Jan Minar wrote:
> Thanks again to Ben for reporting this.
>
> It's not just the K command. The <C-]> and g] commands are vulnerable
> too. Patch attached.
>
> Attack vectors:
>
> (1) K -- arbitrary shell command execution via additional shell
> commands (insufficient sanitization of a shell command string)
> (the original vulnerability)
>
> (2) K -- arbitrary shell command execution via man(1) command line
> switches (such as ``--pager'' in GNU man -- cf. manpage)
>
> (3) <C-]>, g] -- arbitrary Vim Script command execution via additional
> Ex statements (insufficient escaping of an argument)
>
> (4) Unknown vulnerabilities stemming from using unknown shell, and,
> by extension, an unknown man command
>
> This patch solves (1) and (3), and partially solves (2). Unfortunately,
> the fix for (2) is a hardcoded double-dash (--) inserted between the
> program name and the command line arguments. This will break for man
> commands that do not understand double-dash. A more clever solution is
> needed.
>
> The discussion of (the feasibility of) a fix for (4) has been going on
> for some time. All proposed solutions seem to have irreconcilable
> downsides.
Thanks. I'll have a good look at it later. One thing I noticed: you
don't need to give an error message for running out of memory at this
level, it's already done at a lower level in alloc(). That also
avoids having the message fill up your screen.
--
Sometimes you can protect millions of dollars in your budget simply by buying
a bag of cookies, dropping it on the budget analyst's desk, and saying
something deeply personal such as "How was your weekend, big guy?"
(Scott Adams - The Dilbert principle)
/// Bram Moolenaar -- [EMAIL PROTECTED] -- http://www.Moolenaar.net \\\
/// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\ download, build and distribute -- http://www.A-A-P.org ///
\\\ help me help AIDS victims -- http://ICCF-Holland.org ///
--~--~---------~--~----~------------~-------~--~----~
You received this message from the "vim_dev" maillist.
For more information, visit http://www.vim.org/maillist.php
-~----------~----~----~----~------~----~------~--~---
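To make the three fixed vectors concrete, here is an added Python illustration (not Vim's code and not Jan's patch) of how the K command's shell string and the `<C-]>`/`g]` Ex line can be built from the word under the cursor, and what quoting plus a `--` separator changes. The function names, the `:tag` escaping rule and the sample keywords are assumptions for this example.

```python
import shlex

# Added example, not Vim's own code. Models how the K command's shell string
# and the <C-]> / g] Ex command line are built from the keyword under the
# cursor, and what the mitigations discussed in the thread achieve.

def man_command_unsafe(keyword: str, keywordprg: str = "man") -> str:
    # Vectors (1) and (2): the keyword is spliced into the shell string as-is,
    # so shell metacharacters and a leading '-' switch both reach the shell
    # and man(1) uninterpreted.
    return f"{keywordprg} {keyword}"

def man_command_hardened(keyword: str, keywordprg: str = "man") -> str:
    # Vector (1): quote the keyword so the shell passes it as one literal word.
    # Vector (2): '--' after the program name ends option parsing, so a keyword
    # such as '--pager' is looked up as a page instead of obeyed as a switch.
    # As the thread notes, this only helps for man implementations that
    # understand '--'.
    return f"{keywordprg} -- {shlex.quote(keyword)}"

def argv_of(command: str) -> list:
    # POSIX word-splitting of the command string, to inspect what the shell
    # would hand to the program without executing anything.
    return shlex.split(command)

def ex_tag_command(keyword: str) -> str:
    # Vector (3): in an Ex command line '|' separates statements, so an
    # unescaped tag name could carry additional Ex commands. Backslash-escape
    # '|' and '\' (assumed minimal escaping for :tag, not necessarily what
    # the patch does).
    escaped = keyword.replace("\\", "\\\\").replace("|", "\\|")
    return f"tag {escaped}"

if __name__ == "__main__":
    # Constructed sample keywords: a normal word, a man(1) switch, and a
    # word carrying a shell statement separator.
    for kw in ["printf", "--pager", "foo; echo extra"]:
        print(argv_of(man_command_unsafe(kw)), "->",
              argv_of(man_command_hardened(kw)))
    print(ex_tag_command("main|echo extra"))
```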