The Vim Text Editor Security Advisories
This project is maintained by rdancer

Arbitrary Code Execution in Commands: K, Control-], g]
Product  : Vim -- Vi IMproved
Versions : >= 3.0 (possibly older), < 7.2.010 (?)
Impact   : Arbitrary code execution
Wherefrom: Local
CVE      : CVE-2008-4101
Original : http://www.rdancer.org/vulnerablevim-K.html
Insufficient sanitization can lead to Vim executing arbitrary commands when performing keyword or tag lookup. Ben Schmidt discovered this vulnerability.
Last updated 2008-09-16

Netrw: FTP User Name and Password Disclosure
Product  : Vim -- Vi IMproved
Versions : Tested with Vim 7.1.266, 7.2, autoload/netrw.vim v131, v109
Impact   : Credentials disclosure
Wherefrom: Remote
Original : http://www.rdancer.org/vulnerablevim-netrw-credentials-dis.html
The Vim Netrw Plugin shares the FTP user name and password across all FTP sessions. Every time Vim makes a new FTP connection, it sends the user name and password of the previous FTP session to the FTP server.
Last updated 2008-08-12

Unfixed Vulnerabilities in Tar Plugin Version 20
Product  : Vim -- Vi IMproved
Version  : Vim >= 7.0 (possibly older), present in 7.2c.002
           autoload/tar.vim >= 9 (possibly older), present in version 20
Impact   : Arbitrary code execution
Wherefrom: Local, remote
CVE      : CVE-2008-2712
Original : http://www.rdancer.org/vulnerablevim-tarplugin-update.html
The Vim Tar Plugin vulnerabilities published in our previous advisories have been addressed, but the changes do not provide a fix for all attack vectors. We analyse the vulnerabilities remaining in ``$VIMRUNTIME/autoload/tar.vim''.
Last updated 2008-08-08

Vim 7.2c.002 Fixes Arbitrary Command Execution when Handling Tar Archives
Product  : Vim -- Vi IMproved
Version  : Vim >= 7.0 (possibly older), fixed in 7.2c.002
           autoload/tar.vim version >= 9 (possibly older)
Impact   : Arbitrary code execution
Wherefrom: Local, remote
Original : http://www.rdancer.org/vulnerablevim-tarplugin.v3.html
Vim update fixes a vulnerability that can lead to potential arbitrary code execution when handling tar archives. The fnameescape() function does not sanitize input properly, which renders code that uses it vulnerable. Patch 7.2c.002 fixes the vulnerability.
Last updated 2008-08-08

Flawed Fix of Arbitrary Code Execution Vulnerability in filetype.vim
Product  : Vim -- Vi IMproved
Version  : Tested with Vim 7.2b.10, filetype.vim 2008-07-17
Impact   : Arbitrary code execution
Wherefrom: Local and remote
CVE      : CVE-2008-2712
Original : http://www.rdancer.org/vulnerablevim-filetype.vim.updated.html
           http://www.rdancer.org/vulnerablevim-filetype.vim.updated.patch
           http://www.rdancer.org/vulnerablevim-latest.tar.bz2
This is an update of a previous advisory. Vim patch 7.1.300 which purported to fix the ``filetype.vim'' vulnerability did not fix the vulnerability.
Last updated 2008-07-23

Insecure Temporary File Creation During Build: Arbitrary Code Execution
Product  : Vim -- Vi IMproved
Versions : >=5.0 (possibly older; 4.6 and 3.0 not vulnerable), <7.2b.014
Impact   : Arbitrary code execution
Wherefrom: Local
Original : http://www.rdancer.org/vulnerablevim-configure.in.html
           http://www.rdancer.org/vulnerablevim-configure.in.patch
Insecure temporary file creation during the build process is vulnerable to symbolic link attacks, and arbitrary code execution. Patch provided.
Update: There is no race condition. All files can be prepared beforehand, facilitating a reliable attack.
Last updated 2008-07-26

Improper Implementation of shellescape()/Arbitrary Code Execution
Product  : Vim -- Vi IMproved
Version  : >= 7.2a.013; < 7.2b.005; tested with 7.2b
Impact   : Arbitrary code execution
Wherefrom: Local, possibly remote
Original : http://www.rdancer.org/vulnerablevim-shellescape.html
           http://www.rdancer.org/vulnerablevim-latest.tar.bz2
Improper implementation of the shellescape() function and lack of documentation can result in untrusted data being insufficiently sanitized, possibly leading to arbitrary code execution.
Last updated 2008-07-17

Arbitrary code execution in Netrw version 127, Vim 7.2b
Product  : Vim -- Vi IMproved, Netrw
Version  : Tested with Vim 7.2b, Netrw 127
Impact   : Arbitrary code execution
Wherefrom: Local, possibly remote
Original : http://www.rdancer.org/vulnerablevim-netrw.v5.html
           http://www.rdancer.org/vulnerablevim-latest.tar.bz2
Lack of sanitization throughout Netrw can lead to arbitrary code execution upon opening a directory with a crafted name.
Last updated 2008-07-16

Arbitrary code execution in Netrw, fully patched Vim 7.2a
Product  : Vim -- Vi IMproved
Version  : Tested with 7.2a.10
Impact   : Arbitrary code execution
Wherefrom: Local, possibly remote
Original : http://www.rdancer.org/vulnerablevim-netrw.v2.html
Lack of sanitization can lead to arbitrary code execution.
Last updated 2008-07-16

Collection of Vulnerabilities in Fully Patched Vim 7.1
Product  : Vim -- Vi IMproved
Version  : Tested with 7.1.298 and 6.4; 7.2a.10 still partly vulnerable
Impact   : Arbitrary code execution
Wherefrom: Local and remote
Original : http://www.rdancer.org/vulnerablevim.html
Improper quoting in some parts of Vim written in the Vim Script can lead to arbitrary code execution upon opening a crafted file.
Last updated 2008-07-16