vim: temporary file vulnerabilities (CAN-2005-0069)

Bug #12027 reported by Debian Bug Importer
Affects        Status         Importance   Assigned to   Milestone
vim (Debian)   Fix Released   Unknown
vim (Ubuntu)   Invalid        High         Martin Pitt

Bug Description

Automatically imported from Debian bug report #291125 http://bugs.debian.org/291125

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Tue, 18 Jan 2005 16:50:17 -0500
From: Joey Hess <email address hidden>
To: <email address hidden>
Subject: vim: temporary file vulnerabilities (CAN-2005-0069)


Package: vim
Version: 1:6.3-054+1
Severity: grave
Tags: patch security

As described in the Ubuntu advisory below, vim's tcltags and vimspell
scripts use temp files insecurely. I've attached a patch I extracted from
the Ubuntu diff.

----- Forwarded message from Martin Pitt <email address hidden> -----

From: Martin Pitt <email address hidden>
Date: Tue, 18 Jan 2005 17:56:58 +0100
To: <email address hidden>
Cc: <email address hidden>, <email address hidden>
Subject: [USN-61-1] vim vulnerabilities
User-Agent: Mutt/1.5.6+20040907i

===========================================================
Ubuntu Security Notice USN-61-1 January 18, 2005
vim vulnerabilities
CAN-2005-0069
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)

The following packages are affected:

kvim
vim
vim-gnome
vim-gtk
vim-lesstif
vim-perl
vim-python
vim-tcl

The problem can be corrected by upgrading the affected package to
version 1:6.3-025+1ubuntu2.2. In general, a standard system upgrade is
sufficient to effect the necessary changes.

Details follow:

Javier Fernández-Sanguino Peña noticed that the auxiliary scripts
"tcltags" and "vimspell.sh" created temporary files in an insecure
manner. This could allow a symbolic link attack to create or overwrite
arbitrary files with the privileges of the user invoking the script
(either by calling it directly or by execution through vim).

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/v/vim/vim_6.3-025+1ubuntu2.2.diff.gz
      Size/MD5: 425421 ee7e4653fb70fd45329bf5773e610ad6
    http://security.ubuntu.com/ubuntu/pool/main/v/vim/vim_6.3-025+1ubuntu2.2.dsc
      Size/MD5: 1122 9bd9428dd29c8aa562f4b97566b9a05a
    http://security.ubuntu.com/ubuntu/pool/main/v/vim/vim_6.3.orig.tar.gz
      Size/MD5: 5624622 de1c964ceedbc13538da87d2d73fd117

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/v/vim/vim-common_6.3-025+1ubuntu2.2_all.deb
      Size/MD5: 3421084 8dc7b200376add6ccb2896e2f6e80e0d
    http://security.ubuntu.com/ubuntu/pool/main/v/vim/vim-doc_6.3-025+1ubuntu2.2_all.deb
      Size/MD5: 1646686 2c2716a1dad40612baaaf28ebc0de3a6

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/universe/v/vim/kvim_6.3-025+1ubuntu2.2_amd64.deb
      Size/MD5: 2586 1e0b1528b70e54e2bcff3a02acaacbc5
...

Debian Bug Importer (debzilla) wrote :

Marking as duplicate based on debbugs merge (289560,291125)

This bug has been marked as a duplicate of bug 12030.

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Tue, 18 Jan 2005 23:45:40 +0100
From: Norbert Tretkowski <email address hidden>
To: Joey Hess <email address hidden>, <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#291125: vim: temporary file vulnerabilities (CAN-2005-0069)

severity 289560 grave
merge 289560 291125
thanks

* Joey Hess wrote:
> As described in the Ubuntu advisory below, vim's tcltags and vimspell
> scripts use temp files insecurely.

Updated package is already building currently.

Norbert

Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Wed, 19 Jan 2005 02:17:20 -0500
From: Norbert Tretkowski <email address hidden>
To: <email address hidden>
Subject: Bug#289560: fixed in vim 1:6.3-058+1

Source: vim
Source-Version: 1:6.3-058+1

We believe that the bug you reported is fixed in the latest version of
vim, which is due to be installed in the Debian FTP archive:

kvim-perl_6.3-058+1_alpha.deb
  to pool/main/v/vim/kvim-perl_6.3-058+1_alpha.deb
kvim-python_6.3-058+1_alpha.deb
  to pool/main/v/vim/kvim-python_6.3-058+1_alpha.deb
kvim-ruby_6.3-058+1_alpha.deb
  to pool/main/v/vim/kvim-ruby_6.3-058+1_alpha.deb
kvim-tcl_6.3-058+1_alpha.deb
  to pool/main/v/vim/kvim-tcl_6.3-058+1_alpha.deb
kvim_6.3-058+1_alpha.deb
  to pool/main/v/vim/kvim_6.3-058+1_alpha.deb
vim-common_6.3-058+1_all.deb
  to pool/main/v/vim/vim-common_6.3-058+1_all.deb
vim-doc_6.3-058+1_all.deb
  to pool/main/v/vim/vim-doc_6.3-058+1_all.deb
vim-gnome_6.3-058+1_alpha.deb
  to pool/main/v/vim/vim-gnome_6.3-058+1_alpha.deb
vim-gtk_6.3-058+1_alpha.deb
  to pool/main/v/vim/vim-gtk_6.3-058+1_alpha.deb
vim-lesstif_6.3-058+1_alpha.deb
  to pool/main/v/vim/vim-lesstif_6.3-058+1_alpha.deb
vim-perl_6.3-058+1_alpha.deb
  to pool/main/v/vim/vim-perl_6.3-058+1_alpha.deb
vim-python_6.3-058+1_alpha.deb
  to pool/main/v/vim/vim-python_6.3-058+1_alpha.deb
vim-ruby_6.3-058+1_alpha.deb
  to pool/main/v/vim/vim-ruby_6.3-058+1_alpha.deb
vim-tcl_6.3-058+1_alpha.deb
  to pool/main/v/vim/vim-tcl_6.3-058+1_alpha.deb
vim_6.3-058+1.diff.gz
  to pool/main/v/vim/vim_6.3-058+1.diff.gz
vim_6.3-058+1.dsc
  to pool/main/v/vim/vim_6.3-058+1.dsc
vim_6.3-058+1_alpha.deb
  to pool/main/v/vim/vim_6.3-058+1_alpha.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Norbert Tretkowski <email address hidden> (supplier of updated vim package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 18 Jan 2005 20:12:25 +0100
Source: vim
Binary: vim-lesstif vim-common vim-doc vim-gnome kvim-ruby vim vim-gtk kvim-perl vim-perl kvim-tcl vim-tiny vim-ruby vim-python vim-tcl kvim-python kvim
Architecture: source alpha all
Version: 1:6.3-058+1
Distribution: unstable
Urgency: high
Maintainer: Norbert Tretkowski <email address hidden>
Changed-By: Norbert Tretkowski <email address hidden>
Description:
 kvim - Vi IMproved - KDE 3.x version
 kvim-perl - Vi IMproved - KDE 3.x version with Perl scripting support
 kvim-python - Vi IMproved - KDE 3.x version with Python scripting support
 kvim-ruby - Vi IMproved - KDE 3.x version with Ruby scripting support
 kvim-tcl - Vi IMproved - KDE 3.x version with TCL scripting support
 vim - Vi IMproved - enhanced vi editor
 vim-common - Vi IMproved - Common files
 vim-doc - Vi IMproved - Documentatio...

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Thu, 20 Jan 2005 10:24:34 +0100
From: Helge Kreutzmann <email address hidden>
To: <email address hidden>
Cc: <email address hidden>
Subject: Woody still vulnerable (or at least no entry in non-vulns-list)

reopen 289560
thanks

At least woody is not fixed. I just checked, there is also no entry in
http://www.debian.org/security/nonvulns-woody
for this issue. Either one (the first preferably) needs to be handled.

Greetings

          Helge
--
Helge Kreutzmann, Dipl.-Phys. <email address hidden>
                       gpg signed mail preferred
    64bit GNU powered http://www.itp.uni-hannover.de/~kreutzm
       Help keep free software "libre": http://www.freepatents.org/

Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Thu, 20 Jan 2005 22:58:39 +0100
From: Frank Lichtenheld <email address hidden>
To: <email address hidden>
Subject: tagging 289560

# Automatically generated email from bts, devscripts version 2.8.5
tags 289560 - sid

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Sat, 22 Jan 2005 21:05:49 -0800
From: Steve Langasek <email address hidden>
To: <email address hidden>
Subject: fixed version reaches testing

tags 289560 -sarge
thanks

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Sun, 20 Feb 2005 18:07:23 +0100
From: Norbert Tretkowski <email address hidden>
To: Helge Kreutzmann <email address hidden>,
 <email address hidden>, <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#289560: Woody still vulnerable (or at least no entry in non-vulns-list)

severity 289560 minor
severity 291125 minor
thanks

* Helge Kreutzmann wrote:
> At least woody is not fixed. I just checked, there is also no entry in
> http://www.debian.org/security/nonvulns-woody
> for this issue. Either one (the first preferably) needs to be handled.

No DSA, statement from security team was: "problem is not in active
code".

I'll try to prepare an update and upload it to woody-proposed-updates
so it gets into 3.0r5.

Norbert

Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Tue, 22 Mar 2005 11:00:27 +0100
From: "Pierre Habouzit <Debian VIM Maintainers" <email address hidden>
To: <email address hidden>
Subject: tagging 289560

# Automatically generated email from bts, devscripts version 2.8.11
tags 289560 + woody

Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Sun, 03 Apr 2005 08:32:09 -0400
From: Norbert Tretkowski <email address hidden>
To: <email address hidden>
Subject: Bug#289560: fixed in vim 6.1.018-1woody1

Source: vim
Source-Version: 6.1.018-1woody1

We believe that the bug you reported is fixed in the latest version of
vim, which is due to be installed in the Debian FTP archive:

vim-gtk_6.1.018-1woody1_i386.deb
  to pool/main/v/vim/vim-gtk_6.1.018-1woody1_i386.deb
vim-perl_6.1.018-1woody1_i386.deb
  to pool/main/v/vim/vim-perl_6.1.018-1woody1_i386.deb
vim-python_6.1.018-1woody1_i386.deb
  to pool/main/v/vim/vim-python_6.1.018-1woody1_i386.deb
vim-ruby_6.1.018-1woody1_i386.deb
  to pool/main/v/vim/vim-ruby_6.1.018-1woody1_i386.deb
vim-tcl_6.1.018-1woody1_i386.deb
  to pool/main/v/vim/vim-tcl_6.1.018-1woody1_i386.deb
vim_6.1.018-1woody1.diff.gz
  to pool/main/v/vim/vim_6.1.018-1woody1.diff.gz
vim_6.1.018-1woody1.dsc
  to pool/main/v/vim/vim_6.1.018-1woody1.dsc
vim_6.1.018-1woody1_i386.deb
  to pool/main/v/vim/vim_6.1.018-1woody1_i386.deb
vim_6.1.018.orig.tar.gz
  to pool/main/v/vim/vim_6.1.018.orig.tar.gz

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Norbert Tretkowski <email address hidden> (supplier of updated vim package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun, 3 Apr 2005 12:35:25 +0200
Source: vim
Binary: vim-python vim-gtk vim-ruby vim vim-tcl vim-perl
Architecture: source i386
Version: 6.1.018-1woody1
Distribution: stable
Urgency: medium
Maintainer: Debian VIM Maintainers <email address hidden>
Changed-By: Norbert Tretkowski <email address hidden>
Description:
 vim - Vi IMproved - enhanced vi editor
 vim-gtk - Vi IMproved - GTK version
 vim-perl - Vi IMproved, with perl scripting support
 vim-python - Vi IMproved, with python scripting support
 vim-ruby - Vi IMproved, with ruby scripting support
 vim-tcl - Vi IMproved, with tcl scripting support
Closes: 286223 289560 291125
Changes:
 vim (6.1.018-1woody1) stable; urgency=medium
 .
   * CAN-2004-1138: Backported and applied patch 6.3.045 which fixes several
     vulnerabilities related to the use of options in modelines.
     (closes: #286223)
   * CAN-2005-0069: Use mktemp instead of insecure $$ construction to create
     temporary files in vimspell.sh and tcltags. (closes: #289560, #291125)
   * Set maintainer address to project mailinglist on alioth and added myself to
     uploaders.
Files:
 1cfdd09715be69c8df993ad9e662b92f 804 editors optional vim_6.1.018-1woody1.dsc
 a72ece837a192262ef9daf29566fd6c1 4430373 editors optional vim_6.1.018.orig.tar.gz
 776f9a74f34ba52f9d4040323657d7df 30282 editors optional vim_6.1.018-1woody1.diff.gz
 e7e1230281e4d71...
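
The changelog entry above replaces the "$$ construction" with mktemp, and the advisory earlier in the thread describes the symlink risk of the old form. The following is an added example, not code from vimspell.sh, tcltags or the Debian patch; the function names, the example.* and check.* file names and the sample script are constructed for illustration.

```shell
#!/bin/sh
# Added example: the "$$" temp-file pattern next to the mktemp replacement.
# All names here (example.*, sample_script, find_pid_tmpfiles) are illustrative.

# Insecure: the name is built from the shell's PID, so any local user can
# predict it. A later "> file" follows a symlink already planted there.
insecure_tmpname() {
    printf '%s\n' "/tmp/example.$$"
}

# Hardened: mktemp chooses an unpredictable name and creates the file
# exclusively with mode 0600, failing instead of reusing an existing path.
make_tmpfile() {
    mktemp "${TMPDIR:-/tmp}/example.XXXXXX"
}

# Constructed sample input: one temp file of each style.
sample_script() {
    cat <<'EOF'
#!/bin/sh
OUTFILE=/tmp/check.$$
spell < "$1" > $OUTFILE
SAFE=$(mktemp /tmp/check.XXXXXX) || exit 1
EOF
}

# Audit helper: print "line:text" for each /tmp path that embeds $$.
find_pid_tmpfiles() {
    grep -nE '/tmp/[^[:space:]]*\$\$' "$1"
}

# Demo: audit the constructed sample, using a securely created scratch file.
scratch=$(make_tmpfile) || exit 1
trap 'rm -f "$scratch"' EXIT
sample_script > "$scratch"
find_pid_tmpfiles "$scratch"
```

Running find_pid_tmpfiles over a tree of shell scripts is a quick way to find remaining instances of the pattern before and after a backport like this one.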

Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Sun, 03 Apr 2005 08:32:09 -0400
From: Norbert Tretkowski <email address hidden>
To: <email address hidden>
Subject: Bug#291125: fixed in vim 6.1.018-1woody1


Changed in vim:
status: Unknown → Fix Released