Message-ID: <Pine.GSO.4.51.0807312041560.13418@faron.mitre.org>
Date: Thu, 31 Jul 2008 20:44:12 -0400 (EDT)
From: "Steven M. Christey" <coley@...us.mitre.org>
To: Jan Minar <rdancer@...ncer.org>, Tomas Hoger <thoger@...hat.com>
cc: oss-security@...ts.openwall.com, smithj@...ethemallocs.com, coley@...us.mitre.org, Bram Moolenaar <Bram@...lenaar.net>, "Charles E Campbell, Jr" <drchip@...pbellfamily.biz>
Subject: Re: Re: More arbitrary code executions in Netrw version 125, Vim 7.2a.10

All,

My head and shoulders genuinely hurt from trying to figure this out. Sorry for the delay.

I don't think explaining how CVEs work will help in this extremely complex situation.

I have a number of questions, some of which are based on the newest advisories that rdancer released...

- Steve

************************************************************************
************************************************************************
This section is about issues that don't seem to have any major confusion. Please confirm.
************************************************************************
************************************************************************

------------------------------------------------------------
filetype.vim not fixed - inconsistent regular expression usage in substitute()

  http://www.rdancer.org/vulnerablevim-filetype.vim.updated.html

- earlier filetype.vim issue was in CVE-2008-2712.1
- NEEDS NEW CVE

------------------------------------------------------------
heap overflow, demonstrated by netrw.v3

- NEW CVE assigned: CVE-2008-3432
- vim 6.2 and 6.3 (mch_expand_wildcards)
- http://www.openwall.com/lists/oss-security/2008/07/15/4

------------------------------------------------------------
configure.in temp file issue

- ALREADY assigned CVE: CVE-2008-3294 (see web site)
- vim 5.0 through 7.1, maybe earlier, fixed in 7.2b.014
- http://www.rdancer.org/vulnerablevim-configure.in.html

------------------------------------------------------------
netrw.v5 test case

- NEEDS NEW CVE
- http://www.rdancer.org/vulnerablevim-netrw.v5.html
- affected version: Netrw version 127, Vim 7.2b
- affected file: netrw.vim

************************************************************************
************************************************************************
This section is for remaining issues that need clarification.
************************************************************************
************************************************************************

------------------------------------------------------------
shellescape() implementation issue (tar):

- Report TAR-1
  rdancer says "shellescape() does not escape all special items"
  specifically the "!" character
  - http://www.rdancer.org/vulnerablevim-shellescape.html
  - 7.2a.013 and other versions before 7.2b.005
  - mentions tar.vim (tarplugin)
  - test case: tarplugin.v2

- Report TAR-2
  Tomas Hoger says affects 7.0 and 7.1:
  http://www.openwall.com/lists/oss-security/2008/07/15/2

- Report TAR-3
  assignment of CVE-2008-3074 to "tarplugin"
  http://www.openwall.com/lists/oss-security/2008/07/10/7
  - already used by rPath in advisory

- Report TAR-4
  rdancer tar.vim issue
  http://www.rdancer.org/vulnerablevim.html

- Report TAR-5
  rdancer says tar.vim test was omitted from Makefile
  http://www.openwall.com/lists/oss-security/2008/07/13/1

1) Are TAR-1, TAR-2, TAR-3, and TAR-4 all talking about the same issue? If not - which ones are the same?

2) Since tar.vim doesn't affect 6.x, it should stay SPLIT from CVE-2008-2712.

------------------------------------------------------------
zip.vim

- Report ZIP-1
  rdancer says "zip.vim" as well as "zipPlugin.vim"
  - http://www.rdancer.org/vulnerablevim.html
  - Vim 7.1.298 and 6.4
  - *part* of the advisory used CVE-2008-2712, but CVE-2008-2712 didn't include it

- Report ZIP-2
  Tomas Hoger suggests "still unfixed"
  http://www.openwall.com/lists/oss-security/2008/07/10/7
  - CVE-2008-3075 assigned; used by rPath
  - since CVE-2008-2712 issues were fixed and zip.vim remains unfixed, a SPLIT from CVE-2008-2712 is reasonable

- Report ZIP-3
  Tomas Hoger says "only 7.0 and 7.1" affected
  http://www.openwall.com/lists/oss-security/2008/07/15/2

- Report ZIP-4
  rdancer says zip "has not been fixed as of Vim 7.2a.19/zip.vim v19"
  http://www.openwall.com/lists/oss-security/2008/07/13/1

- Report ZIP-5
  CVE-2008-2712 bullet (2) mentions zipplugin based on same advisory as ZIP-1:
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2712

1) Are ZIP-1, ZIP-2, ZIP-3, and ZIP-4 all talking about the same issue?

2) What differences, if any, are there in zip.vim and zipplugin.vim?

3) Given the varying results for TAR-1 through TAR-4, should zip.vim be split from the tar issues? What about zipplugin.vim?

4) It might be reasonable to remove item (2) from CVE-2008-2712.

------------------------------------------------------------
Looking at netrw.v2:

- Report NETRW2-a
  rdancer says "mx" and "mz" in:
  http://www.rdancer.org/vulnerablevim-netrw.html
  NO version information provided in this advisory, but title indicates "Netrw version 125, Vim 7.2a.10"

- Report NETRW2-b
  Tomas Hoger mentions "mz and mc" in:
  http://www.openwall.com/lists/oss-security/2008/07/15/4
  but: mc is probably referring to netrw.v3, so not relevant here
  mz "should only affect 7.2 alpha"

- Report NETRW2-c
  - rdancer says "mf" (section 3.1) and "mz" (section 3.2) in:
    http://www.rdancer.org/vulnerablevim-netrw.v2.html
    but then, rdancer also gives an example for "mx" (3.2.1)
    versions: 7.2a.10, Netrw version 125.

1) What role, if any, does "mf" play (NETRW2-c)? It's listed as a "prerequisite" then nothing else is said. Does it have a vulnerability? Or does the victim need to mark a file before decompressing it?

2) "mx" doesn't use quoting in section 3.2.1 (NETRW2-a), so does it have a vulnerability too?

3) Which combination of mx, mz, and mf is really being covered by the netrw.v2 test case?
------------------------------------------------------------
Looking at netrw.v3:

- Report NETRW3-a
  rdancer says "mc" shellescape issues in:
  http://www.rdancer.org/vulnerablevim-netrw.html
  - missing use of shellescape for "args" variable in mc command

- Report NETRW3-b
  Tomas Hoger mentions "mz and mc" in:
  http://www.openwall.com/lists/oss-security/2008/07/15/4
  but: mz is probably referring to netrw.v2, so not relevant here
  - mc "should only affect 7.2 alpha"

- Report NETRW3-c
  Tomas Hoger says heap overflow (not mentioned in rdancer)
  http://www.openwall.com/lists/oss-security/2008/07/15/4

- Report NETRW3-d
  rdancer says netrw.v3 is "vulnerable" in an advisory about netrw.v5:
  http://www.rdancer.org/vulnerablevim-netrw.v5.html
  version: Vim 7.2b

1) NETRW3-c is clearly different, so CVE-2008-3432 is assigned.

2) Are NETRW3-a and NETRW3-b talking about the same issue?

3) What is the relationship between NETRW3-b and NETRW3-d? The version numbers conflict.

4) Because of item 3, I'm tempted to split netrw.v3.

5) In NETRW3-a, rdancer says there are "many places" but only emphasizes the "args" part
   a) why does the patch only address one issue?
   b) the other quoted examples seem to use shellescape(). Are these vulnerable too?

------------------------------------------------------------
Looking at netrw.v4:

- Report NETRW4-a
  shellescape issues in the "D" command for deleting files
  http://www.rdancer.org/vulnerablevim-netrw.html
  NO version information provided in this advisory, but title indicates "Netrw version 125, Vim 7.2a.10"

- Report NETRW4-b
  Tomas Hoger says netrw.v4 affects 7.0 and 7.1
  http://www.openwall.com/lists/oss-security/2008/07/15/4
  - DOES NOT affect explorer.vim in 6.x

1) Why does NETRW4-a mention "function s:NetrwLocalRmFile()" twice?

2) Why does NETRW4-a point to lots of examples where "shellescape" is used?

3) It appears that NETRW4-b remains unfixed according to NETRW4-a, is that right?

------------------------------------------------------------
Looking at netrw explorer.vim plugin:

- Report EXP-1
  "netrw" test case triggers "similar problem" in explorer.vim:
  http://www.openwall.com/lists/oss-security/2008/07/15/2
  - in vim 6.x

- Report EXP-2
  "netrw.v4" test case does not affect explorer.vim

1) Does this need a separate ID? If not, which does it belong with?