Jan Minar wrote:
> 1. Summary
>
> Product  : Vim -- Vi IMproved
> Versions : 5.0--current, possibly older; 4.6 and 3.0 not vulnerable
> Impact   : Arbitrary code execution
> Wherefrom: Local
> Original : http://www.rdancer.org/vulnerablevim-configure.in.html
>            http://www.rdancer.org/vulnerablevim-configure.in.patch
>
> Insecure temporary file creation during the build process is vulnerable
> to symbolic link attacks, and arbitrary code execution. Patch provided.
>
>
> 2. Background
>
> ``Vim is an almost compatible version of the UNIX editor Vi. Many new
> features have been added: multi-level undo, syntax highlighting, command
> line history, on-line help, spell checking, filename completion, block
> operations, etc.''
>                                                   -- VIM ``README.txt''
>
>
> 3. Vulnerability
>
> During the build process, a temporary file with a predictable name is
> created in the ``/tmp'' directory. This code is run when Vim is being
> built with Python support:
>
> src/configure.in:
>
>          677   dnl -- we need to examine Python's config/Makefile too
>          678   dnl see what the interpreter is built from
>          679   AC_CACHE_VAL(vi_cv_path_python_plibs,
>          680   [
>          681     tmp_mkf="/tmp/Makefile-conf$$"
> (1)-->   682     cat ${PYTHON_CONFDIR}/Makefile - <<'eof' >${tmp_mkf}
>          683   __:
>          684   	@echo "python_MODLIBS='$(MODLIBS)'"
>          685   	@echo "python_LIBS='$(LIBS)'"
>          686   	@echo "python_SYSLIBS='$(SYSLIBS)'"
>          687   	@echo "python_LINKFORSHARED='$(LINKFORSHARED)'"
>          688   eof
>          689     dnl -- delete the lines from make about Entering/Leaving directory
> (2)-->   690     eval "`cd ${PYTHON_CONFDIR} && make -f ${tmp_mkf} __ | sed '/ directory /d'`"
>          691     rm -f ${tmp_mkf}
>
> The attacker has to create the temporary file
> ``/tmp/Makefile-conf<PID>'' before it is first written to at (1). In
> the time between (1) and (2), arbitrary commands can be written to the
> file. They will be executed at (2).
>
>
> 3. Test Case
>
> No test case.
>
>
> 4. Patch
>
> Patch fixing this vulnerability can be found at the following URL:
>
> http://www.rdancer.org/vulnerablevim-configure.in.patch
>
> Please note: The patch fixes ``src/configure.in'', an input file used by
> the ``autoconf'' command. ``autoconf'' uses this input file to create
> ``src/auto/configure''. It is necessary to remove the latter, if
> present, to force its recreation. Otherwise, further build runs will
> still use it, and the vulnerability will still be present.

Use "make autoconf" to run autoconf.

Unfortunately the patch breaks configure for me:

  86: checking Python's configuration directory... /usr/local/lib/python2.5/config
  87: usage: mktemp [-d] [-q] [-t prefix] [-u] template ...
  88:        mktemp [-d] [-q] [-u] -t prefix
  89: Error: Can't create temporary file. Aborting.

The BSD mktemp command requires a template or a "-t prefix" argument.
I don't know how portable it is, but this works for me:

  tmp_mkf="`mktemp /tmp/VcPmkXXXXXXXXXX`"

-- 
Edison's greatest achievement came in 1879, when he invented the
electric company.  Edison's design was a brilliant adaptation of
the simple electrical circuit: the electric company sends
electricity through a wire to a customer, then immediately gets
the electricity back through another wire

 /// Bram Moolenaar -- [EMAIL PROTECTED] -- http://www.Moolenaar.net   \\\
///        sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\        download, build and distribute -- http://www.A-A-P.org        ///
 \\\            help me help AIDS victims -- http://ICCF-Holland.org    ///

You received this message from the "vim_dev" maillist.
For more information, visit http://www.vim.org/maillist.php
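As an added example (not code from the advisory, from Bram's patch, or from the Vim tree), the template-based mktemp call from the reply is wrapped here in a small POSIX sh fragment that also verifies the created file before the build trusts it. The function names, the TMPDIR handling and the ownership/permission checks are assumptions of this example; only the /tmp/VcPmkXXXXXXXXXX template comes from the thread.

```shell
#!/bin/sh
# Added example: safe replacement for tmp_mkf="/tmp/Makefile-conf$$".
# An explicit template is accepted by both BSD and GNU mktemp, so the
# "usage:" failure shown in the reply does not occur.

# Create the temporary Makefile; print its path, return non-zero on failure.
make_tmp_mkf() {
    # TMPDIR is honoured if set (assumption of this example); the template
    # itself is the one from the reply.
    tmp_mkf=`mktemp "${TMPDIR:-/tmp}/VcPmkXXXXXXXXXX"` || return 1
    # mktemp opens the name with O_EXCL and mode 0600, so a file or symlink
    # planted at a guessed name cannot be handed back to us. Re-check anyway
    # so a broken or unexpected mktemp does not go unnoticed.
    if [ -L "$tmp_mkf" ] || [ ! -f "$tmp_mkf" ]; then
        rm -f "$tmp_mkf"
        return 1
    fi
    printf '%s\n' "$tmp_mkf"
}

# Return 0 only if the path is a regular file (not a symlink), owned by the
# current user, and not writable by group or others; otherwise return 1.
tmp_mkf_is_safe() {
    f="$1"
    [ -f "$f" ] || return 1
    [ ! -L "$f" ] || return 1
    # ls -ld prints: mode links owner group ... (portable across BSD/GNU).
    set -- `ls -ld "$f"`
    mode="$1"; owner="$3"
    [ "$owner" = "`id -un`" ] || return 1
    # Mode string such as -rw-------: the group (index 5) and other
    # (index 8) write bits must both be clear.
    case "$mode" in
        ?????w*|????????w*) return 1 ;;
    esac
    return 0
}
```

In the configure fragment, `make_tmp_mkf` would replace the assignment at (1) and the script would abort if either function returns non-zero instead of proceeding to the eval at (2).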
