Re: vim modeline vulnerability
Hi Thomas,
I have already, now many weeks ago, submitted a fixed vim package to the
Security Team. When they are ready (have reviewed, have time, etc),
they will make a DSA. I've asked them if there's anything else I can do
for them, with no reply. I suspect that they are occupied with other
security bugs.
Yours,
Luca
On Mon, Mar 10, 2003 at 08:18:21PM +0100, Thomas Krennwallner wrote:
> Hi!
>
> According to http://www.guninski.com/vim1.html vim is vulnerable in
> woody and sarge (I tried it myself on both).
>
> ChangeLog of vim (1:6.1-266+1) in sid says:
>
> + 6.1.265: libcall() can be used in 'foldexpr' to call any system
> function. rename(), delete() and remote_send() can also be
> used in 'foldexpr'. These are security problems.
>
> Will there be a security update of vim in woody?
>
> Last discussion of this bug was in Jan 2003:
> http://lists.debian.org/debian-security/2003/debian-security-200301/msg00153.html
>
> so long
> Thomas
>
> --
> ___ Obviously we do not want to leave zombies around.
> _/___\ - W. Richard Stevens
> ( ^ > Thomas Krennwallner <djmaecki at ull dot at>
> / \ 1024D/67A1DA7B 9484 D99D 2E1E 4E02 5446 DAD9 FF58 4E59 67A1 DA7B
> (__\/_)_ http://bigfish.ull.at/~djmaecki/
--
Luca Filipozzi
"Linux gives us the power to crush those that oppose us." - switchlinux
gpgkey 5A827A2D - A149 97BD 188C 7F29 779E 09C1 3573 32C4 5A82 7A2D