Friday, September 29, 2017

Re: VIM and NVD Vulnerability

While I can see value in fixing the invalid-free instance described,
a vimscript can already call out to any shell command it wants.

$ echo 'Important file, do not delete'! > important_file.txt
$ echo "call system('touch demo.txt')" > demo.vim
$ echo "call system('rm important_file.txt')" >> demo.vim
$ vim -S demo.vim -cq
$ ls demo.txt important_file.txt
demo.txt

So I'm not sure there's any *security* issue here that doesn't come
with being able to execute arbitrary commands.

-tim



On 2017-09-28 18:29, Ramsey, Susanne B. wrote:
> Greetings;
>
> The National Vulnerability Database (NVD) lists a high
> vulnerability for VIM 8.0.
> https://nvd.nist.gov/vuln/detail/CVE-2017-11109 Vim 8.0 allows
> attackers to cause a denial of service or possibly have unspecified
> other impact via a crafted source (aka -S) file. NOTE: there might
> be a limited number of scenarios in which this has security
> relevance.
>
>
> Unfortunately, the info provided in the CVE does not specify if it
> is only the initial release 8.0 or the subsequent patched versions
> that are vulnerable. I have searched the VIM website readme and
> other documents but can't find the answer, so I am turning to you.
> I appreciate your assistance. Is the current version still
> vulnerable to the issue noted above or has this been remediated in
> the patch updates?
>
> Best regards,
> Susanne Ramsey
>
>
> --
> --
> You received this message from the "vim_use" maillist.
> Do not top-post! Type your reply below the text you are replying to.
> For more information, visit http://www.vim.org/maillist.php
>
> ---
> You received this message because you are subscribed to the Google
> Groups "vim_use" group. To unsubscribe from this group and stop
> receiving emails from it, send an email to
> vim_use+unsubscribe@googlegroups.com. For more options, visit
> https://groups.google.com/d/optout.


--
--
You received this message from the "vim_use" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php

---
You received this message because you are subscribed to the Google Groups "vim_use" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vim_use+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)