Message-ID: <20080805164229.7291780b@redhat.com>
Date: Tue, 5 Aug 2008 16:42:29 +0200
From: Tomas Hoger <thoger@...hat.com>
To: oss-security@...ts.openwall.com
Cc: coley@...us.mitre.org, Jan Minar <rdancer@...ncer.org>, smithj@...ethemallocs.com, Bram Moolenaar <Bram@...lenaar.net>, "Charles E Campbell, Jr" <drchip@...pbellfamily.biz>
Subject: Re: Re: More arbitrary code executions in Netrw version 125, Vim 7.2a.10

Hi Steven!

I'll try to answer some of the questions where I can...

On Thu, 31 Jul 2008 20:44:12 -0400 (EDT)
"Steven M. Christey" <coley@...us.mitre.org> wrote:

> heap overflow, demonstrated by netrw.v3
>
> - NEW CVE assigned: CVE-2008-3432
>
> - vim 6.2 and 6.3 (mch_expand_wildcards)
>
> - http://www.openwall.com/lists/oss-security/2008/07/15/4

I guess you can safely use 6.2.429 - 6.3.059 here, as it was identified which change introduced and which resolved the problem.

> tar.vim
>
> - Report TAR-3
>
> assignment of CVE-2008-3074 to "tarplugin"
>
> http://www.openwall.com/lists/oss-security/2008/07/10/7
>
> - already used by rPath in advisory

Was it? There are very few public references of this id found by google. rPath link goes to their issue tracker:
https://issues.rpath.com/browse/RPL-2651

> zip.vim
>
> - Report ZIP-1
>
> rdancer says "zip.vim" as well as "zipPlugin.vim"

  " zip.vim: Handles browsing zipfiles
  "          AUTOLOAD PORTION

  " zipPlugin.vim: Handles browsing zipfiles
  "          PLUGIN PORTION

zipPlugin.vim only seems to be an interface to functionality implemented in zip.vim. Actual issues should be in zip.vim, but the terms are likely used as synonyms in the advisory.

> - Vim 7.1.298 and 6.4

vim-6.4.tar.bz2 does not contain zip.vim, and it is not added by subsequent 6.4 patches (ftp://ftp.vim.org/pub/vim/patches/6.4/). I guess this should be 7.0+, just like the tar.vim issues.

> - Report ZIP-2
>
> Tomas Hoger suggests "still unfixed"
>
> http://www.openwall.com/lists/oss-security/2008/07/10/7

That comment was based on Jan's advisory vulnerablevim-netrw.html, which was updated to cover the current state of the upstream fixes, and was still listing tar and zip as vulnerable.

> - CVE-2008-3075 assigned; used by rPath
>
> - since CVE-2008-2712 issues were fixed and zip.vim remains
> unfixed, a SPLIT from CVE-2008-2712 is reasonable

Similar to CVE-2008-3074 above.

> - Report ZIP-3
>
> Tomas Hoger says "only 7.0 and 7.1" affected

In the context of GA versions, without additional patches. I'm not sure what the current status is wrt 7.1 official patches. 7.0 should be the first affected; all 7.0.x should be affected.

> 3) Given the varying results for TAR-1 through TAR-4, should zip.vim
> be split from the tar issues? What about zipplugin.vim?

Given http://www.openwall.com/lists/oss-security/2008/07/08/12 , they are currently split.

> 4) It might be reasonable to remove item (2) from CVE-2008-2712.

Probably yes, based on first affected versions.

> Looking at netrw.v2:
>
> - Report NETRW2-a
>
> rdancer says "mx" and "mz" in:
> http://www.rdancer.org/vulnerablevim-netrw.html
>
> NO version information provided in this advisory, but title
> indicates "Netrw version 125, Vim 7.2a.10"
>
> - Report NETRW2-b
>
> Tomas Hoger mentions "mz and mc" in:
> http://www.openwall.com/lists/oss-security/2008/07/15/4
>
> but: mc is probably referring to netrw.v3, so not relevant
> here
>
> mz "should only affect 7.2 alpha"

Actually, the advisory is:

1. Compression and Decompression (The ``mz'' Command)
   (which mentions mx and mz; the context of mx is a bit unclear)
   netrw.v2 demonstrates the mz flaw.

2. Copying Files (The ``mc'' Command)
   demonstrated by netrw.v3

All 3 commands - mx, mz and mc - are only recognized by the netrw version bundled with 7.2 alpha. These issues did not affect 7.1.x and previous.

> 1) What role, if any, does "mf" play (NETRW2-c)? It's listed as a
> "prerequisite" then nothing else is said. Does it have a
> vulnerability? Or does the victim need to mark a file before
> decompressing it?

mf is used in netrw.v[23] to mark files, before compress / copy is run on them.

> 3) Which combination of mx, mz, and mf is really being covered by
> the netrw.v2 test case?

mf mz is the command sequence executed.

> Looking at netrw.v3:
>
> 1) NETRW3-c is clearly different, so CVE-2008-3432 is assigned.

It was not the purpose of netrw.v3 to demonstrate this; it just accidentally uncovered this issue. Taking into account which versions are affected by this, I guess it's quite unlikely this affects anyone but us at this point in time.

> 2) Are NETRW3-a and NETRW3-b talking about the same issue?

Probably not. -a talks about mx and mz, but demonstrates mz. -b is about mc. Should be different issues.

> Looking at netrw explorer.vim plugin:
>
> - Report EXP-1
>
> "netrw" test case triggers "similar problem" in explorer.vim:
>
> http://www.openwall.com/lists/oss-security/2008/07/15/2
>
> - in vim 6.x
>
> - Report EXP-2
>
> "netrw.v4" test case does not affect explorer.vim
>
>
> 1) Does this need a separate ID? If not, which does it belong with?

Given that it affects different plugins, a separate id seems to make sense wrt the rules for how CVE ids are usually assigned.

-- 
Tomas Hoger / Red Hat Security Response Team