Bug 64092 (CVE-2004-1138)

Summary: VUL-0: CVE-2004-1138: vim modeline weirdness
Product: [Novell Products] SUSE Security Incidents
Reporter: Ludwig Nussel <lnussel>
Component: Incidents
Assignee: Mads Martin Joergensen <mmj>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: security-team
Version: unspecified
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: CVE-2004-1138: CVSS v2 Base Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Ludwig Nussel 2004-12-10 01:07:48 UTC
We received the following report via vendor-sec.
This issue is not fully public yet, please keep any information about it inside SUSE.

Since we have modelines disabled by default a fix in STABLE and a
more verbose explanation in /etc/vimrc is sufficient IMHO.

Date: Thu, 09 Dec 2004 17:57:50 +0100
From: Thierry Carrez <koon@gentoo.org>
To: vendor-sec@lst.de
Cc: security@gentoo.org, ciaranm@gentoo.org
Subject: [vendor-sec] Local privilege escalation fixed in vim patch 6.3.045

Hello everyone,

Ciaran McCreesh, our Gentoo vim maintainer, found and reported upstream
several modeline-related vulnerabilities in vim:

------------------------------------------------------------
It's possible to do some pretty nasty stuff via vim modelines despite
the existing security code.

For example, by passing evil values for a fileformat setting in a
modeline, it's possible to make vim source arbitrary scripts upon
startup. This would hurt on a multiuser system. Here's one way:

User 'fred' creates a file in /home/fred/evil.vim containing lots of
nastiness (for example, "system('echo alias vim=emacs >> ~/.bashrc') |
quit"). He then creates a file in some shared location with a modeline
which does something like "set ft=../../../*fred/evil". User 'joe', who
has ftplugins and modelines enabled, edits this file. This results in a
call of ":runtime!../../../*fred/evil", which (assuming ~/.vim is in
runtimepath) expands to ~/.vim/../../../*fred/evil which matches
/home/fred/evil.vim.
------------------------------------------------------------

Bram Moolenaar provided the following vim patch, that fixes the reported
vulnerabilities and adds more conservative modeline rights:

------------------------------------------------------------
Patch 6.3.045
Problem:   Unusual characters in an option value may cause unexpected
           behavior, especially for a modeline. (Ciaran McCreesh)
Solution:  Don't allow setting termcap options or 'printdevice' or
           'titleold' in a modeline.  Don't list options for "termcap"
           and "all" in a modeline.  Don't allow unusual characters in
           'filetype', 'syntax', 'backupext', 'keymap', 'patchmode' and
           'langmenu'.
Files:     src/option.c, runtime/doc/options.txt
------------------------------------------------------------

This is semi-public, as the vim version is available, but the Changelog
keeps low profile on the security aspect. The Gentoo packages will be
available soon but we'll keep low profile too (withhold GLSA,
low-profile Changelog) if any of you request a coordinated release.
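The following is an added illustration of the option-value check that patch 6.3.045 describes, written here for this page and not taken from vim's src/option.c. It assumes that a plain-name option value may contain only ASCII letters, digits, '.', '-' and '_', and that vim's termcap options are the ones named t_xx; it shows why the "ft=../../../*fred/evil" value from the report is refused while ordinary filetype names pass.

```c
#include <stdio.h>
#include <string.h>

/* Result of checking one "set name=value" taken from a modeline. */
enum { ML_OK = 0, ML_FORBIDDEN_OPTION = 1, ML_BAD_VALUE = 2 };

/* Returns 1 if every character of val is an ASCII letter, digit, or one of
 * the characters listed in extra. This is the shape of the "no unusual
 * characters" check that patch 6.3.045 describes for 'filetype', 'syntax',
 * 'backupext', 'keymap', 'patchmode' and 'langmenu'; the exact allowed set
 * (letters, digits, '.', '-', '_') is an assumption, not vim's own source. */
int valid_name(const char *val, const char *extra)
{
    for (; *val != '\0'; val++) {
        char c = *val;
        int alnum = (c >= '0' && c <= '9') || (c >= 'a' && c <= 'z') ||
                    (c >= 'A' && c <= 'Z');
        if (!alnum && strchr(extra, c) == NULL)
            return 0;   /* '/', '*', '~', spaces, non-ASCII: all rejected */
    }
    return 1;
}

/* Decide whether a modeline may apply "set name=value".
 * - termcap options (named t_xx), 'printdevice'/'pdev' and 'titleold' are
 *   refused outright, as the patch notes say;
 * - 'filetype'/'ft' and 'syntax'/'syn' must be plain names, because the
 *   value is later handed to ":runtime!" to locate the ftplugin, and a
 *   value with path separators or wildcards can escape 'runtimepath'. */
int modeline_check(const char *name, const char *value)
{
    if (strncmp(name, "t_", 2) == 0 || strcmp(name, "printdevice") == 0 ||
        strcmp(name, "pdev") == 0 || strcmp(name, "titleold") == 0)
        return ML_FORBIDDEN_OPTION;
    if (strcmp(name, "filetype") == 0 || strcmp(name, "ft") == 0 ||
        strcmp(name, "syntax") == 0 || strcmp(name, "syn") == 0)
        return valid_name(value, ".-_") ? ML_OK : ML_BAD_VALUE;
    return ML_OK;   /* other options are left to vim's normal modeline rules */
}

int main(void)
{
    /* the value from the report above versus ordinary settings */
    printf("ft=../../../*fred/evil -> %d\n",
           modeline_check("ft", "../../../*fred/evil"));
    printf("ft=c -> %d\n", modeline_check("ft", "c"));
    printf("t_Co=256 -> %d\n", modeline_check("t_Co", "256"));
    return 0;
}
```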
Comment 1 Mads Martin Joergensen 2004-12-13 21:15:42 UTC
I agree with Ludwig that an update shouldn't be necessary for this.
I'm updating in STABLE as we speak.
Comment 2 Ludwig Nussel 2004-12-14 18:53:43 UTC
CAN-2004-1138 
Comment 3 Thomas Biege 2009-10-13 20:03:18 UTC
CVE-2004-1138: CVSS v2 Base Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)