Package: vim
Version: 1:6.3-054+1
Severity: grave
Tags: patch security
As described in the Ubuntu advisory below, vim's tcltags and vimspell
scripts use temp files insecurely. I've attached a patch I extracted from
the Ubuntu diff.
----- Forwarded message from Martin Pitt <email address hidden> -----
From: Martin Pitt <email address hidden>
Date: Tue, 18 Jan 2005 17:56:58 +0100
To: <email address hidden>
Cc: <email address hidden>, <email address hidden>
Subject: [USN-61-1] vim vulnerabilities
User-Agent: Mutt/1.5.6+20040907i
===========================================================
Ubuntu Security Notice USN-61-1 January 18, 2005
vim vulnerabilities
CAN-2005-0069
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 4.10 (Warty Warthog)
The following packages are affected:
kvim
vim
vim-gnome
vim-gtk
vim-lesstif
vim-perl
vim-python
vim-tcl
The problem can be corrected by upgrading the affected package to
version 1:6.3-025+1ubuntu2.2. In general, a standard system upgrade is
sufficient to effect the necessary changes.
Details follow:
Javier Fernández-Sanguino Peña noticed that the auxiliary scripts
"tcltags" and "vimspell.sh" created temporary files in an insecure
manner. This could allow a symbolic link attack to create or overwrite
arbitrary files with the privileges of the user invoking the script
(either by calling it directly or by execution through vim).
Message-ID: <email address hidden>
Date: Tue, 18 Jan 2005 16:50:17 -0500
From: Joey Hess <email address hidden>
To: <email address hidden>
Subject: vim: temporary file vulnerabilities (CAN-2005-0069)
----- End forwarded message -----
-- 
see shy jo
diff -urN vim63/runtime/ tools/tcltags vim63.new/ runtime/ tools/tcltags tools/tcltags 1999-08-01 14:01:46.000000000 +0200 runtime/ tools/tcltags 2005-01-18 16:25:24.452393560 +0100 version= 3D"0.3" author= 3D"Darren Hiebert" 3D/tmp/ ${program_ name}.$ $ 3D`mktemp -t tcltagXXXXXX` || exit 1 tools/vimspell. sh vim63.new/ runtime/ tools/vimspell. = tools/vimspell. sh 1999-08-01 14:01:46.000000000 +0200 runtime/ tools/vimspell. sh 2005-01-18 16:20:40.774519152 +0100 3D/tmp/ vimspell. $$ 3D`tempfile`
--- vim63/runtime/
+++ vim63.new/
@@ -8,7 +8,8 @@
program_
program_
<email address hidden>"
-tmp_tagfile=
+tmp_tagfile=
+trap "rm -rf $tmp_tagfile" 0 1 2 3 9 11 13 15
=20
usage=3D"\
Usage: $program_name [-au] [-{f|o} tagfile] [--format=3Dn] file(s)
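Review bot: the added trap line lists signal 9, which cannot be caught, and for signals 1 2 3 11 13 15 the handler only removes the file and does not exit, so the script keeps running after an interrupt without its temp file. The double quotes also expand $tmp_tagfile when the trap is set and leave the path unquoted when the handler runs, and rm -rf is broader than a single file needs. Suggest splitting it: trap 'rm -f "$tmp_tagfile"' 0 for cleanup, and trap 'exit 1' 1 2 3 13 15 so that a signal ends the script and the exit trap does the removal.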
diff -urN vim63/runtime/
sh
--- vim63/runtime/
+++ vim63.new/
@@ -13,9 +13,7 @@
# March 1999
=20
INFILE=3D$1
-OUTFILE=
-# if you have "tempfile", use the following line
-#OUTFILE=
+OUTFILE=3D`mktemp -t vimspellXXXXXX` || exit 1
=20
#
# local spellings
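Review bot: the new OUTFILE line has no matching cleanup, unlike the tcltags hunk, which adds a trap; nothing in the visible lines removes the mktemp file if the script is interrupted. Suggest adding the same kind of exit trap here, or a comment stating where the file is removed. The deleted comment documented "tempfile" as an alternative, so a one-line comment that mktemp is now a hard requirement would also help.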
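The symlink problem the advisory describes, next to the effect of the mktemp fix, as an added example that is not part of the original report or of vim's scripts. The sandbox directory, the file names `precious` and `vimspell.1234`, and the `write_*` and `check_writer` function names are assumptions made for the illustration; the noclobber variant goes beyond the patch and shows a fallback for systems without mktemp.

```shell
#!/bin/sh
# Added example. Everything happens inside a private sandbox directory that
# stands in for /tmp; the file names and contents are constructed.

# Pre-patch pattern (OUTFILE=/tmp/vimspell.$$): predictable name, plain '>'.
write_predictable() {            # $1 = directory, $2 = predictable name
    echo "spell data" > "$1/$2"
}

# Patched pattern: mktemp chooses the name and creates the file exclusively,
# so a name that already exists (file or symlink) is never reused.
write_mktemp() {                 # $1 = directory
    f=$(mktemp "$1/vimspellXXXXXX") || return 1
    echo "spell data" > "$f"
}

# Fallback without mktemp: under noclobber (set -C) '>' fails if the name
# already resolves to a regular file instead of truncating it.
write_noclobber() {              # $1 = directory, $2 = predictable name
    ( set -C; echo "spell data" > "$1/$2" ) 2>/dev/null
}

# Plant a symlink at the predictable name, run one writer, and report whether
# the file the link points to kept its contents.
check_writer() {                 # $1 = name of a writer function above
    sandbox=$(mktemp -d "${TMPDIR:-/tmp}/tmpdemo.XXXXXX") || return 1
    echo "original" > "$sandbox/precious"
    ln -s "$sandbox/precious" "$sandbox/vimspell.1234"
    "$1" "$sandbox" vimspell.1234 || true
    if [ "$(cat "$sandbox/precious")" = "original" ]; then
        result=intact
    else
        result=overwritten
    fi
    rm -rf "$sandbox"
    echo "$result"
}

for w in write_predictable write_mktemp write_noclobber; do
    printf '%-18s %s\n' "$w" "$(check_writer "$w")"
done
```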