Michael S. Gilbert
2008-Nov-25 22:31 UTC
[Secure-testing-team] Bug#506919: vim: multiple vulnerabilities (CVE-2008-3074, CVE-2008-3075, and CVE-2008-3076)
Package: vim
Version: 1:7.0.109
Severity: grave
Tags: security
Justification: user security hole

redhat has just released an update that fixes multiple security flaws in vim [1]. these issues are currently reserved in the CVE tracker, but redhat describes the problems as:

Multiple security flaws were found in netrw.vim, the Vim plug-in providing file reading and writing over the network. If a user opened a specially crafted file or directory with the netrw plug-in, it could result in arbitrary code execution as the user running Vim. (CVE-2008-3076)

A security flaw was found in zip.vim, the Vim plug-in that handles ZIP archive browsing. If a user opened a ZIP archive using the zip.vim plug-in, it could result in arbitrary code execution as the user running Vim. (CVE-2008-3075)

A security flaw was found in tar.vim, the Vim plug-in which handles TAR archive browsing. If a user opened a TAR archive using the tar.vim plug-in, it could result in arbitrary code execution as the user running Vim. (CVE-2008-3074)

versions affected are unclear from the redhat notice, but the problem at least applies to vim version 7.0.109, which they have fixed in rhel5.

thanks for working to keep debian secure.

[1] https://rhn.redhat.com/errata/RHSA-2008-0580.html

-- System Information:
Debian Release: lenny/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.26-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages vim depends on:
ii  libacl1       2.2.47-2            Access control list shared library
ii  libc6         2.7-16              GNU C Library: Shared libraries
ii  libgpm2       1.20.4-3            General Purpose Mouse - shared lib
ii  libncurses5   5.6+20080830-1      shared libraries for terminal hand
ii  libselinux1   2.0.65-5            SELinux shared libraries
ii  vim-common    1:7.1.314-3+lenny2  Vi IMproved - Common files
ii  vim-runtime   1:7.1.314-3+lenny2  Vi IMproved - Runtime files

vim recommends no packages.

Versions of packages vim suggests:
pn  ctags         <none>              (no description available)
pn  vim-doc       <none>              (no description available)
pn  vim-scripts   <none>              (no description available)

-- no debconf information