Attachment 27784 Details for Bug 65025

vendor-sec discussion

vim.txt (text/plain), 9.30 KB, created by Thomas Biege on 2005-01-20 20:57:27 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Thomas Biege

Created: 2005-01-20 20:57:27 UTC

Size: 9.30 KB

patch

obsolete

>--n8g4imXOkfNTN/H1
>Content-Type: text/plain; charset=iso-8859-1
>Content-Disposition: inline
>Content-Transfer-Encoding: quoted-printable
>
>=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
>=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
>=3D=3D=3D=3D=3D=3D=3D=3D=3D
>Ubuntu Security Notice USN-61-1		   January 18, 2005
>vim vulnerabilities
>CAN-2005-0069
>=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
>=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
>=3D=3D=3D=3D=3D=3D=3D=3D=3D
>
>A security issue affects the following Ubuntu releases:
>
>Ubuntu 4.10 (Warty Warthog)
>
>The following packages are affected:
>
>kvim
>vim
>vim-gnome
>vim-gtk
>vim-lesstif
>vim-perl
>vim-python
>vim-tcl
>
>The problem can be corrected by upgrading the affected package to
>version 1:6.3-025+1ubuntu2.2. In general, a standard system upgrade is
>sufficient to effect the necessary changes.
>
>Details follow:
>
>Javier Fern=E1ndez-Sanguino Pe=F1a noticed that the auxillary scripts
>"tcltags" and "vimspell.sh" created temporary files in an insecure
>manner. This could allow a symbolic link attack to create or overwrite
>arbitrary files with the privileges of the user invoking the script
>(either by calling it directly or by execution through vim).
>
>  Source archives:
>
>    http://security.ubuntu.com/ubuntu/pool/main/v/vim/vim_6.3-025+1ubuntu2.=
>2.diff.gz
>      Size/MD5:   425421 ee7e4653fb70fd45329bf5773e610ad6
>    http://security.ubuntu.com/ubuntu/pool/main/v/vim/vim_6.3-025+1ubuntu2.=
>2.dsc
>      Size/MD5:     1122 9bd9428dd29c8aa562f4b97566b9a05a
>    http://security.ubuntu.com/ubuntu/pool/main/v/vim/vim_6.3.orig.tar.gz
>      Size/MD5:  5624622 de1c964ceedbc13538da87d2d73fd117
>
>  Architecture independent packages:
>
>    http://security.ubuntu.com/ubuntu/pool/main/v/vim/vim-common_6.3-025+1u=
>buntu2.2_all.deb
>      Size/MD5:  3421084 8dc7b200376add6ccb2896e2f6e80e0d
>    http://security.ubuntu.com/ubuntu/pool/main/v/vim/vim-doc_6.3-025+1ubun=
>tu2.2_all.deb
>      Size/MD5:  1646686 2c2716a1dad40612baaaf28ebc0de3a6
>
>  amd64 architecture (Athlon64, Opteron, EM64T Xeon)
>
>    http://security.ubuntu.com/ubuntu/pool/universe/v/vim/kvim_6.3-025+1ubu=
>ntu2.2_amd64.deb
>      Size/MD5:     2586 1e0b1528b70e54e2bcff3a02acaacbc5
>    http://security.ubuntu.com/ubuntu/pool/main/v/vim/vim-gnome_6.3-025+1ub=
>untu2.2_amd64.deb
>      Size/MD5:   805722 51093d7843d5fb20ece35d2f53eadb0d
>    http://security.ubuntu.com/ubuntu/pool/universe/v/vim/vim-gtk_6.3-025+1=
>ubuntu2.2_amd64.deb
>      Size/MD5:   802452 d4fd55aca188063434361f5674805dec
>    http://security.ubuntu.com/ubuntu/pool/universe/v/vim/vim-lesstif_6.3-0=
>25+1ubuntu2.2_amd64.deb
>      Size/MD5:   784100 1d477c5f09466e8942d0f7da3c221afd
>    http://security.ubuntu.com/ubuntu/pool/universe/v/vim/vim-perl_6.3-025+=
>1ubuntu2.2_amd64.deb
>      Size/MD5:   809126 646c31a0d612b398943b4c2a42c9b6f9
>    http://security.ubuntu.com/ubuntu/pool/universe/v/vim/vim-python_6.3-02=
>5+1ubuntu2.2_amd64.deb
>      Size/MD5:   802470 ede70bb09d39b7571fae1192900b0385
>    http://security.ubuntu.com/ubuntu/pool/universe/v/vim/vim-tcl_6.3-025+1=
>ubuntu2.2_amd64.deb
>      Size/MD5:   801160 aa65781693eca8d06230bc5f8ee29463
>    http://security.ubuntu.com/ubuntu/pool/main/v/vim/vim_6.3-025+1ubuntu2.=
>2_amd64.deb
>      Size/MD5:   765120 b5425b1b087b9528e7e4a9ef25493299
>
>  i386 architecture (x86 compatible Intel/AMD)
>
>    http://security.ubuntu.com/ubuntu/pool/universe/v/vim/kvim_6.3-025+1ubu=
>ntu2.2_i386.deb
>      Size/MD5:     2590 edbd9dc0be6acaea44ee02e09c6e5c3e
>    http://security.ubuntu.com/ubuntu/pool/main/v/vim/vim-gnome_6.3-025+1ub=
>untu2.2_i386.deb
>      Size/MD5:   702656 7a12cb5196a1257eae527f5b231d763d
>    http://security.ubuntu.com/ubuntu/pool/universe/v/vim/vim-gtk_6.3-025+1=
>ubuntu2.2_i386.deb
>      Size/MD5:   700006 486ea88f3d0a2c4eb1804c09bca8418b
>    http://security.ubuntu.com/ubuntu/pool/universe/v/vim/vim-lesstif_6.3-0=
>25+1ubuntu2.2_i386.deb
>      Size/MD5:   682462 61c39ffed3017081974a3af522b61959
>    http://security.ubuntu.com/ubuntu/pool/universe/v/vim/vim-perl_6.3-025+=
>1ubuntu2.2_i386.deb
>      Size/MD5:   707674 05989ac6496d7a1db524b68bd1acd313
>    http://security.ubuntu.com/ubuntu/pool/universe/v/vim/vim-python_6.3-02=
>5+1ubuntu2.2_i386.deb
>      Size/MD5:   700022 09e7ebbe082c99520d11fa33277cc212
>    http://security.ubuntu.com/ubuntu/pool/universe/v/vim/vim-tcl_6.3-025+1=
>ubuntu2.2_i386.deb
>      Size/MD5:   699634 673329baa7cd9aca70cca9f87943a628
>    http://security.ubuntu.com/ubuntu/pool/main/v/vim/vim_6.3-025+1ubuntu2.=
>2_i386.deb
>      Size/MD5:   680130 305b1d85bbdb52dd9869a21664049be3
>
>  powerpc architecture (Apple Macintosh G3/G4/G5)
>
>    http://security.ubuntu.com/ubuntu/pool/universe/v/vim/kvim_6.3-025+1ubu=
>ntu2.2_powerpc.deb
>      Size/MD5:     2586 f56083ef36048c9b94c41a37c35633dc
>    http://security.ubuntu.com/ubuntu/pool/main/v/vim/vim-gnome_6.3-025+1ub=
>untu2.2_powerpc.deb
>      Size/MD5:   787984 e38f3d9674200796e39438ece635ebf7
>    http://security.ubuntu.com/ubuntu/pool/universe/v/vim/vim-gtk_6.3-025+1=
>ubuntu2.2_powerpc.deb
>      Size/MD5:   785338 bdb6dd908d78a1172a431b4dbbea97f5
>    http://security.ubuntu.com/ubuntu/pool/universe/v/vim/vim-lesstif_6.3-0=
>25+1ubuntu2.2_powerpc.deb
>      Size/MD5:   769822 b4dc7592d9a49fa63488ff35b7f9b97d
>    http://security.ubuntu.com/ubuntu/pool/universe/v/vim/vim-perl_6.3-025+=
>1ubuntu2.2_powerpc.deb
>      Size/MD5:   792362 76ae3cbe76e78757cd82b08b8ebe2aa8
>    http://security.ubuntu.com/ubuntu/pool/universe/v/vim/vim-python_6.3-02=
>5+1ubuntu2.2_powerpc.deb
>      Size/MD5:   785354 c4e418a1fba8015c2416b662a77a257f
>    http://security.ubuntu.com/ubuntu/pool/universe/v/vim/vim-tcl_6.3-025+1=
>ubuntu2.2_powerpc.deb
>      Size/MD5:   784868 c9f9251376c1cb48552fd8012acbec7c
>    http://security.ubuntu.com/ubuntu/pool/main/v/vim/vim_6.3-025+1ubuntu2.=
>2_powerpc.deb
>      Size/MD5:   754620 c69a3dc15fddab0bad774759dd3ea6ae
>
>--n8g4imXOkfNTN/H1
>Content-Type: application/pgp-signature; name="signature.asc"
>Content-Description: Digital signature
>Content-Disposition: inline
>
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1.2.4 (GNU/Linux)
>
>iD8DBQFB7T/aDecnbV4Fd/IRAuErAJsEN8Ym8mpYVwHnXo5CRhejlevN/gCeLLUk
>U+By5FU00FDUY1mRgjiOpDo=
>=qjy3
>-----END PGP SIGNATURE-----
>
>--n8g4imXOkfNTN/H1--
>
>--Boundary-00=_5527Br9WB89JHab--
>
>
>----- Forwarded message from Andreas Liebschner <fizban@slackware.com> -----
>
>From: Andreas Liebschner <fizban@slackware.com>
>To: vendor-sec@lst.de
>Subject: [vendor-sec] About CAN-2005-0069
>Errors-To: vendor-sec-admin@lst.de
>Date: Wed, 19 Jan 2005 11:40:21 -0800 (PST)
>
>
>Hi vendors,
>
>Speaking about http://secunia.com/advisories/13841/ (CAN-2005-0069).. is
>it me or no one discussed about this yet, here on vendor-sec?
>
>Someone reported me that Ubuntu fixed this issue in their latest vim
>package - since I don't follow their developments I'm not sure on that
>statement - does anyone have already a working and "safe" patch for this
>issue (and only for this)?
>
>We were about to release a new vim package, but since there's this issue
>open (even if it's minor) we thought it was better to wait and see if
>there's a patch around (found nothing on vim.org - unless it's hidden in
>some other patch).
>
>Thanks,
>
>--
>-andreas liebschner
>_______________________________________________
>Vendor Security mailing list
>Vendor Security@lst.de
>https://www.lst.de/cgi-bin/mailman/listinfo/vendor-sec
>
>----- End forwarded message -----
>
>
>----- Forwarded message from Martin Pitt <martin.pitt@canonical.com> -----
>
>From: Martin Pitt <martin.pitt@canonical.com>
>To: vendor-sec@lst.de
>Subject: Re: [vendor-sec] About CAN-2005-0069
>Mail-Followup-To: vendor-sec@lst.de
>User-Agent: Mutt/1.5.6+20040907i
>Errors-To: vendor-sec-admin@lst.de
>Date: Wed, 19 Jan 2005 20:56:17 +0100
>
>Hi!
>
>Andreas Liebschner [2005-01-19 11:40 -0800]:
>> Speaking about http://secunia.com/advisories/13841/ (CAN-2005-0069).. is
>> it me or no one discussed about this yet, here on vendor-sec?
>>
>> Someone reported me that Ubuntu fixed this issue in their latest vim
>> package
>
>Confirmed, I made the update.
>
>> - does anyone have already a working and "safe" patch for this
>> issue (and only for this)?
>
>Attached. It's trivial and only fixes the tempfiles.
>
>Have a nice day!
>
>Martin
>--
>Martin Pitt                       http://www.piware.de
>Ubuntu Developer            http://www.ubuntulinux.org
>Ubuntu Developer            http://www.ubuntulinux.org
>Debian GNU/Linux Developer       http://www.debian.org
>
>diff -urN vim63/runtime/tools/tcltags vim63.new/runtime/tools/tcltags
>--- vim63/runtime/tools/tcltags 1999-08-01 14:01:46.000000000 +0200
>+++ vim63.new/runtime/tools/tcltags     2005-01-18 16:25:24.452393560 +0100
>@@ -8,7 +8,8 @@
> program_version="0.3"
> program_author="Darren Hiebert"
> author_email="darren@hiebert.com"
>-tmp_tagfile=/tmp/${program_name}.$$
>+tmp_tagfile=`mktemp -t tcltagXXXXXX` || exit 1
>+trap "rm -rf $tmp_tagfile" 0 1 2 3 9 11 13 15
>
> usage="\
> Usage: $program_name [-au] [-{f|o} tagfile] [--format=n] file(s)
>diff -urN vim63/runtime/tools/vimspell.sh vim63.new/runtime/tools/vimspell.sh
>--- vim63/runtime/tools/vimspell.sh     1999-08-01 14:01:46.000000000 +0200
>+++ vim63.new/runtime/tools/vimspell.sh 2005-01-18 16:20:40.774519152 +0100
>@@ -13,9 +13,7 @@
> # March 1999
>
> INFILE=$1
>-OUTFILE=/tmp/vimspell.$$
>-# if you have "tempfile", use the following line
>-#OUTFILE=`tempfile`
>+OUTFILE=`mktemp -t vimspellXXXXXX` || exit 1
>
> #
> # local spellings
>
>
>
>
>----- End forwarded message -----
>
>

Actions: View

Attachments on bug 65025: 27784 | 27785