vim: Race conditions and symlink attacks in vim (tcltags and vimspell)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
vim (Debian) | Fix Released | Unknown | |
vim (Ubuntu) | Fix Released | High | Martin Pitt |
Bug Description
Automatically imported from Debian bug report #289560 http://
In Debian Bug tracker #289560, Javier Fernández-Sanguino (jfs) wrote : | #1 |
In Debian Bug tracker #289560, Bram Moolenaar (bram-moolenaar) wrote : | #2 |
Javier -
> > Did you contact the original authors, Darren Hiebert and Neil
> > Schemenauer?
>
> No, I didn't. I was not sure if they were still active. Do you want me to
> forward this?
Yes. They are the authors, thus I hesitate to change their work without
at least trying to contact them.
> > I wonder if there isn't a shorter method. The handling of the temp file
> > becomes more than half the script this way.
>
> Actually, there is, you could remove the lines that try to use a temporary
> file in a temporary directory (below the comments) and just abort with a
> "Cannot create temporary file" message if tmp_tagfile (or OUTFILE) are
> 'none'.
So there would be a few (old?) systems where the script won't work?
--
GALAHAD: No. Look, I can tackle this lot single-handed!
GIRLS: Yes, yes, let him Tackle us single-handed!
/// Bram Moolenaar -- <email address hidden> -- http://
/// Sponsor Vim, vote for features -- http://
\\\ Project leader for A-A-P -- http://
\\\ Buy LOTR 3 and help AIDS victims -- http://
In Debian Bug tracker #289560, Javier Fernández-Sanguino (jfs) wrote : | #3 |
On Mon, Jan 10, 2005 at 10:33:00AM +0100, Bram Moolenaar wrote:
> > > Did you contact the original authors, Darren Hiebert and Neil
> > > Schemenauer?
> >
> > No, I didn't. I was not sure if they were still active. Do you want me to
> > forward this?
>
> Yes. They are the authors, thus I hesitate to change their work without
> at least trying to contact them.
Ok. Will do.
>
> > > I wonder if there isn't a shorter method. The handling of the temp file
> > > becomes more than half the script this way.
> >
> > Actually, there is, you could remove the lines that try to use a temporary
> > file in a temporary directory (below the comments) and just abort with a
> > "Cannot create temporary file" message if tmp_tagfile (or OUTFILE) are
> > 'none'.
>
> So there would be a few (old?) systems where the script won't work?
Correct. Those that don't have mktemp or tempfile. These should be
available in most Linux distributions but I'm not sure about their
availability in other UNIX systems (I believe mktemp is available in
Solaris, in HP-UX and in Tru64 but not in AIX, for example)
Regards
Javier
In Debian Bug tracker #289560, Javier Fernández-Sanguino (jfs) wrote : | #4 |
On Mon, Jan 10, 2005 at 10:33:00AM +0100, Bram Moolenaar wrote:
>
> Javier -
>
> > > Did you contact the original authors, Darren Hiebert and Neil
> > > Schemenauer?
> >
> > No, I didn't. I was not sure if they were still active. Do you want me to
> > forward this?
>
> Yes. They are the authors, thus I hesitate to change their work without
> at least trying to contact them.
At least one of the mail addresses (<email address hidden>) bounces.
Regards
Javier
In Debian Bug tracker #289560, Javier Fernández-Sanguino (jfs) wrote : | #5 |
On Mon, Jan 10, 2005 at 11:01:57AM +0100, Javier Fernández-Sanguino Peña wrote:
> At least one of the mail addresses (<email address hidden>) bounces.
The other author address (<email address hidden>) bounces too.
Regards
Javier
In Debian Bug tracker #289560, Mark J Cox (mjc-redhat) wrote : [coley@mitre.org: Re: CVE request] (fwd | #6 |
This is CAN-2005-0069.
In Debian Bug tracker #289560, Martin Schulze (joey-infodrom) wrote : cve id | #7 |
Please use CAN-2005-0069.
Regards,
Joey
--
The MS-DOS filesystem is nice for removable media. -- H. Peter Anvin
Please always Cc to me when replying to me on the lists.
In Debian Bug tracker #289560, Norbert Tretkowski (tretkowski) wrote : tags | #8 |
tags 289560 +pending
thanks
Norbert
In Debian Bug tracker #289560, Norbert Tretkowski (tretkowski) wrote : Re: Bug#291125: vim: temporary file vulnerabilities (CAN-2005-0069) | #9 |
severity 289560 grave
merge 289560 291125
thanks
* Joey Hess wrote:
> As described in the Ubuntu advisory below, vim's tcltags and vimspell
> scripts use temp files insecurely.
Updated package is already building currently.
Norbert
Debian Bug Importer (debzilla) wrote : | #10 |
Automatically imported from Debian bug report #289560 http://
Debian Bug Importer (debzilla) wrote : | #11 |
Message-ID: <email address hidden>
Date: Sun, 9 Jan 2005 21:05:26 +0100
From: Javier =?iso-8859-
To: <email address hidden>
Cc: Bram Moolenaar <email address hidden>
Subject: vim: Race conditions and symlink attacks in vim (tcltags and vimspell)
Package: vim
Version: 1:6.3-046+1
Severity: minor
Tags: patch security sid woody sarge
Hi there,
Reviewing vim as part of the security audit the Audit team [1] is
conducting I've found what I believe are some race conditions and symlink
attacks through temporary files in vim. They appear in two scripts which
are not installed in Debian in binary locations (they are installed under
/usr/share/
That's mainly why I'm opening this bug up in Debian's BTS and not
contacting the security team directly although the code is present in all
vim releases in Debian.
These appear in:
1.- the tcltags script (runtime/
(...)
11 tmp_tagfile=
(...)
130 sed -e "/^!_TAG_
\
131 -e "/^!_TAG_
\
132 $tagfile > $tmp_tagfile
2.- the vimspell script (runtime/
16 OUTFILE=
17 # if you have "tempfile", use the following line
18 #OUTFILE=
(...)
30 spell $SPELL_ARGS $INFILE | sort -u |
31 awk '
32 {
33 printf "syntax match SpellErrors \"\\<%s\\>\"\n", $0 ;
34 }
35
36 END {
37 printf "highlight link SpellErrors ErrorMsg\n\n" ;
38 }
39 ' > $OUTFILE
40 echo "!rm $OUTFILE" >> $OUTFILE
41 echo $OUTFILE
Since these are tools that are run from vim, an attacker can get a
good-enough approximation of the PIDs that will be used in these temporary
files and can conduct a symlink attack if these tools are used.
The attached patch should fix both of these issues, I've taken the
approach implemented in vimtutor, but modified it slightly for vimspell as
the temporary file cannot be removed by the script (vim removes it) when
mktemp and tempfile are not available, there will still be a race condition
in the script. Since most GNU/Linux and UNIX operating systems seem to
have either one I don't think it's a big issue, however.
Best regards
Javier
diff -Nru vim-6.3.
ls/tcltags
--- vim-6.3.
0200
+++ vim-6.3/
@@ -8,7 +8,31 @@
program_
pr...
Debian Bug Importer (debzilla) wrote : | #12 |
Message-ID: <email address hidden>
Date: Sun, 9 Jan 2005 22:24:11 +0100
From: Javier =?iso-8859-
To: Bram Moolenaar <email address hidden>
Cc: <email address hidden>
Subject: Re: vim: Race conditions and symlink attacks in vim (tcltags and vimspell)
On Sun, Jan 09, 2005 at 10:02:35PM +0100, Bram Moolenaar wrote:
>
> Javier -
>
> > Reviewing vim as part of the security audit the Audit team [1] is
> > conducting I've found what I believe are some race conditions and symlink
> > attacks through temporary files in vim. They appear in two scripts which
> > are not installed in Debian in binary locations (they are installed under
> > /usr/share/
>
> Thanks for looking into this and providing patches.
>
> Did you contact the original authors, Darren Hiebert and Neil
> Schemenauer?
No, I didn't. I was not sure if they were still active. Do you want me to
forward this?
> I wonder if there isn't a shorter method. The handling of the temp file
> becomes more than half the script this way.
Actually, there is, you could remove the lines that try to use a temporary
file in a temporary directory (below the comments) and just abort with a
"Cannot create temporary file" message if tmp_tagfile (or OUTFILE) are
'none'.
Regards
Javier
Debian Bug Importer (debzilla) wrote : | #13 |
Message-Id: <email address hidden>
Date: Mon, 10 Jan 2005 10:33:00 +0100
From: Bram Moolenaar <email address hidden>
To: Javier =?iso-8859-
Cc: <email address hidden>
Subject: Re: vim: Race conditions and symlink attacks in vim (tcltags and vimspell)
Debian Bug Importer (debzilla) wrote : | #14 |
Message-ID: <email address hidden>
Date: Mon, 10 Jan 2005 10:56:21 +0100
From: Javier =?iso-8859-
To: Bram Moolenaar <email address hidden>
Cc: <email address hidden>
Subject: Re: vim: Race conditions and symlink attacks in vim (tcltags and vimspell)
Debian Bug Importer (debzilla) wrote : | #15 |
Message-ID: <email address hidden>
Date: Mon, 10 Jan 2005 11:01:57 +0100
From: Javier =?iso-8859-
To: Bram Moolenaar <email address hidden>
Cc: <email address hidden>
Subject: Re: vim: Race conditions and symlink attacks in vim (tcltags and vimspell)
Debian Bug Importer (debzilla) wrote : | #16 |
Message-ID: <email address hidden>
Date: Mon, 10 Jan 2005 11:43:10 +0100
From: Javier =?iso-8859-
To: Bram Moolenaar <email address hidden>
Cc: <email address hidden>
Subject: Re: vim: Race conditions and symlink attacks in vim (tcltags and vimspell)
Debian Bug Importer (debzilla) wrote : | #17 |
Message-ID: <email address hidden>
Date: Fri, 14 Jan 2005 12:30:15 +0000 (GMT)
From: Mark J Cox <email address hidden>
To: <email address hidden>
Subject: [<email address hidden>: Re: CVE request] (fwd
Debian Bug Importer (debzilla) wrote : | #18 |
Message-ID: <email address hidden>
Date: Fri, 14 Jan 2005 14:16:06 +0100
From: Martin Schulze <email address hidden>
To: <email address hidden>
Subject: cve id
Debian Bug Importer (debzilla) wrote : | #19 |
Message-ID: <email address hidden>
Date: Sat, 15 Jan 2005 20:42:35 +0100
From: Norbert Tretkowski <email address hidden>
To: <email address hidden>
Subject: tags
Debian Bug Importer (debzilla) wrote : | #20 |
Message-ID: <email address hidden>
Date: Tue, 18 Jan 2005 23:45:40 +0100
From: Norbert Tretkowski <email address hidden>
To: Joey Hess <email address hidden>, <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#291125: vim: temporary file vulnerabilities (CAN-2005-0069)
Debian Bug Importer (debzilla) wrote : | #21 |
*** Bug 12027 has been marked as a duplicate of this bug. ***
In Debian Bug tracker #289560, Norbert Tretkowski (tretkowski) wrote : Bug#289560: fixed in vim 1:6.3-058+1 | #22 |
Source: vim
Source-Version: 1:6.3-058+1
We believe that the bug you reported is fixed in the latest version of
vim, which is due to be installed in the Debian FTP archive:
kvim-perl_
to pool/main/
kvim-python_
to pool/main/
kvim-ruby_
to pool/main/
kvim-tcl_
to pool/main/
kvim_6.
to pool/main/
vim-common_
to pool/main/
vim-doc_
to pool/main/
vim-gnome_
to pool/main/
vim-gtk_
to pool/main/
vim-lesstif_
to pool/main/
vim-perl_
to pool/main/
vim-python_
to pool/main/
vim-ruby_
to pool/main/
vim-tcl_
to pool/main/
vim_6.3-
to pool/main/
vim_6.3-058+1.dsc
to pool/main/
vim_6.3-
to pool/main/
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Norbert Tretkowski <email address hidden> (supplier of updated vim package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Tue, 18 Jan 2005 20:12:25 +0100
Source: vim
Binary: vim-lesstif vim-common vim-doc vim-gnome kvim-ruby vim vim-gtk kvim-perl vim-perl kvim-tcl vim-tiny vim-ruby vim-python vim-tcl kvim-python kvim
Architecture: source alpha all
Version: 1:6.3-058+1
Distribution: unstable
Urgency: high
Maintainer: Norbert Tretkowski <email address hidden>
Changed-By: Norbert Tretkowski <email address hidden>
Description:
kvim - Vi IMproved - KDE 3.x version
kvim-perl - Vi IMproved - KDE 3.x version with Perl scripting support
kvim-python - Vi IMproved - KDE 3.x version with Python scripting support
kvim-ruby - Vi IMproved - KDE 3.x version with Ruby scripting support
kvim-tcl - Vi IMproved - KDE 3.x version with TCL scripting support
vim - Vi IMproved - enhanced vi editor
vim-common - Vi IMproved - Common files
vim-doc - Vi IMproved - Documentation files
vim-gnome - Vi IMproved - GNOME2 Version
vim-gtk - Vi IMproved - GTK2 Version
vim-lesstif - Vi IMproved - LessTif Version
vim-perl - Vi IMproved, with perl scripting support
vim-python - Vi IMpr...
Debian Bug Importer (debzilla) wrote : | #23 |
Message-Id: <email address hidden>
Date: Wed, 19 Jan 2005 02:17:20 -0500
From: Norbert Tretkowski <email address hidden>
To: <email address hidden>
Subject: Bug#289560: fixed in vim 1:6.3-058+1
In Debian Bug tracker #289560, Javier Fernández-Sanguino (jfs) wrote : Re: Bug#289560 acknowledged by developer (Bug#289560: fixed in vim 1:6.3-058+1) | #24 |
> * added a new patch (stolen from Ubuntu) which modifies vimspell.sh and
> tcltags.sh so they use mktemp instead of insecure $$ construction to
> create temporary files (CAN-2005-0069) (closes: #289560)
A few comments and questions regarding this entry:
- the scripts seem to be ancient and no longer supported by either their
authors nor vim maintainer and have been removed upstream.
- I understand that Ubuntu's patch might be simpler, but I actually wrote
the patch based on what's done in vim's tcltutor script. There were some
reasons I wrote it which have been disregarded (mostly compatibility
reasons for things that don't have mktemp/tempfile)
(I can't find it in Ubuntu's bugzilla 5633 but found it in our BTS #291125)
- no credit is given to me, which I would have appreciated
- Ubuntu's patch for tcltags will remove the temporary file *twice* (once
on exit, once after the trap is called) as the last line of the script has
not been removed (rm $tmp_tagfile) as I did in my patch.
Regards
Javier
Debian Bug Importer (debzilla) wrote : | #25 |
Message-ID: <email address hidden>
Date: Wed, 19 Jan 2005 09:08:38 +0100
From: Javier =?iso-8859-
To: <email address hidden>
Cc: Javier =?iso-8859-
Subject: Re: Bug#289560 acknowledged by developer (Bug#289560: fixed in vim 1:6.3-058+1)
In Debian Bug tracker #289560, Martin Pitt (pitti) wrote : Re: Bug#289560: acknowledged by developer (Bug#289560: fixed in vim 1:6.3-058+1) | #26 |
Hi Javier!
Javier Fernández-Sanguino Peña [2005-01-19 9:08 +0100]:
> > * added a new patch (stolen from Ubuntu) which modifies vimspell.sh and
> > tcltags.sh so they use mktemp instead of insecure $$ construction to
> > create temporary files (CAN-2005-0069) (closes: #289560)
>
> A few comments and questions regarding this entry:
>
> - the scripts seem to be ancient and no longer supported by either their
> authors nor vim maintainer and have been removed upstream.
Maybe, but still we ship them in our stable release, so we must fix
it.
> - I understand that Ubuntu's patch might be simpler, but I actually wrote
> the patch based on what's done in vim's tcltutor script. There were some
> reasons I wrote it which have been disregarded (mostly compatibility
> reasons for things that don't have mktemp/tempfile)
> (I can't find it in Ubuntu's bugzilla 5633 but found it in our BTS #291125)
I read your patch, but I deliberately wrote my own very simple
version, because:
- I wanted to avoid the tempfile race in any case, so if mktemp is not
available, the script should rather fail than be vulnerable. mktemp
is shipped in a required package, so we can assume it is there.
- A security update must be as simple and unintrusive as possible. I
do not care about the widest possible upstream portability in
security updates, the solution only needs to work on the platforms
we support.
> - no credit is given to me, which I would have appreciated
I credited you in the announcement [1] since you found the bug.
However, since I did not take your patch, but wrote my own, I did not
credit you for the patch (so if it's broken, it is seen as my fault
and not yours :-) ).
[1] http://
> - Ubuntu's patch for tcltags will remove the temporary file *twice* (once
> on exit, once after the trap is called) as the last line of the script has
> not been removed (rm $tmp_tagfile) as I did in my patch.
Right, thanks for that hint. It would be nice to fix that in Sid and
our development release.
Have a nice day!
Martin
--
Martin Pitt http://
Ubuntu Developer http://
Debian GNU/Linux Developer http://
Debian Bug Importer (debzilla) wrote : | #27 |
Message-ID: <email address hidden>
Date: Wed, 19 Jan 2005 10:24:20 +0100
From: Martin Pitt <email address hidden>
To: Javier =?iso-8859-
<email address hidden>
Subject: Re: Bug#289560: acknowledged by developer (Bug#289560: fixed in vim 1:6.3-058+1)
Martin Pitt (pitti) wrote : | #28 |
Fixed in Warty in USN-61-1, fixed in Hoary in 1:6.3-046+1ubuntu2.
In Debian Bug tracker #289560, Javier Fernández-Sanguino (jfs) wrote : | #29 |
On Wed, Jan 19, 2005 at 10:24:20AM +0100, Martin Pitt wrote:
> I read your patch, but I deliberately wrote my own very simple
> version, because:
Martin, just to get things straight, my comments are not directed
towards you, but towards the vim maintainer.
>
> - I wanted to avoid the tempfile race in any case, so if mktemp is not
> available, the script should rather fail than be vulnerable. mktemp
> is shipped in a required package, so we can assume it is there.
It would be best if instead of
tmp_tagfile=`mktemp -t tcltagXXXXXX` || exit 1
you had used
tmp_tagfile=`mktemp -t tcltagXXXXXX` || { echo "$0: error creating the
temporary file" >&2; exit 1 ;}
IMHO
> - A security update must be as simple and unintrusive as possible. I
> do not care about the widest possible upstream portability in
> security updates, the solution only needs to work on the platforms
> we support.
Well, in the Debian case (not Ubuntu's) the patch was not intended to be
used as a DSA (since even if the code is in stable, it's in
/usr/share/doc). I wasn't complaining about the Ubuntu update, but about
the use of Ubuntu's patch in Debian when mine could be used instead for the
sid upload (and would've been more consistent with upstream source)
> > - no credit is given to me, which I would have appreciated
>
> I credited you in the announcement [1] since you found the bug.
I was mentioning Debian's changelog, not Ubuntu's advisory.
Actually, all my statements are with how this bug has been handled by the
Debian maintainer, which takes no action until an Ubuntu advisory is
released.
In any case, no use in arguing this when there is so many things to work on
(and so many similar security bugs to report)
Regards
Javier
In Debian Bug tracker #289560, Martin Pitt (pitti) wrote : | #30 |
Hi Javier!
Javier Fernández-Sanguino Peña [2005-01-19 11:40 +0100]:
> It would be best if instead of
>
> tmp_tagfile=`mktemp -t tcltagXXXXXX` || exit 1
>
> you had used
>
> tmp_tagfile=`mktemp -t tcltagXXXXXX` || { echo "$0: error creating the
> temporary file" >&2; exit 1 ;}
>
> IMHO
There is no need for this. mktemp generates an error message on its
own, so this would only write two messages.
> In any case, no use in arguing this when there is so many things to work on
> (and so many similar security bugs to report)
Right, I just wanted to point out above mktemp behavior, since this
seems to be a common misconception.
Thanks for your great work and have a nice day!
Martin
--
Martin Pitt http://
Ubuntu Developer http://
Debian GNU/Linux Developer http://
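The two patterns argued over in this thread (the PID-based `$$` name versus `mktemp` with a single cleanup point), side by side as an added shell example; it is not the vim scripts or either patch discussed here. Function names, file names and the simplified sed filter are assumptions, and all data is constructed in a private sandbox directory.

```shell
#!/bin/sh
# Added example: not the vim scripts and not either patch from this thread.
# Function names, file names and the simplified sed filter are assumptions.

# "Before": PID-based name, the $$ construction the fix replaced.
# ">" opens whatever already sits at that path, so a symlink waiting at
# the guessed name sends the write to the symlink's target.
write_predictable() {   # $1 = temp dir, $2 = text to store
    out="$1/tcltags.$$"
    printf '%s\n' "$2" > "$out" || return 1
    printf '%s\n' "$out"
}

# "After": mktemp picks a random name and creates the file exclusively,
# readable by the owner only. If mktemp is missing or fails, the caller
# gets an error instead of a guessable fallback name.
make_tmp() {            # $1 = temp dir
    command -v mktemp >/dev/null 2>&1 || {
        echo "make_tmp: mktemp not available" >&2
        return 1
    }
    mktemp "$1/tcltag.XXXXXX"
}

# Filter a tags file through a temp file with one cleanup point, the
# EXIT trap. A trailing "rm" after this would remove the file twice.
filter_tags() {         # $1 = tags file, $2 = temp dir
    (
        tmp=$(make_tmp "$2") || exit 1
        trap 'rm -f "$tmp"' EXIT
        trap 'exit 1' HUP INT TERM
        sed -e '/^!_TAG_/d' "$1" > "$tmp" || exit 1
        cat "$tmp"
    )
}

# Self-check on constructed data inside a private sandbox directory.
self_check() {
    box=$(mktemp -d) || return 1
    rc=0

    # 1. A symlink already present at the predictable name is followed.
    printf 'original\n' > "$box/victim"
    ln -s "$box/victim" "$box/tcltags.$$"
    write_predictable "$box" "overwritten" >/dev/null || rc=1
    [ "$(cat "$box/victim")" = "overwritten" ] || rc=1
    rm -f "$box/tcltags.$$"

    # 2. mktemp hands back a new, empty regular file (never a link).
    t=$(make_tmp "$box") || rc=1
    { [ -f "$t" ] && [ ! -L "$t" ] && [ ! -s "$t" ]; } || rc=1
    rm -f "$t"

    # 3. The filter drops the "!_TAG_" header and leaves no temp file.
    printf '!_TAG_FILE_SORTED\t1\nmain\tfoo.tcl\t1\n' > "$box/tags"
    got=$(filter_tags "$box/tags" "$box") || rc=1
    left=$(ls "$box" | grep -c '^tcltag\.' || true)
    [ "$got" = "$(printf 'main\tfoo.tcl\t1')" ] || rc=1
    [ "$left" = "0" ] || rc=1

    rm -rf "$box"
    return "$rc"
}

if self_check; then echo "all checks passed"; else echo "check failed"; fi
```

The template is given as a full path rather than with `-t`, because the meaning of `-t` differs between mktemp implementations.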
Debian Bug Importer (debzilla) wrote : | #31 |
Message-ID: <email address hidden>
Date: Wed, 19 Jan 2005 11:40:47 +0100
From: Javier =?iso-8859-
To: Martin Pitt <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#289560: acknowledged by developer (Bug#289560: fixed in vim 1:6.3-058+1)
--fUYQa+Pmc3FrFX/N
Content-Type: text/plain; charset=us-ascii
Content-
Content-
On Wed, Jan 19, 2005 at 10:24:20AM +0100, Martin Pitt wrote:
> I read your patch, but I deliberately wrote my own very simple
> version, because:
Martin, just to get things straight, my comments are not directed=20
towards you, but towards the vim maintainer.
>=20
> - I wanted to avoid the tempfile race in any case, so if mktemp is not
> available, the script should rather fail than be vulnerable. mktemp
> is shipped in a required package, so we can assume it is there.
It would be best if instead of=20
tmp_tagfile=
you had used
tmp_tagfile=
temporary file" >&2; exit 1 ;}
IMHO
> - A security update must be as simple and unintrusive as possible. I
> do not care about the widest possible upstream portability in
> security updates, the solution only needs to work on the platforms
> we support.
Well, in the Debian case (not Ubuntu's) the patch was not intented to be
used as a DSA (since even if the code is in stable, it's in
/usr/share/doc). I wasn't complaining about the Ubuntu update, but about
the use of Ubuntu's patch in Debian when mine could be used instead for the
sid upload (and would've been more consistent with upstream source)
> > - no credit is given to me, which I would have appreciated
>=20
> I credited you in the announcement [1] since you found the bug.
I was mentioning Debian's changelog, not Ubuntu's advisory.
Actually, all my statements are with how this bug has been handled by the
Debian maintainer, which takes no action until an Ubuntu advisory is
released.
In any case, no use in arguing this when there are so many things to work on
(and so many similar security bugs to report)
Regards
Javier
Debian Bug Importer (debzilla) wrote : | #32 |
Message-ID: <email address hidden>
Date: Wed, 19 Jan 2005 12:04:06 +0100
From: Martin Pitt <email address hidden>
To: Javier =?iso-8859-
Cc: <email address hidden>
Subject: Re: Bug#289560: acknowledged by developer (Bug#289560: fixed in vim 1:6.3-058+1)
Hi Javier!
Javier Fernández-
> It would be best if instead of
>
> tmp_tagfile=
>
> you had used
>
> tmp_tagfile=
> temporary file" >&2; exit 1 ;}
>
> IMHO
There is no need for this. mktemp generates an error message on its
own, so this would only write two messages.
> In any case, no use in arguing this when there are so many things to work on
> (and so many similar security bugs to report)
Right, I just wanted to point out above mktemp behavior, since this
seems to be a common misconception.
Thanks for your great work and have a nice day!
Martin
--
Martin Pitt http://
Ubuntu Developer http://
Debian GNU/Linux Developer http://
In Debian Bug tracker #289560, Javier Fernández-Sanguino (jfs) wrote : | #33 |
On Wed, Jan 19, 2005 at 12:04:06PM +0100, Martin Pitt wrote:
> > IMHO
>
> There is no need for this. mktemp generates an error message on its
> own, so this would only write two messages.
Mktemp might not be available. The || test would actually check whether
mktemp fails (not common) and whether it's available. My message is
associated with the latter.
>
> > In any case, no use in arguing this when there are so many things to work on
> > (and so many similar security bugs to report)
>
> Right, I just wanted to point out above mktemp behavior, since this
> seems to be a common misconception.
Understood, but you don't cover the event of mktemp not being available.
The bash would output a message but an unknowledgeable user wouldn't know
what's amiss.
>
> Thanks for your great work and have a nice day!
Thank you for your work.
Regards
Javier
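The two failure cases debated in this exchange (mktemp present but failing, versus mktemp not installed at all), handled separately in an added example; this is not code from tcltags.sh, vimspell.sh or either patch, and `make_tmp`, `sorted_via_tmp` and the `tagfile` prefix are assumed names.

```shell
#!/bin/sh
# Added example, not code from tcltags.sh, vimspell.sh or either patch.
# make_tmp, sorted_via_tmp and the "tagfile" prefix are assumed names.

# Print the path of a newly created private temporary file.
# Returns 127 if mktemp is not installed, 1 if mktemp itself fails.
make_tmp() {
    # Case 1: mktemp is missing. Without this check the shell only reports
    # "mktemp: not found", which does not tell the user what went wrong.
    if ! command -v mktemp >/dev/null 2>&1; then
        echo "Cannot create temporary file: mktemp is not installed" >&2
        return 127
    fi
    # Case 2: mktemp is present but fails (missing or unwritable directory).
    # It prints its own diagnostic, so no second message is added.
    # On success the file already exists, was created exclusively, and is
    # mode 0600, so a pre-planted symlink with a guessed name is never opened.
    mktemp "${TMPDIR:-/tmp}/$1.XXXXXX" || return 1
}

# Constructed usage: stage stdin in the temp file, print it sorted, and
# remove the file whether or not sort succeeded.
sorted_via_tmp() {
    tmp_tagfile=$(make_tmp tagfile) || return $?
    cat > "$tmp_tagfile" && sort "$tmp_tagfile"
    rc=$?
    rm -f "$tmp_tagfile"
    return $rc
}
```

In both failure cases the script stops instead of falling back to a name derived from `$$`.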
Debian Bug Importer (debzilla) wrote : | #34 |
Message-ID: <email address hidden>
Date: Wed, 19 Jan 2005 13:20:29 +0100
From: Javier =?iso-8859-
To: Martin Pitt <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#289560: acknowledged by developer (Bug#289560: fixed in vim 1:6.3-058+1)
In Debian Bug tracker #289560, Norbert Tretkowski (tretkowski) wrote : | #35 |
Oh well... looks like I did anything wrong what can be done wrong with
this bugreport...
* Javier Fernández-Sanguino Peña wrote:
> > * added a new patch (stolen from Ubuntu) which modifies vimspell.sh and
> > tcltags.sh so they use mktemp instead of insecure $$ construction to
> > create temporary files (CAN-2005-0069) (closes: #289560)
>
> A few comments and questions regarding this entry:
>
> - the scripts seem to be ancient and no longer supported by either their
> authors nor vim maintainer and have been removed upstream.
You're right, it's better to remove those scripts.
> - no credit is given to me, which I would have appreciated
You're right again, sorry that I forgot that.
So, my plans for the next upload...
- remove vimspell.sh and tcltags.sh
- remove the Ubuntu patch
- notice in the changelog that you discovered these problems
I hope I'll find time next weekend for a new upload.
Regards, Norbert
Debian Bug Importer (debzilla) wrote : | #36 |
Message-ID: <email address hidden>
Date: Wed, 19 Jan 2005 21:23:26 +0100
From: Norbert Tretkowski <email address hidden>
To: Javier =?iso-8859-
<email address hidden>
Subject: Re: Bug#289560: acknowledged by developer (Bug#289560: fixed in vim 1:6.3-058+1)
In Debian Bug tracker #289560, Javier Fernández-Sanguino (jfs) wrote : | #37 |
> I hope I'll find time next weekend for a new upload.
There's no hurry, take your time, these scripts have been in Debian for
ages. You can even wait until the next upstream version is released, no
sense in making two uploads to fix these.
Regards
Javier
Debian Bug Importer (debzilla) wrote : | #38 |
Message-ID: <email address hidden>
Date: Thu, 20 Jan 2005 01:20:07 +0100
From: Javier =?iso-8859-
To: Norbert Tretkowski <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#289560: acknowledged by developer (Bug#289560: fixed in vim 1:6.3-058+1)
In Debian Bug tracker #289560, Helge Kreutzmann (kreutzm) wrote : Woody still vulnerable (or at least no entry in non-vulns-list) | #39 |
reopen 289560
thanks
At least woody is not fixed. I just checked, there is also no entry in
http://
for this issue. Either one (the first preferably) needs to be handled.
Greetings
Helge
--
Helge Kreutzmann, Dipl.-Phys. <email address hidden>
64bit GNU powered http://
Help keep free software "libre": http://
Debian Bug Importer (debzilla) wrote : | #40 |
Message-ID: <email address hidden>
Date: Thu, 20 Jan 2005 10:24:34 +0100
From: Helge Kreutzmann <email address hidden>
To: <email address hidden>
Cc: <email address hidden>
Subject: Woody still vulnerable (or at least no entry in non-vulns-list)
In Debian Bug tracker #289560, Frank Lichtenheld (djpig) wrote : tagging 289560 | #41 |
# Automatically generated email from bts, devscripts version 2.8.5
tags 289560 - sid
Debian Bug Importer (debzilla) wrote : | #42 |
Message-Id: <email address hidden>
Date: Thu, 20 Jan 2005 22:58:39 +0100
From: Frank Lichtenheld <email address hidden>
To: <email address hidden>
Subject: tagging 289560
In Debian Bug tracker #289560, Steve Langasek (vorlon) wrote : fixed version reaches testing | #43 |
tags 289560 -sarge
thanks
Debian Bug Importer (debzilla) wrote : | #44 |
Message-ID: <email address hidden>
Date: Sat, 22 Jan 2005 21:05:49 -0800
From: Steve Langasek <email address hidden>
To: <email address hidden>
Subject: fixed version reaches testing
In Debian Bug tracker #289560, Norbert Tretkowski (tretkowski) wrote : Re: Bug#289560: Woody still vulnerable (or at least no entry in non-vulns-list) | #45 |
severity 289560 minor
severity 291125 minor
thanks
* Helge Kreutzmann wrote:
> At least woody is not fixed. I just checked, there is also no entry in
> http://
> for this issue. Either one (the first preferably) needs to be handled.
No DSA, statement from security team was: "problem is not in active
code".
I'll try to prepare an update and upload it to woody-proposed-
so it gets into 3.0r5.
Norbert
Debian Bug Importer (debzilla) wrote : | #46 |
Message-ID: <email address hidden>
Date: Sun, 20 Feb 2005 18:07:23 +0100
From: Norbert Tretkowski <email address hidden>
To: Helge Kreutzmann <email address hidden>,
<email address hidden>, <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#289560: Woody still vulnerable (or at least no entry in non-vulns-list)
In Debian Bug tracker #289560, Debian VIM Maintainers (pkg-vim-maintainers) wrote : tagging 289560 | #47 |
# Automatically generated email from bts, devscripts version 2.8.11
tags 289560 + woody
Debian Bug Importer (debzilla) wrote : | #48 |
Message-Id: <email address hidden>
Date: Tue, 22 Mar 2005 11:00:27 +0100
From: "Pierre Habouzit <Debian VIM Maintainers" <email address hidden>
To: <email address hidden>
Subject: tagging 289560
In Debian Bug tracker #289560, Norbert Tretkowski (tretkowski) wrote : Bug#289560: fixed in vim 6.1.018-1woody1 | #49 |
Source: vim
Source-Version: 6.1.018-1woody1
We believe that the bug you reported is fixed in the latest version of
vim, which is due to be installed in the Debian FTP archive:
vim-gtk_
to pool/main/
vim-perl_
to pool/main/
vim-python_
to pool/main/
vim-ruby_
to pool/main/
vim-tcl_
to pool/main/
vim_6.1.
to pool/main/
vim_6.1.
to pool/main/
vim_6.1.
to pool/main/
vim_6.1.
to pool/main/
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Norbert Tretkowski <email address hidden> (supplier of updated vim package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sun, 3 Apr 2005 12:35:25 +0200
Source: vim
Binary: vim-python vim-gtk vim-ruby vim vim-tcl vim-perl
Architecture: source i386
Version: 6.1.018-1woody1
Distribution: stable
Urgency: medium
Maintainer: Debian VIM Maintainers <email address hidden>
Changed-By: Norbert Tretkowski <email address hidden>
Description:
vim - Vi IMproved - enhanced vi editor
vim-gtk - Vi IMproved - GTK version
vim-perl - Vi IMproved, with perl scripting support
vim-python - Vi IMproved, with python scripting support
vim-ruby - Vi IMproved, with ruby scripting support
vim-tcl - Vi IMproved, with tcl scripting support
Closes: 286223 289560 291125
Changes:
vim (6.1.018-1woody1) stable; urgency=medium
.
* CAN-2004-1138: Backported and applied patch 6.3.045 which fixes several
vulnerabil
(closes: #286223)
* CAN-2005-0069: Use mktemp instead of insecure $$ construction to create
temporary files in vimspell.sh and tcltags. (closes: #289560, #291125)
* Set maintainer address to project mailinglist on alioth and added myself to
uploaders.
Files:
Debian Bug Importer (debzilla) wrote : | #50 |
Message-Id: <email address hidden>
Date: Sun, 03 Apr 2005 08:32:09 -0400
From: Norbert Tretkowski <email address hidden>
To: <email address hidden>
Subject: Bug#289560: fixed in vim 6.1.018-1woody1
Changed in vim: | |
status: | Unknown → Fix Released |
On Sun, Jan 09, 2005 at 10:02:35PM +0100, Bram Moolenaar wrote:
>
> Javier -
>
> > Reviewing vim as part of the security audit the Audit team [1] is
> > conducting I've found what I believe are some race conditions and symlink
> > attacks through temporary files in vim. They appear in two scripts which
> > are not installed in Debian in binary locations (they are installed under
> > /usr/share/doc/vim/tools/) but are provided with execute permissions.
>
> Thanks for looking into this and providing patches.
>
> Did you contact the original authors, Darren Hiebert and Neil
> Schemenauer?
No, I didn't. I was not sure if they were still active. Do you want me to
forward this?
> I wonder if there isn't a shorter method. The handling of the temp file
> becomes more than half the script this way.
Actually, there is, you could remove the lines that try to use a temporary
file in a temporary directory (below the comments) and just abort with a
"Cannot create temporary file" message if tmp_tagfile (or OUTFILE) are
'none'.
Regards
Javier