On Sat, Aug 23, 2008 at 8:59 AM, Bram Moolenaar <[EMAIL PROTECTED]> wrote:
>
>
> John Becket wrote:
>
>> Tony Mechelynck wrote:
>> > Maybe you should set a config-time option (or create one) to
>> > avoid any interaction with the shell?
>> >
>> > Even better: If you don't want ever to become the victim of
>> > any exploit, turn your computer off at the wall switch and
>> > leave it off.
>> >
>> > :-b
>>
>> I haven't studied this example, but as I understand it, the suggestion is
>> that I could send you a file with a message like "What's the deal with this
>> weird message that Vim gives? Open file xxx and search for yyy then press K."
>>
>> Jan is saying (I think) that following those instructions could execute
>> malware.
>>
>> Sure, it will never happen to me or you, but if we were discussing Microsoft
>> Word, most people would have no hesitation in declaring that such a
>> vulnerability (press a key in a document to get owned) is just NOT acceptable.
>>
>> We aren't talking about mapping K to execute "system('dodgyfile')". K is
>> performing its default function, but that function could exploit you if
>> executed on certain text, with a certain file present.
>>
>> If my understanding is correct, I don't think it's reasonable to write this
>> off with the "switch power off" joke (if I've got this wrong, please correct me).
>
> It's more like the "execute this attachment to see a movie of xyz nude".  Or
> the signature virus:

Please!  It's an editor.  What kind of vulnerabilities would you
expect?  You have to open a file, have a reasonable feature set
enabled, and do something.  The real question is, why does the impact
always have to be arbitrary Ex/shell commands execution?  And why are
there so many?

But it's a feature really:  We all know it can take a long time for a
package maintainer to include a patch.  Or perhaps, said package
maintainer thinks our patch sucks.  Perhaps he's even right!  Not to
worry.  With all these vulnerabilities, as long as they're using
Vim, we can have all our patches included _as soon as they view them_.
We can even have the packages built and uploaded at the same time!

Cheers,
Jan.

--~--~---------~--~----~------------~-------~--~----~
You received this message from the "vim_dev" maillist.
For more information, visit http://www.vim.org/maillist.php
-~----------~----~----~----~------~----~------~--~---