On 22/08/08 13:37, Jan Minář wrote:
> Hi!
>
> Thanks again to Ben for reporting this.
>
> It's not just the K command. The <C-]> and g] commands are vulnerable
> too. Patch attached.
>
> Attack vectors:
>
> (1) K -- arbitrary shell command execution via additional shell
> commands (insufficient sanitization of a shell command string)
> (the original vulnerability)
>
> (2) K -- arbitrary shell command execution via man(1) command line
> switches (such as ``--pager'' in GNU man -- cf. manpage)
>
> (3) <C-]>, g] -- arbitrary Vim Script command execution via additional
> Ex statements (insufficient escaping of an argument)
>
> (4) Unknown vulnerabilities stemming from using unknown shell, and,
> by extension, an unknown man command
>
> This patch solves (1) and (3), and partially solves (2). Unfortunately,
> the fix for (2) is a hardcoded double-dash (--) inserted between the
> program name and the command line arguments. This will break for man
> commands that do not understand double-dash. A more clever solution is
> needed.
>
> The discussion of (the feasibility of) a fix for (4) has been going on
> for some time. All proposed solutions seem to have irreconcilable
> downsides.
>
> Cheers,
> Jan.
Maybe you should set a config-time option (or create one) to avoid any
interaction with the shell?
Even better: If you don't want ever to become the victim of any exploit,
turn your computer off at the wall switch and leave it off.
:-b
Regards,
Tony.
--
Bore, n.:
A person who talks when you wish him to listen.
-- Ambrose Bierce, "The Devil's Dictionary"
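
The two mitigations the quoted message describes for vectors (1) and (2), single-quoting the keyword for the shell and placing `--` before it, sketched as an added example; this is not the attached patch or Vim's own code. The names `put` and `build_keyword_cmd` and the sample keywords are hypothetical, and the code assumes a POSIX sh and a man command that accepts `--`.

```c
#include <stdio.h>
#include <string.h>

/* Append src to dst; returns -1 instead of writing past cap. */
static int put(char *dst, size_t cap, size_t *len, const char *src)
{
    size_t n = strlen(src);
    if (*len + n + 1 > cap)
        return -1;
    memcpy(dst + *len, src, n + 1);
    *len += n;
    return 0;
}

/*
 * Build "<prog> -- '<kw>'" for a POSIX sh (hypothetical helper).
 * Inside single quotes every byte of kw is literal to the shell; an
 * embedded ' is written as '\'' (close quote, escaped quote, reopen).
 * The "--" stops option parsing, so a keyword that starts with '-' is
 * taken as a page name, but only if the man command understands "--".
 */
int build_keyword_cmd(const char *prog, const char *kw, char *out, size_t cap)
{
    size_t len = 0;
    char one[2] = { 0, 0 };

    if (cap == 0)
        return -1;
    out[0] = '\0';
    if (put(out, cap, &len, prog) || put(out, cap, &len, " -- '"))
        return -1;
    for (; *kw != '\0'; kw++) {
        one[0] = *kw;
        if (put(out, cap, &len, *kw == '\'' ? "'\\''" : one))
            return -1;
    }
    return put(out, cap, &len, "'");
}

int main(void)
{
    /* Constructed sample keywords, as they might sit under the cursor. */
    const char *samples[] = { "printf", "foo;bar", "--pager=x", "it's" };
    char cmd[128];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        if (build_keyword_cmd("man", samples[i], cmd, sizeof cmd) == 0)
            puts(cmd);
    return 0;
}
```

Quoting of this kind is specific to sh-compatible shells, so it does not address vector (4).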