__________________________________________________________

The U.S. Department of Energy
Computer Incident Advisory Capability
__________________________________________________________

INFORMATION BULLETIN

VIM Modeline Vulnerability
[Red Hat Security Advisory RHSA-2005:010-05]

January 5, 2005 18:00 GMT                                         Number P-090
[REVISED 19 Jan 2005]
[REVISED 22 Feb 2005]
______________________________________________________________________________
PROBLEM:       A modeline vulnerability was discovered in VIM, (Vi IMproved),
               an updated and improved version of the vi screen-based editor.
PLATFORM:      Red Hat Desktop (v. 3 and v. 4)
               Red Hat Enterprise Linux AS, ES, WS (v. 2.1, v.3, and v.4)
               Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor
               SGI ProPack 3 Service Pack 3 for SGI Altix family of systems
DAMAGE:        An attacker may create a specially crafted modeline which could
               cause arbitrary command execution when viewed by a victim. Note
               that this issue only affects users who have modelines and
               filetype plugins enabled, and they are not enabled by default.
SOLUTION:      Apply the available updated packages.
______________________________________________________________________________
VULNERABILITY  The risk is LOW. An attacker may execute arbitrary code with
ASSESSMENT:    privileges of the victim.
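
The exposure condition stated under DAMAGE (modelines and filetype plugins both enabled) can be checked per vimrc. The script below is an added example, not part of the CIAC or Red Hat text; the function name and the sample vimrc are constructed for illustration, and it assumes both features start disabled, as the bulletin says of the defaults.

```shell
#!/bin/sh
# Added example, not from the advisory: report whether a vimrc enables BOTH
# features the bulletin names as the exposure condition.
# Assumptions: 'modeline' and filetype plugins start off (the bulletin says
# neither is enabled by default); 'modelines' starts at Vim's default of 5.
vim_modeline_exposure() {
    awk '
    BEGIN { ml = 0; mls = 5; det = 0; plug = 0 }
    { sub(/^[ \t]+/, ""); n = split($0, w, /[ \t]+/) }
    w[1] == "set" || w[1] == "se" {
        for (i = 2; i <= n; i++) {
            if (w[i] ~ /^"/) break                   # trailing vimrc comment
            if (w[i] == "modeline" || w[i] == "ml") ml = 1
            else if (w[i] == "nomodeline" || w[i] == "noml") ml = 0
            else if (w[i] ~ /^(modelines|mls)=/) {   # 0 means scan no lines
                split(w[i], kv, "="); mls = kv[2] + 0
            }
        }
    }
    w[1] == "filetype" || w[1] == "filet" {
        has_plugin = 0; has_indent = 0; state = ""
        for (i = 2; i <= n; i++) {
            if (w[i] ~ /^"/) break
            if (w[i] == "plugin") has_plugin = 1
            if (w[i] == "indent") has_indent = 1
            if (w[i] == "on" || w[i] == "off") state = w[i]
        }
        # ":filetype plugin on" also switches detection on; a bare
        # ":filetype off" stops detection, so no plugin gets loaded.
        if (state == "on") { det = 1; if (has_plugin) plug = 1 }
        if (state == "off" && has_plugin) plug = 0
        if (state == "off" && !has_plugin && !has_indent) det = 0
    }
    END {
        verdict = (ml && mls > 0 && det && plug) ? "exposed" : "not-exposed"
        print verdict
    }
    ' "$1"
}

# Constructed sample vimrc, for demonstration only.
demo_rc=$(mktemp)
printf '%s\n' '" sample vimrc' 'filetype plugin indent on' \
    'set modeline' > "$demo_rc"
echo "sample vimrc: $(vim_modeline_exposure "$demo_rc")"
rm -f "$demo_rc"
```

The verdict covers configuration only; it does not check whether the installed vim package already carries the fix.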
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/p-090.shtml
 ORIGINAL BULLETIN:  https://rhn.redhat.com/errata/RHSA-2005-010.html
 ADDITIONAL LINK:    SGI Security Update #22, Advisory Number 20050102-01-U
                     ftp://patches.sgi.com/support/free/security/advisories/20050102-01-U.asc
                     Red Hat Security Advisory RHSA-2005:306
                     https://rhn.redhat.com/errata/RHSA-2005-036.html
 CVE/CAN:            http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1138
______________________________________________________________________________
REVISION HISTORY:
01/19/2005 - added link to SGI Security Update #22, advisory number
             20050102-01-U that provides updates for SGI ProPack 3 Service
             Pack 3 for SGI Altix family of systems.
02/22/2005 - added link to Red Hat Security Advisory RHSA-2005:306 that
             provides updated packages for Red Hat version 4.

[***** Start Red Hat Security Advisory RHSA-2005:010-05 *****]

Updated VIM packages fix security vulnerability

Advisory:           RHSA-2005:010-05
Last updated on:    2005-01-05
Affected Products:  Red Hat Desktop (v. 3)
                    Red Hat Enterprise Linux AS (v. 2.1)
                    Red Hat Enterprise Linux AS (v. 3)
                    Red Hat Enterprise Linux ES (v. 2.1)
                    Red Hat Enterprise Linux ES (v. 3)
                    Red Hat Enterprise Linux WS (v. 2.1)
                    Red Hat Enterprise Linux WS (v. 3)
                    Red Hat Linux Advanced Workstation 2.1 for the Itanium
                    Processor
CVEs (cve.mitre.org): CAN-2004-1138

Security Advisory

Details:

Updated vim packages that fix a modeline vulnerability are now available.

VIM (Vi IMproved) is an updated and improved version of the vi screen-based
editor.

Ciaran McCreesh discovered a modeline vulnerability in VIM. It is possible
that a malicious user could create a file containing a specially crafted
modeline which could cause arbitrary command execution when viewed by a
victim. Please note that this issue only affects users who have modelines
and filetype plugins enabled, which is not the default.

The Common Vulnerabilities and Exposures project has assigned the name
CAN-2004-1138 to this issue.

All users of VIM are advised to upgrade to these erratum packages, which
contain a backported patch for this issue.

Solution

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied. Use Red Hat Network to download
and update your packages.
To launch the Red Hat Update Agent, use the following command:

    up2date

For information on how to install packages manually, refer to the following
Web page for the System Administration or Customization guide specific to
your system:

http://www.redhat.com/docs/manuals/enterprise/

Bugs fixed: (see bugzilla for more information)

142444 - CAN-2004-1138 vim arbitrary command execution vulnerability

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1138
--------------------------------------------------------------------------------
The listed packages are GPG signed by Red Hat, Inc. for security. Our key is
available at:
http://www.redhat.com/solutions/security/news/publickey/#key

You can verify each package and see who signed it with the following command:

    rpm --checksig -v filename

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:

    md5sum filename

The Red Hat security contact is security@redhat.com. More contact details at
http://www.redhat.com/solutions/security/news/contact.html

[***** End Red Hat Security Advisory RHSA-2005:010-05 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Red Hat for the information
contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:

    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring
by the United States Government or the University of California. The views
and opinions of authors expressed herein do not necessarily state or reflect
those of the United States Government or the University of California, and
shall not be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

P-080: "lsvpd" Untrusted Path Vulnerability
P-081: Linux Kernel Vulnerabilities
P-082: 'tiff' Insufficient Input Validation
P-083: Netscape Directory Server on HP-UX LDAP Vulnerability
P-084: TikiWiki Vulnerability
P-085: HP-UX SAM Local Privilege Increase
P-086: Perl Insecure Temporary Files/Directories
P-087: Buffer Overflow in xpdf
P-088: Buffer Overflow in PDF Processing part of CUPS
P-089: Buffer Overflow in 'nasm'