Your message dated Tue, 25 Nov 2008 18:27:50 -0500
with message-id <[EMAIL PROTECTED]>
and subject line Re: Bug#506919: vim: multiple vulnerabilities (CVE-2008-3074,
CVE-2008-3075, and CVE-2008-3076)
has caused the Debian Bug report #506919,
regarding vim: multiple vulnerabilities (CVE-2008-3074, CVE-2008-3075, and
CVE-2008-3076)
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
506919: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=506919
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: vim
Version: 1:7.0.109
Severity: grave
Tags: security
Justification: user security hole
redhat has just released an update that fixes multiple security flaws in
vim [1]. these issues are currently reserved in the CVE tracker, but
redhat describes the problems as:
Multiple security flaws were found in netrw.vim, the Vim plug-in providing
file reading and writing over the network. If a user opened a specially
crafted file or directory with the netrw plug-in, it could result in
arbitrary code execution as the user running Vim. (CVE-2008-3076)
A security flaw was found in zip.vim, the Vim plug-in that handles ZIP
archive browsing. If a user opened a ZIP archive using the zip.vim plug-in,
it could result in arbitrary code execution as the user running Vim.
(CVE-2008-3075)
A security flaw was found in tar.vim, the Vim plug-in which handles TAR
archive browsing. If a user opened a TAR archive using the tar.vim plug-in,
it could result in arbitrary code execution as the user running Vim.
(CVE-2008-3074)
versions affected are unclear from the redhat notice, but the problem at
least applies to vim version 7.0.109, which they have fixed in rhel5.
thanks for working to keep debian secure.
[1] https://rhn.redhat.com/errata/RHSA-2008-0580.html
-- System Information:
Debian Release: lenny/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.26-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages vim depends on:
ii libacl1 2.2.47-2 Access control list shared library
ii libc6 2.7-16 GNU C Library: Shared libraries
ii libgpm2 1.20.4-3 General Purpose Mouse - shared lib
ii libncurses5 5.6+20080830-1 shared libraries for terminal hand
ii libselinux1 2.0.65-5 SELinux shared libraries
ii vim-common 1:7.1.314-3+lenny2 Vi IMproved - Common files
ii vim-runtime 1:7.1.314-3+lenny2 Vi IMproved - Runtime files
vim recommends no packages.
Versions of packages vim suggests:
pn ctags <none> (no description available)
pn vim-doc <none> (no description available)
pn vim-scripts <none> (no description available)
-- no debconf information
--- End Message ---
--- Begin Message ---
tag 506919 fixed 2:7.2.010-1
tag 506919 fixed 1:7.1.314-3+lenny1
thanks
On Tue, Nov 25, 2008 at 05:31:36PM -0500, Michael S. Gilbert wrote:
> redhat has just released an update that fixes multiple security flaws in
> vim [1]. these issues are currently reserved in the CVE tracker, but
> redhat describes the problems as:
>
> Multiple security flaws were found in netrw.vim, the Vim plug-in providing
> file reading and writing over the network. If a user opened a specially
> crafted file or directory with the netrw plug-in, it could result in
> arbitrary code execution as the user running Vim. (CVE-2008-3076)
>
> A security flaw was found in zip.vim, the Vim plug-in that handles ZIP
> archive browsing. If a user opened a ZIP archive using the zip.vim plug-in,
> it could result in arbitrary code execution as the user running Vim.
> (CVE-2008-3075)
>
> A security flaw was found in tar.vim, the Vim plug-in which handles TAR
> archive browsing. If a user opened a TAR archive using the tar.vim plug-in,
> it could result in arbitrary code execution as the user running Vim.
> (CVE-2008-3074)
>
> versions affected are unclear from the redhat notice, but the problem at
> least applies to vim version 7.0.109, which they have fixed in rhel5.
These are basically split out versions of previously released
vulnerabilities. They're fixed in the above mentioned versions.
--
James
GPG Key: 1024D/61326D40 2003-09-02 James Vega <[EMAIL PROTECTED]>
--- End Message ---