[Secure-testing-team] Bug#506919: vim: multiple vulnerabilities (CVE-2008-3074, CVE-2008-3075, and CVE-2008-3076)

Michael S. Gilbert michael.s.gilbert at gmail.com
Tue Nov 25 22:31:36 UTC 2008


Package: vim
Version: 1:7.0.109
Severity: grave
Tags: security
Justification: user security hole

redhat has just released an update that fixes multiple security flaws in
vim [1].  these issues are currently reserved in the CVE tracker, but
redhat describes the problems as:

  Multiple security flaws were found in netrw.vim, the Vim plug-in providing
  file reading and writing over the network. If a user opened a specially
  crafted file or directory with the netrw plug-in, it could result in
  arbitrary code execution as the user running Vim. (CVE-2008-3076)

  A security flaw was found in zip.vim, the Vim plug-in that handles ZIP
  archive browsing. If a user opened a ZIP archive using the zip.vim plug-in,
  it could result in arbitrary code execution as the user running Vim.
  (CVE-2008-3075)

  A security flaw was found in tar.vim, the Vim plug-in which handles TAR
  archive browsing. If a user opened a TAR archive using the tar.vim plug-in,
  it could result in arbitrary code execution as the user running Vim.
  (CVE-2008-3074)

versions affected are unclear from the redhat notice, but the problem at 
least applies to vim version 7.0.109, which they have fixed in rhel5.

thanks for working to keep debian secure.

[1] https://rhn.redhat.com/errata/RHSA-2008-0580.html

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages vim depends on:
ii  libacl1               2.2.47-2           Access control list shared library
ii  libc6                 2.7-16             GNU C Library: Shared libraries
ii  libgpm2               1.20.4-3           General Purpose Mouse - shared lib
ii  libncurses5           5.6+20080830-1     shared libraries for terminal hand
ii  libselinux1           2.0.65-5           SELinux shared libraries
ii  vim-common            1:7.1.314-3+lenny2 Vi IMproved - Common files
ii  vim-runtime           1:7.1.314-3+lenny2 Vi IMproved - Runtime files

vim recommends no packages.

Versions of packages vim suggests:
pn  ctags                         <none>     (no description available)
pn  vim-doc                       <none>     (no description available)
pn  vim-scripts                   <none>     (no description available)

-- no debconf information
