Debian Security Advisory

DSA-1733-1 vim -- several vulnerabilities

Date reported:
3 Mar 2009
Affected packages:
vim
Vulnerable:
Yes
Security database references:
In the Debian bug tracking system: Bug 486502, Bug 506919.
In Mitre's CVE dictionary: CVE-2008-2712, CVE-2008-3074, CVE-2008-3075, CVE-2008-3076, CVE-2008-4101.
More information:

Several vulnerabilities have been discovered in vim, an enhanced vi editor. The Common Vulnerabilities and Exposures project has identified the following problems:

  • CVE-2008-2712

    Jan Minar discovered that vim did not properly sanitise input before invoking the execute or system functions from vim scripts. This could lead to the execution of arbitrary code.

  • CVE-2008-3074

    Jan Minar discovered that the tar plugin of vim did not properly sanitise the filenames in the tar archive or the name of the archive itself, which exposed it to the execution of arbitrary code.

  • CVE-2008-3075

    Jan Minar discovered that the zip plugin of vim did not properly sanitise the filenames in the tar archive or the name of the archive itself, which exposed it to the execution of arbitrary code.

  • CVE-2008-3076

    Jan Minar discovered that the netrw plugin of vim did not properly sanitise the file or directory names it receives. This could lead to the execution of arbitrary code.

  • CVE-2008-4101

    Ben Schmidt discovered that vim did not properly escape characters when performing keyword or tag lookups. This could lead to the execution of arbitrary code.

For the oldstable distribution (etch), these problems have been fixed in version 1:7.0-122+1etch5.

For the stable distribution (lenny), these problems have been fixed in version 1:7.1.314-3+lenny1, which is already included in the released lenny.

For the testing distribution (squeeze), these problems have been fixed in version 1:7.1.314-3+lenny1.

For the unstable distribution (sid), these problems have been fixed in version 2:7.2.010-1.

Fixed in:

Debian GNU/Linux 4.0 (etch)

Source:
http://security.debian.org/pool/updates/main/v/vim/vim_7.0.orig.tar.gz
http://security.debian.org/pool/updates/main/v/vim/vim_7.0-122+1etch5.diff.gz
http://security.debian.org/pool/updates/main/v/vim/vim_7.0-122+1etch5.dsc
Architecture-independent component:
http://security.debian.org/pool/updates/main/v/vim/vim-gui-common_7.0-122+1etch5_all.deb
http://security.debian.org/pool/updates/main/v/vim/vim-runtime_7.0-122+1etch5_all.deb
http://security.debian.org/pool/updates/main/v/vim/vim-doc_7.0-122+1etch5_all.deb
Alpha:
http://security.debian.org/pool/updates/main/v/vim/vim-gnome_7.0-122+1etch5_alpha.deb
http://security.debian.org/pool/updates/main/v/vim/vim-full_7.0-122+1etch5_alpha.deb
http://security.debian.org/pool/updates/main/v/vim/vim_7.0-122+1etch5_alpha.deb
http://security.debian.org/pool/updates/main/v/vim/vim-common_7.0-122+1etch5_alpha.deb
http://security.debian.org/pool/updates/main/v/vim/vim-lesstif_7.0-122+1etch5_alpha.deb
http://security.debian.org/pool/updates/main/v/vim/vim-tcl_7.0-122+1etch5_alpha.deb
http://security.debian.org/pool/updates/main/v/vim/vim-python_7.0-122+1etch5_alpha.deb
http://security.debian.org/pool/updates/main/v/vim/vim-tiny_7.0-122+1etch5_alpha.deb
http://security.debian.org/pool/updates/main/v/vim/vim-gtk_7.0-122+1etch5_alpha.deb
http://security.debian.org/pool/updates/main/v/vim/vim-ruby_7.0-122+1etch5_alpha.deb
http://security.debian.org/pool/updates/main/v/vim/vim-perl_7.0-122+1etch5_alpha.deb
AMD64:
http://security.debian.org/pool/updates/main/v/vim/vim-gtk_7.0-122+1etch5_amd64.deb
http://security.debian.org/pool/updates/main/v/vim/vim-python_7.0-122+1etch5_amd64.deb
http://security.debian.org/pool/updates/main/v/vim/vim-tiny_7.0-122+1etch5_amd64.deb
http://security.debian.org/pool/updates/main/v/vim/vim-ruby_7.0-122+1etch5_amd64.deb
http://security.debian.org/pool/updates/main/v/vim/vim-perl_7.0-122+1etch5_amd64.deb
http://security.debian.org/pool/updates/main/v/vim/vim-lesstif_7.0-122+1etch5_amd64.deb
http://security.debian.org/pool/updates/main/v/vim/vim_7.0-122+1etch5_amd64.deb
http://security.debian.org/pool/updates/main/v/vim/vim-gnome_7.0-122+1etch5_amd64.deb
http://security.debian.org/pool/updates/main/v/vim/vim-common_7.0-122+1etch5_amd64.deb
http://security.debian.org/pool/updates/main/v/vim/vim-full_7.0-122+1etch5_amd64.deb
http://security.debian.org/pool/updates/main/v/vim/vim-tcl_7.0-122+1etch5_amd64.deb
ARM:
http://security.debian.org/pool/updates/main/v/vim/vim-gnome_7.0-122+1etch5_arm.deb
http://security.debian.org/pool/updates/main/v/vim/vim-full_7.0-122+1etch5_arm.deb
http://security.debian.org/pool/updates/main/v/vim/vim-common_7.0-122+1etch5_arm.deb
http://security.debian.org/pool/updates/main/v/vim/vim-perl_7.0-122+1etch5_arm.deb
http://security.debian.org/pool/updates/main/v/vim/vim-ruby_7.0-122+1etch5_arm.deb
http://security.debian.org/pool/updates/main/v/vim/vim-lesstif_7.0-122+1etch5_arm.deb
http://security.debian.org/pool/updates/main/v/vim/vim-tiny_7.0-122+1etch5_arm.deb
http://security.debian.org/pool/updates/main/v/vim/vim-python_7.0-122+1etch5_arm.deb
http://security.debian.org/pool/updates/main/v/vim/vim-tcl_7.0-122+1etch5_arm.deb
http://security.debian.org/pool/updates/main/v/vim/vim-gtk_7.0-122+1etch5_arm.deb
http://security.debian.org/pool/updates/main/v/vim/vim_7.0-122+1etch5_arm.deb
Intel IA-32:
http://security.debian.org/pool/updates/main/v/vim/vim-python_7.0-122+1etch5_i386.deb
http://security.debian.org/pool/updates/main/v/vim/vim-common_7.0-122+1etch5_i386.deb
http://security.debian.org/pool/updates/main/v/vim/vim-tiny_7.0-122+1etch5_i386.deb
http://security.debian.org/pool/updates/main/v/vim/vim-full_7.0-122+1etch5_i386.deb
http://security.debian.org/pool/updates/main/v/vim/vim-ruby_7.0-122+1etch5_i386.deb
http://security.debian.org/pool/updates/main/v/vim/vim-gtk_7.0-122+1etch5_i386.deb
http://security.debian.org/pool/updates/main/v/vim/vim-gnome_7.0-122+1etch5_i386.deb
http://security.debian.org/pool/updates/main/v/vim/vim-tcl_7.0-122+1etch5_i386.deb
http://security.debian.org/pool/updates/main/v/vim/vim-lesstif_7.0-122+1etch5_i386.deb
http://security.debian.org/pool/updates/main/v/vim/vim_7.0-122+1etch5_i386.deb
http://security.debian.org/pool/updates/main/v/vim/vim-perl_7.0-122+1etch5_i386.deb
Intel IA-64:
http://security.debian.org/pool/updates/main/v/vim/vim-perl_7.0-122+1etch5_ia64.deb
http://security.debian.org/pool/updates/main/v/vim/vim-lesstif_7.0-122+1etch5_ia64.deb
http://security.debian.org/pool/updates/main/v/vim/vim-gnome_7.0-122+1etch5_ia64.deb
http://security.debian.org/pool/updates/main/v/vim/vim-tcl_7.0-122+1etch5_ia64.deb
http://security.debian.org/pool/updates/main/v/vim/vim-ruby_7.0-122+1etch5_ia64.deb
http://security.debian.org/pool/updates/main/v/vim/vim-gtk_7.0-122+1etch5_ia64.deb
http://security.debian.org/pool/updates/main/v/vim/vim_7.0-122+1etch5_ia64.deb
http://security.debian.org/pool/updates/main/v/vim/vim-full_7.0-122+1etch5_ia64.deb
http://security.debian.org/pool/updates/main/v/vim/vim-tiny_7.0-122+1etch5_ia64.deb
http://security.debian.org/pool/updates/main/v/vim/vim-python_7.0-122+1etch5_ia64.deb
http://security.debian.org/pool/updates/main/v/vim/vim-common_7.0-122+1etch5_ia64.deb
Big-endian MIPS:
http://security.debian.org/pool/updates/main/v/vim/vim-full_7.0-122+1etch5_mips.deb
http://security.debian.org/pool/updates/main/v/vim/vim-gnome_7.0-122+1etch5_mips.deb
http://security.debian.org/pool/updates/main/v/vim/vim-common_7.0-122+1etch5_mips.deb
http://security.debian.org/pool/updates/main/v/vim/vim-lesstif_7.0-122+1etch5_mips.deb
http://security.debian.org/pool/updates/main/v/vim/vim-ruby_7.0-122+1etch5_mips.deb
http://security.debian.org/pool/updates/main/v/vim/vim-perl_7.0-122+1etch5_mips.deb
http://security.debian.org/pool/updates/main/v/vim/vim-tiny_7.0-122+1etch5_mips.deb
http://security.debian.org/pool/updates/main/v/vim/vim-python_7.0-122+1etch5_mips.deb
http://security.debian.org/pool/updates/main/v/vim/vim-tcl_7.0-122+1etch5_mips.deb
http://security.debian.org/pool/updates/main/v/vim/vim-gtk_7.0-122+1etch5_mips.deb
http://security.debian.org/pool/updates/main/v/vim/vim_7.0-122+1etch5_mips.deb
Little-endian MIPS:
http://security.debian.org/pool/updates/main/v/vim/vim_7.0-122+1etch5_mipsel.deb
http://security.debian.org/pool/updates/main/v/vim/vim-python_7.0-122+1etch5_mipsel.deb
http://security.debian.org/pool/updates/main/v/vim/vim-gtk_7.0-122+1etch5_mipsel.deb
http://security.debian.org/pool/updates/main/v/vim/vim-tiny_7.0-122+1etch5_mipsel.deb
http://security.debian.org/pool/updates/main/v/vim/vim-full_7.0-122+1etch5_mipsel.deb
http://security.debian.org/pool/updates/main/v/vim/vim-common_7.0-122+1etch5_mipsel.deb
http://security.debian.org/pool/updates/main/v/vim/vim-perl_7.0-122+1etch5_mipsel.deb
http://security.debian.org/pool/updates/main/v/vim/vim-gnome_7.0-122+1etch5_mipsel.deb
http://security.debian.org/pool/updates/main/v/vim/vim-tcl_7.0-122+1etch5_mipsel.deb
http://security.debian.org/pool/updates/main/v/vim/vim-ruby_7.0-122+1etch5_mipsel.deb
http://security.debian.org/pool/updates/main/v/vim/vim-lesstif_7.0-122+1etch5_mipsel.deb
PowerPC:
http://security.debian.org/pool/updates/main/v/vim/vim-perl_7.0-122+1etch5_powerpc.deb
http://security.debian.org/pool/updates/main/v/vim/vim-full_7.0-122+1etch5_powerpc.deb
http://security.debian.org/pool/updates/main/v/vim/vim-tiny_7.0-122+1etch5_powerpc.deb
http://security.debian.org/pool/updates/main/v/vim/vim-gtk_7.0-122+1etch5_powerpc.deb
http://security.debian.org/pool/updates/main/v/vim/vim_7.0-122+1etch5_powerpc.deb
http://security.debian.org/pool/updates/main/v/vim/vim-python_7.0-122+1etch5_powerpc.deb
http://security.debian.org/pool/updates/main/v/vim/vim-lesstif_7.0-122+1etch5_powerpc.deb
http://security.debian.org/pool/updates/main/v/vim/vim-ruby_7.0-122+1etch5_powerpc.deb
http://security.debian.org/pool/updates/main/v/vim/vim-tcl_7.0-122+1etch5_powerpc.deb
http://security.debian.org/pool/updates/main/v/vim/vim-common_7.0-122+1etch5_powerpc.deb
http://security.debian.org/pool/updates/main/v/vim/vim-gnome_7.0-122+1etch5_powerpc.deb
IBM S/390:
http://security.debian.org/pool/updates/main/v/vim/vim-perl_7.0-122+1etch5_s390.deb
http://security.debian.org/pool/updates/main/v/vim/vim-python_7.0-122+1etch5_s390.deb
http://security.debian.org/pool/updates/main/v/vim/vim-full_7.0-122+1etch5_s390.deb
http://security.debian.org/pool/updates/main/v/vim/vim_7.0-122+1etch5_s390.deb
http://security.debian.org/pool/updates/main/v/vim/vim-lesstif_7.0-122+1etch5_s390.deb
http://security.debian.org/pool/updates/main/v/vim/vim-gnome_7.0-122+1etch5_s390.deb
http://security.debian.org/pool/updates/main/v/vim/vim-tcl_7.0-122+1etch5_s390.deb
http://security.debian.org/pool/updates/main/v/vim/vim-gtk_7.0-122+1etch5_s390.deb
http://security.debian.org/pool/updates/main/v/vim/vim-tiny_7.0-122+1etch5_s390.deb
http://security.debian.org/pool/updates/main/v/vim/vim-common_7.0-122+1etch5_s390.deb
http://security.debian.org/pool/updates/main/v/vim/vim-ruby_7.0-122+1etch5_s390.deb
Sun Sparc:
http://security.debian.org/pool/updates/main/v/vim/vim-tcl_7.0-122+1etch5_sparc.deb
http://security.debian.org/pool/updates/main/v/vim/vim-tiny_7.0-122+1etch5_sparc.deb
http://security.debian.org/pool/updates/main/v/vim/vim-lesstif_7.0-122+1etch5_sparc.deb
http://security.debian.org/pool/updates/main/v/vim/vim-python_7.0-122+1etch5_sparc.deb
http://security.debian.org/pool/updates/main/v/vim/vim-ruby_7.0-122+1etch5_sparc.deb
http://security.debian.org/pool/updates/main/v/vim/vim-perl_7.0-122+1etch5_sparc.deb
http://security.debian.org/pool/updates/main/v/vim/vim-gtk_7.0-122+1etch5_sparc.deb
http://security.debian.org/pool/updates/main/v/vim/vim-common_7.0-122+1etch5_sparc.deb
http://security.debian.org/pool/updates/main/v/vim/vim-gnome_7.0-122+1etch5_sparc.deb
http://security.debian.org/pool/updates/main/v/vim/vim_7.0-122+1etch5_sparc.deb
http://security.debian.org/pool/updates/main/v/vim/vim-full_7.0-122+1etch5_sparc.deb

MD5 checksums of the listed files are available in the original advisory.