677

_______________________________________________________________________

 

Updated Packages:

 

Mandriva Linux 2008.0:

1ebd5f8b6c0743bab3db3113c2bb5498 2008.0/i586/vim-common-7.2.065-9.3mdv2008.0.i586.rpm

ecad30a24814aa1543f3e9f4548c0d8e 2008.0/i586/vim-enhanced-7.2.065-9.3mdv2008.0.i586.rpm

a62bc45e20c7cb05ea99471949fa057b 2008.0/i586/vim-minimal-7.2.065-9.3mdv2008.0.i586.rpm

e5431f23309139db47583d100ebec5fc 2008.0/i586/vim-X11-7.2.065-9.3mdv2008.0.i586.rpm

f2413164a86b6635ee5ff016c3527d64 2008.0/SRPMS/vim-7.2.065-9.3mdv2008.0.src.rpm

 

Mandriva Linux 2008.0/X86_64:

3fc6eb1eda476d642947ecaab7a225f2 2008.0/x86_64/vim-common-7.2.065-9.3mdv2008.0.x86_64.rpm

0edf2753ba8a00f8d866e559f7a2192b 2008.0/x86_64/vim-enhanced-7.2.065-9.3mdv2008.0.x86_64.rpm

692d5032e705bfda05b2b2618b8369d6 2008.0/x86_64/vim-minimal-7.2.065-9.3mdv2008.0.x86_64.rpm

87bf7a4fba22dc1773b544eeb412db06 2008.0/x86_64/vim-X11-7.2.065-9.3mdv2008.0.x86_64.rpm

f2413164a86b6635ee5ff016c3527d64 2008.0/SRPMS/vim-7.2.065-9.3mdv2008.0.src.rpm

 

Mandriva Linux 2008.1:

c934d47ecaa0ed9d9bff2b89fea74f20 2008.1/i586/vim-common-7.2.065-9.3mdv2008.1.i586.rpm

714185e359626acb9d22a88c54608a38 2008.1/i586/vim-enhanced-7.2.065-9.3mdv2008.1.i586.rpm

59d119574eb3dc453305bed6da73a12e 2008.1/i586/vim-minimal-7.2.065-9.3mdv2008.1.i586.rpm

4543e6fba5116a1d95fddfee3ce73613 2008.1/i586/vim-X11-7.2.065-9.3mdv2008.1.i586.rpm

d007fce1a939ef4e1841cf54c68dbdd0 2008.1/SRPMS/vim-7.2.065-9.3mdv2008.1.src.rpm

 

Mandriva Linux 2008.1/X86_64:

f8375b1d25260274ef2b081eec0396ea 2008.1/x86_64/vim-common-7.2.065-9.3mdv2008.1.x86_64.rpm

20577d11a3a22ff802a7e1c749099b76 2008.1/x86_64/vim-enhanced-7.2.065-9.3mdv2008.1.x86_64.rpm

1aa16e6fb134f57f4faefb319bdd6840 2008.1/x86_64/vim-minimal-7.2.065-9.3mdv2008.1.x86_64.rpm

99e25a76291297900ffce76e81e87e20 2008.1/x86_64/vim-X11-7.2.065-9.3mdv2008.1.x86_64.rpm

d007fce1a939ef4e1841cf54c68dbdd0 2008.1/SRPMS/vim-7.2.065-9.3mdv2008.1.src.rpm

 

Mandriva Linux 2009.0:

39b17b1ac441ba27254daeac8e593de6 2009.0/i586/vim-common-7.2.065-9.3mdv2009.0.i586.rpm

477cbeec330709630426f06c474e3c48 2009.0/i586/vim-enhanced-7.2.065-9.3mdv2009.0.i586.rpm

3ae2bf83194b6a323e78e09874a9cb3d 2009.0/i586/vim-minimal-7.2.065-9.3mdv2009.0.i586.rpm

02c54fb5e618484f6312ddf0b98cb08b 2009.0/i586/vim-X11-7.2.065-9.3mdv2009.0.i586.rpm

26bb261499484986d9f352208dac6aab 2009.0/SRPMS/vim-7.2.065-9.3mdv2009.0.src.rpm

 

Mandriva Linux 2009.0/X86_64:

6c00a2bcd26eed82708f625b0c2f4ecc 2009.0/x86_64/vim-common-7.2.065-9.3mdv2009.0.x86_64.rpm

2a9dcd8a41b17ba2849df2e1d0da077f 2009.0/x86_64/vim-enhanced-7.2.065-9.3mdv2009.0.x86_64.rpm

effaa23409fe3358318c291db55f6e6b 2009.0/x86_64/vim-minimal-7.2.065-9.3mdv2009.0.x86_64.rpm

7ca4a070928495e0e8081bbe0b845c51 2009.0/x86_64/vim-X11-7.2.065-9.3mdv2009.0.x86_64.rpm

26bb261499484986d9f352208dac6aab 2009.0/SRPMS/vim-7.2.065-9.3mdv2009.0.src.rpm

 

Corporate 3.0:

474ad132ad608caf03176e33b81359f8 corporate/3.0/i586/vim-common-7.2.065-9.3.C30mdk.i586.rpm

1349e3dcc99a0e100e185f344efabe3d corporate/3.0/i586/vim-enhanced-7.2.065-9.3.C30mdk.i586.rpm

5ee98b1525bd32dec3af623474c6ade4 corporate/3.0/i586/vim-minimal-7.2.065-9.3.C30mdk.i586.rpm

3327eedd3e14cb7b426cdf0ba07ef5ed corporate/3.0/i586/vim-X11-7.2.065-9.3.C30mdk.i586.rpm

9f059fa975e2d851e66f5e1eff88d3d0 corporate/3.0/SRPMS/vim-7.2.065-9.3.C30mdk.src.rpm

 

Corporate 3.0/X86_64:

65e2168ca42319b7ba79f7dfe0e2143f corporate/3.0/x86_64/vim-common-7.2.065-9.3.C30mdk.x86_64.rpm

85092d93a8a040c567ce59d0512d8847 corporate/3.0/x86_64/vim-enhanced-7.2.065-9.3.C30mdk.x86_64.rpm

dff08e81f6c2cede1de99ae96700178f corporate/3.0/x86_64/vim-minimal-7.2.065-9.3.C30mdk.x86_64.rpm

f299fe329b20cefb391976ffb9664b39 corporate/3.0/x86_64/vim-X11-7.2.065-9.3.C30mdk.x86_64.rpm

9f059fa975e2d851e66f5e1eff88d3d0 corporate/3.0/SRPMS/vim-7.2.065-9.3.C30mdk.src.rpm

 

Corporate 4.0:

37db43f0c3855a4c86d5237f4e5f292f corporate/4.0/i586/vim-common-7.2.065-8.3.20060mlcs4.i586.rpm

9ed45a0dd9eb354a508c893a2e177662 corporate/4.0/i586/vim-enhanced-7.2.065-8.3.20060mlcs4.i586.rpm

6117088ff587d3b96090dc5232a37a36 corporate/4.0/i586/vim-minimal-7.2.065-8.3.20060mlcs4.i586.rpm

61747391c926c371c679984941a5bfb9 corporate/4.0/i586/vim-X11-7.2.065-8.3.20060mlcs4.i586.rpm

cd60343d547090af2e9d0c3943d0aa81 corporate/4.0/SRPMS/vim-7.2.065-8.3.20060mlcs4.src.rpm

 

Corporate 4.0/X86_64:

2956ef9554f0c8ffb523f243ad547ad0 corporate/4.0/x86_64/vim-common-7.2.065-8.3.20060mlcs4.x86_64.rpm

5a8d2fbb71645fe83b977df339dd2069 corporate/4.0/x86_64/vim-enhanced-7.2.065-8.3.20060mlcs4.x86_64.rpm

250987bbd2f083c308ea3849d9bdd524 corporate/4.0/x86_64/vim-minimal-7.2.065-8.3.20060mlcs4.x86_64.rpm

3636d25dd546e0ea06cee2d9539aea81 corporate/4.0/x86_64/vim-X11-7.2.065-8.3.20060mlcs4.x86_64.rpm

cd60343d547090af2e9d0c3943d0aa81 corporate/4.0/SRPMS/vim-7.2.065-8.3.20060mlcs4.src.rpm

 

Multi Network Firewall 2.0:

520cc910d9ee606478a83ac015814d09 mnf/2.0/i586/vim-common-7.2.065-9.3.C30mdk.i586.rpm

c826084eb33961639c40377fc9b6a9b4 mnf/2.0/i586/vim-enhanced-7.2.065-9.3.C30mdk.i586.rpm

2f724da0fe5da0022b298262f1188aa5 mnf/2.0/i586/vim-minimal-7.2.065-9.3.C30mdk.i586.rpm

1b626e0380d726aa8072089bd94eadfd mnf/2.0/SRPMS/vim-7.2.065-9.3.C30mdk.src.rpm

_______________________________________________________________________

 

To upgrade automatically use MandrivaUpdate or urpmi. The verification

of md5 checksums and GPG signatures is performed automatically for you.

 

All packages are signed by Mandriva for security. You can obtain the

GPG public key of the Mandriva Security Team by executing:

 

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 

You can view other update advisories for Mandriva Linux at:

 

http://www.mandriva.com/security/advisories

 

If you want to report vulnerabilities, please contact

 

security_(at)_mandriva.com

_______________________________________________________________________

 

Type Bits/KeyID Date User ID

pub 1024D/22458A98 2000-07-10 Mandriva Security Team

 

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1.4.9 (GNU/Linux)

 

iD8DBQFJPatcmqjQ0CJFipgRAp3vAJwMcdTivDsR5SM0N9sW/hnYXOb/YgCdFnRx

2uGyk940O65ZfGdUVa1xrEo=

=7tdF

-----END PGP SIGNATURE-----

 

 

------------=_1228790128-14940-5411

Content-Type: text/plain; name="message-footer.txt"

Content-Disposition: inline; filename="message-footer.txt"

Content-Transfer-Encoding: 8bit

 

To unsubscribe, send a email to sympa ( -at -) mandrivalinux.org

with this subject : unsubscribe security-announce

_______________________________________________________

Want to buy your Pack or Services from Mandriva?

Go to http://www.mandrivastore.com

Join the Club : http://www.mandrivaclub.com

_______________________________________________________

 

------------=_1228790128-14940-5411--

 

 

Share this post


Link to post

Please sign in to comment

You will be able to leave a comment after signing in



Sign In Now
Sign in to follow this  

×