VIM and NVD Vulnerability

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

VIM and NVD Vulnerability

Ramsey, Susanne B.
Greetings;

The National Vulnerability Database (NVD) lists a high vulnerability for VIM 8.0.  https://nvd.nist.gov/vuln/detail/CVE-2017-11109
        Vim 8.0 allows attackers to cause a denial of service or possibly have unspecified other impact via a crafted source (aka -S) file.
     NOTE: there might be a limited number of scenarios in which this has security relevance.


Unfortunately, the info provided in the CVE does not specify if it is only the initial release 8.0 or the subsequent patched versions that are vulnerable.  I have searched the VIM website readme and other documents but can’t find the answer, so I am turning to you.  I appreciate your assistance.  Is the current version still vulnerable to the issue noted above or has this been remediated in the patch updates?

Best regards,
Susanne Ramsey


--
--
You received this message from the "vim_use" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php

---
You received this message because you are subscribed to the Google Groups "vim_use" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|

Re: VIM and NVD Vulnerability

Tim Chase
While I can see value in fixing the invalid-free instance described,
a vimscript can already call out to any shell command it wants.

  $ echo 'Important file, do not delete'! > important_file.txt
  $ echo "call system('touch demo.txt')" > demo.vim
  $ echo "call system('rm important_file.txt')" >> demo.vim
  $ vim -S demo.vim -cq
  $ ls demo.txt important_file.txt
  demo.txt

So I'm not sure there's any *security* issue here that doesn't come
with being able to execute arbitrary commands.

-tim



On 2017-09-28 18:29, Ramsey, Susanne B. wrote:

> Greetings;
>
> The National Vulnerability Database (NVD) lists a high
> vulnerability for VIM 8.0.
> https://nvd.nist.gov/vuln/detail/CVE-2017-11109 Vim 8.0 allows
> attackers to cause a denial of service or possibly have unspecified
> other impact via a crafted source (aka -S) file. NOTE: there might
> be a limited number of scenarios in which this has security
> relevance.
>
>
> Unfortunately, the info provided in the CVE does not specify if it
> is only the initial release 8.0 or the subsequent patched versions
> that are vulnerable.  I have searched the VIM website readme and
> other documents but can’t find the answer, so I am turning to you.
> I appreciate your assistance.  Is the current version still
> vulnerable to the issue noted above or has this been remediated in
> the patch updates?
>
> Best regards,
> Susanne Ramsey
>
>
> --
> --
> You received this message from the "vim_use" maillist.
> Do not top-post! Type your reply below the text you are replying to.
> For more information, visit http://www.vim.org/maillist.php
>
> ---
> You received this message because you are subscribed to the Google
> Groups "vim_use" group. To unsubscribe from this group and stop
> receiving emails from it, send an email to
> [hidden email]. For more options, visit
> https://groups.google.com/d/optout.


--
--
You received this message from the "vim_use" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php

---
You received this message because you are subscribed to the Google Groups "vim_use" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|

Re: VIM and NVD Vulnerability

Christian Brabandt
In reply to this post by Ramsey, Susanne B.

On Do, 28 Sep 2017, Ramsey, Susanne B. wrote:

> Greetings;
>
> The National Vulnerability Database (NVD) lists a high vulnerability for VIM 8.0.  https://nvd.nist.gov/vuln/detail/CVE-2017-11109
> Vim 8.0 allows attackers to cause a denial of service or possibly have unspecified other impact via a crafted source (aka -S) file.
>      NOTE: there might be a limited number of scenarios in which this has security relevance.
>
>
> Unfortunately, the info provided in the CVE does not specify if it is only the initial release 8.0 or the subsequent patched versions that are vulnerable.  I have searched the VIM website readme and other documents but can’t find the answer, so I am turning to you.  I appreciate your assistance.  Is the current version still vulnerable to the issue noted above or has this been remediated in the patch updates?

If I read the debian changelog correctly, this has been fixed:
,----
| * Backport upstream patches to fix CVE-2017-11109  (Closes: #867720)
|     + 8.0.0703: Illegal memory access with empty :doau command
|     + 8.0.0706: Crash when cancelling the cmdline window in Ex mode
|     + 8.0.0707: Freeing wrong memory when manipulating buffers in autocommands
`----

Christian
--
Alles Wichtige lernt man von den Frauen, alles Unwichtige vergißt
man bei ihnen.
                -- Hans Söhnker

--
--
You received this message from the "vim_use" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php

---
You received this message because you are subscribed to the Google Groups "vim_use" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|

Re: VIM and NVD Vulnerability

Bram Moolenaar
In reply to this post by Ramsey, Susanne B.

Susanne Ramsey wrote:

> The National Vulnerability Database (NVD) lists a high vulnerability for VIM 8.0.  https://nvd.nist.gov/vuln/detail/CVE-2017-11109
> Vim 8.0 allows attackers to cause a denial of service or possibly have unspecified other impact via a crafted source (aka -S) file.
>      NOTE: there might be a limited number of scenarios in which this has security relevance.
>
>
> Unfortunately, the info provided in the CVE does not specify if it is
> only the initial release 8.0 or the subsequent patched versions that
> are vulnerable.  I have searched the VIM website readme and other
> documents but can’t find the answer, so I am turning to you.  I
> appreciate your assistance.  Is the current version still vulnerable
> to the issue noted above or has this been remediated in the patch
> updates?

Patch 8.0.0693 fixed the first issue.

Note that it requires the user to install and source a script from
someone else.  This is not really a security issue.  I haven't wasted
time arguing about the reported risks.

--
Your fault: core dumped

 /// Bram Moolenaar -- [hidden email] -- http://www.Moolenaar.net   \\\
///        sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\  an exciting new programming language -- http://www.Zimbu.org        ///
 \\\            help me help AIDS victims -- http://ICCF-Holland.org    ///

--
--
You received this message from the "vim_use" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php

---
You received this message because you are subscribed to the Google Groups "vim_use" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
For more options, visit https://groups.google.com/d/optout.