Full Disclosure mailing list archives

FLEA-2007-0014-1: vim

From: Foresight Linux Essential Announcement Service <foresight-security-noreply () foresightlinux org>
Date: Mon, 30 Apr 2007 13:11:52 -0400

Foresight Linux Essential Advisory: 2007-0014-1
Published: 2007-04-30

Rating: Minor

Updated Versions:
     gvim=/foresight.rpath.org@fl:1-devel//1/7.0.235-1-1
     vim=/foresight.rpath.org@fl:1-devel//1/7.0.235-1-1
     vim-minimal=/foresight.rpath.org@fl:1-devel//1/7.0.235-1-1
     group-dist=/foresight.rpath.org@fl:1-devel//1/1.2.1-0.3-2

References:
     https://issues.rpath.com/browse/RPL-1320
     http://marc.info/?t=117762599300001&r=1&w=2

Description:
     Previous versions of the vim package allowed two functions, feedkeys() and 
writefile(), to be used in the sandbox. Functions executed via modelines in 
files being edited are verified by the sandbox; a user who is coerced into 
opening a specially-crafted file could cause the system to execute arbitrary 
shell code supplied by the attacker.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

FLEA-2007-0014-1: vim Foresight Linux Essential Announcement Service (Apr 30)