Comment 1 for bug 12027

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Tue, 18 Jan 2005 16:50:17 -0500
From: Joey Hess <email address hidden>
To: <email address hidden>
Subject: vim: temporary file vulnerabilities (CAN-2005-0069)

Package: vim
Version: 1:6.3-054+1
Severity: grave
Tags: patch security

As described in the Ubuntu advisory below, vim's tcltags and vimspell
scripts use temp files insecurely. I've attached a patch I extracted from
the Ubuntu diff.

----- Forwarded message from Martin Pitt <email address hidden> -----

From: Martin Pitt <email address hidden>
Date: Tue, 18 Jan 2005 17:56:58 +0100
To: <email address hidden>
Cc: <email address hidden>, <email address hidden>
Subject: [USN-61-1] vim vulnerabilities
User-Agent: Mutt/1.5.6+20040907i

===========================================================
Ubuntu Security Notice USN-61-1 January 18, 2005
vim vulnerabilities
CAN-2005-0069
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)

The following packages are affected:

kvim
vim
vim-gnome
vim-gtk
vim-lesstif
vim-perl
vim-python
vim-tcl

The problem can be corrected by upgrading the affected package to
version 1:6.3-025+1ubuntu2.2. In general, a standard system upgrade is
sufficient to effect the necessary changes.

Details follow:

Javier Fernández-Sanguino Peña noticed that the auxiliary scripts
"tcltags" and "vimspell.sh" created temporary files in an insecure
manner. This could allow a symbolic link attack to create or overwrite
arbitrary files with the privileges of the user invoking the script
(either by calling it directly or by execution through vim).

----- End forwarded message -----

-- 
see shy jo

Content-Disposition: attachment; filename="vim.tmpfile"

diff -urN vim63/runtime/tools/tcltags vim63.new/runtime/tools/tcltags
--- vim63/runtime/tools/tcltags 1999-08-01 14:01:46.000000000 +0200
+++ vim63.new/runtime/tools/tcltags 2005-01-18 16:25:24.452393560 +0100
@@ -8,7 +8,8 @@
 program_version=3D"0.3"
 program_author=3D"Darren Hiebert"
 <email address hidden>"
-tmp_tagfile=3D/tmp/${program_name}.$$
+tmp_tagfile=3D`mktemp -t tcltagXXXXXX` || exit 1
+trap "rm -rf $tmp_tagfile" 0 1 2 3 9 11 13 15
=20
 usage=3D"\
 Usage: $program_name [-au] [-{f|o} tagfile] [--format=3Dn] file(s)
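
Review bot: the added trap line lists signal 9, which a shell cannot catch, and its handler only removes the file, so on signals 1, 2, 3, 13 or 15 the script cleans up and then carries on instead of exiting. Keep the cleanup on 0 and add a second trap that exits for the catchable signals, for example trap 'rm -f "$tmp_tagfile"' 0 followed by trap 'exit 1' 1 2 3 13 15. The double quotes also expand $tmp_tagfile unquoted at the moment the trap is set, so a TMPDIR containing whitespace would split the path passed to rm; single quotes with an inner "$tmp_tagfile" avoid that, and rm -f is enough for the one file mktemp creates.
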
diff -urN vim63/runtime/tools/vimspell.sh vim63.new/runtime/tools/vimspell.=
sh
--- vim63/runtime/tools/vimspell.sh 1999-08-01 14:01:46.000000000 +0200
+++ vim63.new/runtime/tools/vimspell.sh 2005-01-18 16:20:40.774519152 +0100
@@ -13,9 +13,7 @@
 # March 1999
=20
 INFILE=3D$1
-OUTFILE=3D/tmp/vimspell.$$
-# if you have "tempfile", use the following line
-#OUTFILE=3D`tempfile`
+OUTFILE=3D`mktemp -t vimspellXXXXXX` || exit 1
=20
 #
 # local spellings
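
Review bot: no cleanup is added after the new OUTFILE line, unlike the tcltags hunk, which pairs its mktemp call with a trap. If the part of vimspell.sh outside this hunk does not remove $OUTFILE on every exit path, add trap 'rm -f "$OUTFILE"' 0 directly after the assignment, and check that the later uses quote "$OUTFILE", since the name now depends on TMPDIR rather than on a fixed /tmp prefix.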

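
The difference the advisory describes, shown as an added example that is not part of the original report or of the Ubuntu patch: the pre-patch `name.$$` scheme follows a link already sitting at the guessable path, while `mktemp` creates a fresh file. The function names, the scratch directory and the `victim` file are constructed for illustration, and everything happens inside a private directory that is removed at the end.

```shell
#!/bin/sh
# Added example (constructed): pre-patch temp-file naming versus mktemp.
# All files live in a private scratch directory created by demo().

# Pre-patch pattern: predictable name, opened with a plain '>' redirect.
write_predictable() {   # $1 = directory, $2 = data
    f="$1/vimspell.$$"
    printf '%s\n' "$2" > "$f"     # follows a symlink that already exists at $f
}

# Patched pattern: mktemp picks an unused random name and creates the file
# itself, exclusively and with mode 0600, then prints the name.
write_mktemp() {        # $1 = directory, $2 = data
    f=$(mktemp "$1/vimspellXXXXXX") || return 1
    printf '%s\n' "$2" > "$f"
    printf '%s\n' "$f"
}

demo() {
    scratch=$(mktemp -d) || return 1
    victim="$scratch/victim"      # stands in for a file the user cares about

    # Case 1: a link is already waiting at the guessable name.
    printf 'original\n' > "$victim"
    ln -s "$victim" "$scratch/vimspell.$$"
    write_predictable "$scratch" "spell output"
    [ "$(cat "$victim")" = original ] && old=intact || old=clobbered

    # Case 2: same directory, same link, but the name comes from mktemp.
    printf 'original\n' > "$victim"
    tmp=$(write_mktemp "$scratch" "spell output") || return 1
    [ "$(cat "$victim")" = original ] && new=intact || new=clobbered
    mode=$(ls -ld "$tmp" | cut -c1-10)

    rm -rf "$scratch"
    printf 'predictable=%s mktemp=%s mode=%s\n' "$old" "$new" "$mode"
}

demo
```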