CVE-2007-2953 - Remote Format String vulnerability in VIM Development Group VIM 7.0/7.1/7.1.38
- Attack vector: NETWORK
- Attack complexity: MEDIUM
- Privileges required: NONE
- Confidentiality impact: PARTIAL
- Integrity impact: PARTIAL
- Availability impact: PARTIAL

Summary
Format string vulnerability in the helptags_one function in src/ex_cmds.c in Vim 6.4 and earlier, and 7.x up to 7.1, allows user-assisted remote attackers to execute arbitrary code via format string specifiers in a help-tags tag in a help file, related to the helptags command.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 4 |
Nessus
- NASL family: Scientific Linux Local Security Checks
- NASL id: SL_20081125_VIM_ON_SL3_X.NASL
- description: Several input sanitization flaws were found in Vim
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 60500
- published: 2012-08-01
- reporter: This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/60500
- title: Scientific Linux Security Update : vim on SL3.x, SL4.x, SL5.x i386/x86_64
- code:

```
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text is (C) Scientific Linux.
#

include("compat.inc");

if (description)
{
  script_id(60500);
  script_version("1.6");
  script_cvs_date("Date: 2019/10/25 13:36:18");

  script_cve_id("CVE-2007-2953", "CVE-2008-2712", "CVE-2008-3074", "CVE-2008-3075", "CVE-2008-3076", "CVE-2008-3432", "CVE-2008-4101");

  script_name(english:"Scientific Linux Security Update : vim on SL3.x, SL4.x, SL5.x i386/x86_64");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote Scientific Linux host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Several input sanitization flaws were found in Vim's keyword and tag handling. If Vim looked up a document's maliciously crafted tag or keyword, it was possible to execute arbitrary code as the user running Vim. (CVE-2008-4101)

SL3 and SL4 Only: A heap-based overflow flaw was discovered in Vim's expansion of file name patterns with shell wildcards. An attacker could create a specially crafted file or directory name that, when opened by Vim, caused the application to crash or, possibly, execute arbitrary code. (CVE-2008-3432)

SL5 Only: Multiple security flaws were found in netrw.vim, the Vim plug-in providing file reading and writing over the network. If a user opened a specially crafted file or directory with the netrw plug-in, it could result in arbitrary code execution as the user running Vim. (CVE-2008-3076)

SL5 Only: A security flaw was found in zip.vim, the Vim plug-in that handles ZIP archive browsing. If a user opened a ZIP archive using the zip.vim plug-in, it could result in arbitrary code execution as the user running Vim. (CVE-2008-3075)

SL5 Only: A security flaw was found in tar.vim, the Vim plug-in which handles TAR archive browsing. If a user opened a TAR archive using the tar.vim plug-in, it could result in arbitrary code execution as the user runnin Vim. (CVE-2008-3074)

Several input sanitization flaws were found in various Vim system functions. If a user opened a specially crafted file, it was possible to execute arbitrary code as the user running Vim. (CVE-2008-2712)

Ulf Härnhammar, of Secunia Research, discovered a format string flaw in Vim's help tag processor. If a user was tricked into executing the 'helptags' command on malicious data, arbitrary code could be executed with the permissions of the user running Vim. (CVE-2007-2953)"
  );
  # https://listserv.fnal.gov/scripts/wa.exe?A2=ind0811&L=scientific-linux-errata&T=0&P=1936
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?7ee91c3b"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_cwe_id(20, 78, 94, 119);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"x-cpe:/o:fermilab:scientific_linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2008/11/25");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/08/01");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Scientific Linux Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Scientific Linux " >!< release) audit(AUDIT_HOST_NOT, "running Scientific Linux");
if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Scientific Linux", cpu);

flag = 0;
if (rpm_check(release:"SL3", reference:"vim-X11-6.3.046-0.30E.11")) flag++;
if (rpm_check(release:"SL3", reference:"vim-common-6.3.046-0.30E.11")) flag++;
if (rpm_check(release:"SL3", reference:"vim-enhanced-6.3.046-0.30E.11")) flag++;
if (rpm_check(release:"SL3", reference:"vim-minimal-6.3.046-0.30E.11")) flag++;

if (rpm_check(release:"SL4", reference:"vim-X11-6.3.046-1.el4_7.5z")) flag++;
if (rpm_check(release:"SL4", reference:"vim-common-6.3.046-1.el4_7.5z")) flag++;
if (rpm_check(release:"SL4", reference:"vim-enhanced-6.3.046-1.el4_7.5z")) flag++;
if (rpm_check(release:"SL4", reference:"vim-minimal-6.3.046-1.el4_7.5z")) flag++;

if (rpm_check(release:"SL5", reference:"vim-X11-7.0.109-4.el5_2.4z")) flag++;
if (rpm_check(release:"SL5", reference:"vim-common-7.0.109-4.el5_2.4z")) flag++;
if (rpm_check(release:"SL5", reference:"vim-enhanced-7.0.109-4.el5_2.4z")) flag++;
if (rpm_check(release:"SL5", reference:"vim-minimal-7.0.109-4.el5_2.4z")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
```
- NASL family: SuSE Local Security Checks
- NASL id: SUSE9_11722.NASL
- description: This update of Vim addresses a format-string bug in
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 41148
- published: 2009-09-24
- reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/41148
- title: SuSE9 Security Update : vim and gvim (YOU Patch Number 11722)
- code:

```
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The text description of this plugin is (C) Novell, Inc.
#

include("compat.inc");

if (description)
{
  script_id(41148);
  script_version("1.6");
  script_cvs_date("Date: 2019/10/25 13:36:29");

  script_cve_id("CVE-2007-2953");

  script_name(english:"SuSE9 Security Update : vim and gvim (YOU Patch Number 11722)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote SuSE 9 host is missing a security-related patch."
  );
  script_set_attribute(
    attribute:"description",
    value:
"This update of Vim addresses a format-string bug in 'helptags'. This bug can be exploited to execute code with the privileges of the user running Vim. (CVE-2007-2953)"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2007-2953.html"
  );
  script_set_attribute(attribute:"solution", value:"Apply YOU patch number 11722.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:suse:suse_linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2007/08/22");
  script_set_attribute(attribute:"plugin_publication_date", value:"2009/09/24");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");

  exit(0);
}

include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) exit(0, "Local checks are not enabled.");
if (!get_kb_item("Host/SuSE/release")) exit(0, "The host is not running SuSE.");
if (!get_kb_item("Host/SuSE/rpm-list")) exit(1, "Could not obtain the list of installed packages.");

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) exit(1, "Failed to determine the architecture type.");
if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") exit(1, "Local checks for SuSE 9 on the '"+cpu+"' architecture have not been implemented.");

flag = 0;
if (rpm_check(release:"SUSE9", reference:"gvim-6.2-235.4")) flag++;
if (rpm_check(release:"SUSE9", reference:"vim-6.2-235.4")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else exit(0, "The host is not affected.");
```
- NASL family: FreeBSD Local Security Checks
- NASL id: FREEBSD_PKG_1ED032223C6511DCB3D30016179B2DD5.NASL
- description: A Secunia Advisory reports : A format string error in the
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 25802
- published: 2007-07-30
- reporter: This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/25802
- title: FreeBSD : vim -- Command Format String Vulnerability (1ed03222-3c65-11dc-b3d3-0016179b2dd5)
- code:

```
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from the FreeBSD VuXML database :
#
# Copyright 2003-2018 Jacques Vidrine and contributors
#
# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
# HTML, PDF, PostScript, RTF and so forth) with or without modification,
# are permitted provided that the following conditions are met:
# 1. Redistributions of source code (VuXML) must retain the above
# copyright notice, this list of conditions and the following
# disclaimer as the first lines of this file unmodified.
# 2. Redistributions in compiled form (transformed to other DTDs,
# published online in any format, converted to PDF, PostScript,
# RTF and other formats) must reproduce the above copyright
# notice, this list of conditions and the following disclaimer
# in the documentation and/or other materials provided with the
# distribution.
#
# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#

include("compat.inc");

if (description)
{
  script_id(25802);
  script_version("1.13");
  script_cvs_date("Date: 2019/08/02 13:32:38");

  script_cve_id("CVE-2007-2953");
  script_xref(name:"Secunia", value:"25941");

  script_name(english:"FreeBSD : vim -- Command Format String Vulnerability (1ed03222-3c65-11dc-b3d3-0016179b2dd5)");
  script_summary(english:"Checks for updated packages in pkg_info output");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote FreeBSD host is missing one or more security-related updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"A Secunia Advisory reports :

A format string error in the 'helptags_one()' function in src/ex_cmds.c when running the 'helptags' command can be exploited to execute arbitrary code via specially crafted help files."
  );
  # https://vuxml.freebsd.org/freebsd/1ed03222-3c65-11dc-b3d3-0016179b2dd5.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?168fc9f9"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:vim");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:vim-console");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:vim-lite");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:vim-ruby");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:vim6");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:vim6-ruby");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");

  script_set_attribute(attribute:"vuln_publication_date", value:"2007/07/27");
  script_set_attribute(attribute:"patch_publication_date", value:"2007/07/27");
  script_set_attribute(attribute:"plugin_publication_date", value:"2007/07/30");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"FreeBSD Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");

  exit(0);
}

include("audit.inc");
include("freebsd_package.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);

flag = 0;

if (pkg_test(save_report:TRUE, pkg:"vim<7.1.39")) flag++;
if (pkg_test(save_report:TRUE, pkg:"vim-console<7.1.39")) flag++;
if (pkg_test(save_report:TRUE, pkg:"vim-lite<7.1.39")) flag++;
if (pkg_test(save_report:TRUE, pkg:"vim-ruby<7.1.39")) flag++;
if (pkg_test(save_report:TRUE, pkg:"vim6<7.1.39")) flag++;
if (pkg_test(save_report:TRUE, pkg:"vim6-ruby<7.1.39")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());
  else security_warning(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
```
- NASL family: Mandriva Local Security Checks
- NASL id: MANDRIVA_MDVSA-2008-236.NASL
- description: Several vulnerabilities were found in the vim editor : A number of input sanitization flaws were found in various vim system functions. If a user were to open a specially crafted file, it would be possible to execute arbitrary code as the user running vim (CVE-2008-2712). Ulf Härnhammar of Secunia Research found a format string flaw in vim
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 36821
- published: 2009-04-23
- reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/36821
- title: Mandriva Linux Security Advisory : vim (MDVSA-2008:236-1)
- code:

```
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Mandriva Linux Security Advisory MDVSA-2008:236.
# The text itself is copyright (C) Mandriva S.A.
#

include("compat.inc");

if (description)
{
  script_id(36821);
  script_version ("1.15");
  script_cvs_date("Date: 2019/08/02 13:32:50");

  script_cve_id("CVE-2007-2953", "CVE-2008-2712", "CVE-2008-2953", "CVE-2008-3074", "CVE-2008-3075", "CVE-2008-3076", "CVE-2008-4101", "CVE-2008-4677");
  script_bugtraq_id(25095);
  script_xref(name:"MDVSA", value:"2008:236-1");

  script_name(english:"Mandriva Linux Security Advisory : vim (MDVSA-2008:236-1)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote Mandriva Linux host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Several vulnerabilities were found in the vim editor :

A number of input sanitization flaws were found in various vim system functions. If a user were to open a specially crafted file, it would be possible to execute arbitrary code as the user running vim (CVE-2008-2712).

Ulf Härnhammar of Secunia Research found a format string flaw in vim's help tags processor. If a user were tricked into executing the helptags command on malicious data, it could result in the execution of arbitrary code as the user running vim (CVE-2008-2953).

A flaw was found in how tar.vim handled TAR archive browsing. If a user were to open a special TAR archive using the plugin, it could result in the execution of arbitrary code as the user running vim (CVE-2008-3074).

A flaw was found in how zip.vim handled ZIP archive browsing. If a user were to open a special ZIP archive using the plugin, it could result in the execution of arbitrary code as the user running vim (CVE-2008-3075).

A number of security flaws were found in netrw.vim, the vim plugin that provides the ability to read and write files over the network. If a user opened a specially crafted file or directory with the netrw plugin, it could result in the execution of arbitrary code as the user running vim (CVE-2008-3076).

A number of input validation flaws were found in vim's keyword and tag handling. If vim looked up a document's maliciously crafted tag or keyword, it was possible to execute arbitary code as the user running vim (CVE-2008-4101).

A vulnerability was found in certain versions of netrw.vim where it would send FTP credentials stored for an FTP session to subsequent FTP sessions to servers on different hosts, exposing FTP credentials to remote hosts (CVE-2008-4677).

This update provides vim 7.2 (patchlevel 65) which corrects all of these issues and introduces a number of new features and bug fixes.

Update :

The previous vim update incorrectly introduced a requirement on libruby and also conflicted with a file from the git-core package (in contribs). These issues have been corrected with these updated packages."
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(20, 78, 94, 255);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:vim-X11");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:vim-common");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:vim-enhanced");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:vim-minimal");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2008.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2008.1");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2009.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2008/12/08");
  script_set_attribute(attribute:"plugin_publication_date", value:"2009/04/23");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.");
  script_family(english:"Mandriva Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);

flag = 0;
if (rpm_check(release:"MDK2008.0", reference:"vim-X11-7.2.065-9.3mdv2008.0", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2008.0", reference:"vim-common-7.2.065-9.3mdv2008.0", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2008.0", reference:"vim-enhanced-7.2.065-9.3mdv2008.0", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2008.0", reference:"vim-minimal-7.2.065-9.3mdv2008.0", yank:"mdv")) flag++;

if (rpm_check(release:"MDK2008.1", reference:"vim-X11-7.2.065-9.3mdv2008.1", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2008.1", reference:"vim-common-7.2.065-9.3mdv2008.1", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2008.1", reference:"vim-enhanced-7.2.065-9.3mdv2008.1", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2008.1", reference:"vim-minimal-7.2.065-9.3mdv2008.1", yank:"mdv")) flag++;

if (rpm_check(release:"MDK2009.0", reference:"vim-X11-7.2.065-9.3mdv2009.0", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2009.0", reference:"vim-common-7.2.065-9.3mdv2009.0", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2009.0", reference:"vim-enhanced-7.2.065-9.3mdv2009.0", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2009.0", reference:"vim-minimal-7.2.065-9.3mdv2009.0", yank:"mdv")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
```
- NASL family: Oracle Linux Local Security Checks
- NASL id: ORACLELINUX_ELSA-2008-0617.NASL
- description: From Red Hat Security Advisory 2008:0617 : Updated vim packages that fix various security issues are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Vim (Visual editor IMproved) is an updated and improved version of the vi editor. Several input sanitization flaws were found in Vim
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 67732
- published: 2013-07-12
- reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/67732
- title: Oracle Linux 3 / 4 : vim (ELSA-2008-0617)
- code:

```
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory RHSA-2008:0617 and
# Oracle Linux Security Advisory ELSA-2008-0617 respectively.
#

include("compat.inc");

if (description)
{
  script_id(67732);
  script_version("1.12");
  script_cvs_date("Date: 2019/10/25 13:36:07");

  script_cve_id("CVE-2007-2953", "CVE-2008-2712", "CVE-2008-3432", "CVE-2008-4101");
  script_xref(name:"RHSA", value:"2008:0617");

  script_name(english:"Oracle Linux 3 / 4 : vim (ELSA-2008-0617)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Oracle Linux host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"From Red Hat Security Advisory 2008:0617 :

Updated vim packages that fix various security issues are now available for Red Hat Enterprise Linux 3 and 4.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

Vim (Visual editor IMproved) is an updated and improved version of the vi editor.

Several input sanitization flaws were found in Vim's keyword and tag handling. If Vim looked up a document's maliciously crafted tag or keyword, it was possible to execute arbitrary code as the user running Vim. (CVE-2008-4101)

A heap-based overflow flaw was discovered in Vim's expansion of file name patterns with shell wildcards. An attacker could create a specially crafted file or directory name that, when opened by Vim, caused the application to crash or, possibly, execute arbitrary code. (CVE-2008-3432)

Several input sanitization flaws were found in various Vim system functions. If a user opened a specially crafted file, it was possible to execute arbitrary code as the user running Vim. (CVE-2008-2712)

Ulf Harnhammar, of Secunia Research, discovered a format string flaw in Vim's help tag processor. If a user was tricked into executing the 'helptags' command on malicious data, arbitrary code could be executed with the permissions of the user running Vim. (CVE-2007-2953)

All Vim users are advised to upgrade to these updated packages, which contain backported patches to correct these issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://oss.oracle.com/pipermail/el-errata/2008-November/000814.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://oss.oracle.com/pipermail/el-errata/2008-November/000815.html"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected vim packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_cwe_id(20, 119);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:vim-X11");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:vim-common");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:vim-enhanced");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:vim-minimal");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:3");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:4");

  script_set_attribute(attribute:"vuln_publication_date", value:"2007/07/31");
  script_set_attribute(attribute:"patch_publication_date", value:"2008/11/25");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/07/12");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Oracle Linux Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
os_ver = os_ver[1];
if (! preg(pattern:"^(3|4)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 3 / 4", "Oracle Linux " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && "ia64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);

flag = 0;
if (rpm_check(release:"EL3", cpu:"i386", reference:"vim-X11-6.3.046-0.30E.11")) flag++;
if (rpm_check(release:"EL3", cpu:"x86_64", reference:"vim-X11-6.3.046-0.30E.11")) flag++;
if (rpm_check(release:"EL3", cpu:"i386", reference:"vim-common-6.3.046-0.30E.11")) flag++;
if (rpm_check(release:"EL3", cpu:"x86_64", reference:"vim-common-6.3.046-0.30E.11")) flag++;
if (rpm_check(release:"EL3", cpu:"i386", reference:"vim-enhanced-6.3.046-0.30E.11")) flag++;
if (rpm_check(release:"EL3", cpu:"x86_64", reference:"vim-enhanced-6.3.046-0.30E.11")) flag++;
if (rpm_check(release:"EL3", cpu:"i386", reference:"vim-minimal-6.3.046-0.30E.11")) flag++;
if (rpm_check(release:"EL3", cpu:"x86_64", reference:"vim-minimal-6.3.046-0.30E.11")) flag++;

if (rpm_check(release:"EL4", reference:"vim-X11-6.3.046-1.el4_7.5z")) flag++;
if (rpm_check(release:"EL4", reference:"vim-common-6.3.046-1.el4_7.5z")) flag++;
if (rpm_check(release:"EL4", reference:"vim-enhanced-6.3.046-1.el4_7.5z")) flag++;
if (rpm_check(release:"EL4", reference:"vim-minimal-6.3.046-1.el4_7.5z")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "vim-X11 / vim-common / vim-enhanced / vim-minimal");
}
```
- NASL family: VMware ESX Local Security Checks
- NASL id: VMWARE_VMSA-2009-0004.NASL
- description: a. Updated OpenSSL package for the Service Console fixes a security issue. OpenSSL 0.9.7a-33.24 and earlier does not properly check the return value from the EVP_VerifyFinal function, which could allow a remote attacker to bypass validation of the certificate chain via a malformed SSL/TLS signature for DSA and ECDSA keys. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2008-5077 to this issue. b. Update bind package for the Service Console fixes a security issue. A flaw was discovered in the way Berkeley Internet Name Domain (BIND) checked the return value of the OpenSSL DSA_do_verify function. On systems using DNSSEC, a malicious zone could present a malformed DSA certificate and bypass proper certificate validation, allowing spoofing attacks. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2009-0025 to this issue. c. Updated vim package for the Service Console addresses several security issues. Several input flaws were found in Visual editor IMproved
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 40389
- published: 2009-07-27
- reporter: This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/40389
- title: VMSA-2009-0004 : ESX Service Console updates for openssl, bind, and vim
- code:

```
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from VMware Security Advisory 2009-0004.
# The text itself is copyright (C) VMware Inc.
#

include("compat.inc");

if (description)
{
  script_id(40389);
  script_version("1.28");
  script_cvs_date("Date: 2018/08/06 14:03:16");

  script_cve_id("CVE-2007-2953", "CVE-2008-2712", "CVE-2008-3432", "CVE-2008-4101", "CVE-2008-5077", "CVE-2009-0021", "CVE-2009-0025", "CVE-2009-0046", "CVE-2009-0047", "CVE-2009-0048", "CVE-2009-0049", "CVE-2009-0050", "CVE-2009-0051", "CVE-2009-0124", "CVE-2009-0125", "CVE-2009-0127", "CVE-2009-0128", "CVE-2009-0130");
  script_bugtraq_id(25095, 33150, 33151);
  script_xref(name:"VMSA", value:"2009-0004");

  script_name(english:"VMSA-2009-0004 : ESX Service Console updates for openssl, bind, and vim");
  script_summary(english:"Checks esxupdate output for the patches");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote VMware ESX host is missing one or more security-related patches."
  );
  script_set_attribute(
    attribute:"description",
    value:
"a. Updated OpenSSL package for the Service Console fixes a security issue.

OpenSSL 0.9.7a-33.24 and earlier does not properly check the return value from the EVP_VerifyFinal function, which could allow a remote attacker to bypass validation of the certificate chain via a malformed SSL/TLS signature for DSA and ECDSA keys.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2008-5077 to this issue.

b. Update bind package for the Service Console fixes a security issue.

A flaw was discovered in the way Berkeley Internet Name Domain (BIND) checked the return value of the OpenSSL DSA_do_verify function. On systems using DNSSEC, a malicious zone could present a malformed DSA certificate and bypass proper certificate validation, allowing spoofing attacks.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2009-0025 to this issue.

c. Updated vim package for the Service Console addresses several security issues.

Several input flaws were found in Visual editor IMproved's (Vim) keyword and tag handling. If Vim looked up a document's maliciously crafted tag or keyword, it was possible to execute arbitrary code as the user running Vim.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2008-4101 to this issue.

A heap-based overflow flaw was discovered in Vim's expansion of file name patterns with shell wildcards. An attacker could create a specially crafted file or directory name, when opened by Vim causes the application to stop responding or execute arbitrary code.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2008-3432 to this issue.

Several input flaws were found in various Vim system functions. If a user opened a specially crafted file, it was possible to execute arbitrary code as the user running Vim.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2008-2712 to this issue.

A format string flaw was discovered in Vim's help tag processor. If a user was tricked into executing the 'helptags' command on malicious data, arbitrary code could be executed with the permissions of the user running VIM.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2007-2953 to this issue."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://lists.vmware.com/pipermail/security-announce/2010/000077.html"
  );
  script_set_attribute(attribute:"solution", value:"Apply the missing patches.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_cwe_id(20, 119, 287);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx:2.5.5");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx:3.0.2");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx:3.0.3");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx:3.5");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx:4.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2009/03/31");
  script_set_attribute(attribute:"plugin_publication_date", value:"2009/07/27");
  script_set_attribute(attribute:"vuln_publication_date", value:"2007/07/27");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.");
  script_family(english:"VMware ESX Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/VMware/release", "Host/VMware/version");
  script_require_ports("Host/VMware/esxupdate", "Host/VMware/esxcli_software_vibs");

  exit(0);
}

include("audit.inc");
include("vmware_esx_packages.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/VMware/release")) audit(AUDIT_OS_NOT, "VMware ESX / ESXi");
if (
  !get_kb_item("Host/VMware/esxcli_software_vibs") &&
  !get_kb_item("Host/VMware/esxupdate")
) audit(AUDIT_PACKAGE_LIST_MISSING);
```
init_esx_check(date:"2009-03-31"); flag = 0; if (esx_check(ver:"ESX 2.5.5", patch:"13")) flag++; if (esx_check(ver:"ESX 3.0.2", patch:"ESX-1008406")) flag++; if (esx_check(ver:"ESX 3.0.2", patch:"ESX-1008408")) flag++; if (esx_check(ver:"ESX 3.0.2", patch:"ESX-1008409")) flag++; if ( esx_check( ver : "ESX 3.0.3", patch : "ESX303-200903403-SG", patch_updates : make_list("ESX303-Rollup01", "ESX303-Update01") ) ) flag++; if ( esx_check( ver : "ESX 3.0.3", patch : "ESX303-200903405-SG", patch_updates : make_list("ESX303-Rollup01", "ESX303-Update01") ) ) flag++; if ( esx_check( ver : "ESX 3.0.3", patch : "ESX303-200903406-SG", patch_updates : make_list("ESX303-Rollup01", "ESX303-Update01") ) ) flag++; if ( esx_check( ver : "ESX 3.5.0", patch : "ESX350-200904406-SG", patch_updates : make_list("ESX350-Update05", "ESX350-Update05a") ) ) flag++; if ( esx_check( ver : "ESX 3.5.0", patch : "ESX350-200904407-SG", patch_updates : make_list("ESX350-201002404-SG", "ESX350-Update05", "ESX350-Update05a") ) ) flag++; if ( esx_check( ver : "ESX 3.5.0", patch : "ESX350-200904408-SG", patch_updates : make_list("ESX350-201012401-SG", "ESX350-Update05", "ESX350-Update05a") ) ) flag++; if ( esx_check( ver : "ESX 4.0", patch : "ESX400-200912402-SG", patch_updates : make_list("ESX400-Update02", "ESX400-Update03", "ESX400-Update04") ) ) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:esx_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
NASL family | Mandriva Local Security Checks |
NASL id | MANDRAKE_MDKSA-2007-168.NASL |
description | A format string vulnerability in the helptags support in vim allows user-assisted remote attackers to execute arbitrary code via format string specifiers in a help-tags tag in a help file. Updated packages have been patched to prevent this issue. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 25945 |
published | 2007-08-28 |
reporter | This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/25945 |
title | Mandrake Linux Security Advisory : vim (MDKSA-2007:168) |
code |

```
#%NASL_MIN_LEVEL 80502

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Mandrake Linux Security Advisory MDKSA-2007:168.
# The text itself is copyright (C) Mandriva S.A.
#

include("compat.inc");

if (description)
{
  script_id(25945);
  script_version ("1.16");
  script_cvs_date("Date: 2019/08/02 13:32:49");

  script_cve_id("CVE-2007-2953");
  script_bugtraq_id(25095);
  script_xref(name:"MDKSA", value:"2007:168");

  script_name(english:"Mandrake Linux Security Advisory : vim (MDKSA-2007:168)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote Mandrake Linux host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"A format string vulnerability in the helptags support in vim allows user-assisted remote attackers to execute arbitrary code via format string specifiers in a help-tags tag in a help file.

Updated packages have been patched to prevent this issue."
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:vim-X11");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:vim-common");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:vim-enhanced");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:vim-minimal");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2007");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2007.1");

  script_set_attribute(attribute:"patch_publication_date", value:"2007/08/21");
  script_set_attribute(attribute:"plugin_publication_date", value:"2007/08/28");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.");
  script_family(english:"Mandriva Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);


flag = 0;
if (rpm_check(release:"MDK2007.0", reference:"vim-X11-7.0-16.2mdv2007.0", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2007.0", reference:"vim-common-7.0-16.2mdv2007.0", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2007.0", reference:"vim-enhanced-7.0-16.2mdv2007.0", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2007.0", reference:"vim-minimal-7.0-16.2mdv2007.0", yank:"mdv")) flag++;

if (rpm_check(release:"MDK2007.1", reference:"vim-X11-7.0-16.2mdv2007.1", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2007.1", reference:"vim-common-7.0-16.2mdv2007.1", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2007.1", reference:"vim-enhanced-7.0-16.2mdv2007.1", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2007.1", reference:"vim-minimal-7.0-16.2mdv2007.1", yank:"mdv")) flag++;


if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
```

NASL family | Ubuntu Local Security Checks |
NASL id | UBUNTU_USN-505-1.NASL |
description | Ulf Harnhammar discovered that vim does not properly sanitise the |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 28109 |
published | 2007-11-10 |
reporter | Ubuntu Security Notice (C) 2007-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/28109 |
title | Ubuntu 6.06 LTS / 6.10 / 7.04 : vim vulnerability (USN-505-1) |

NASL family | Red Hat Local Security Checks |
NASL id | REDHAT-RHSA-2008-0580.NASL |
description | Updated vim packages that fix security issues are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Vim (Visual editor IMproved) is an updated and improved version of the vi editor. Several input sanitization flaws were found in Vim |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 34953 |
published | 2008-11-25 |
reporter | This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/34953 |
title | RHEL 5 : vim (RHSA-2008:0580) |

NASL family | SuSE Local Security Checks |
NASL id | SUSE_GVIM-4095.NASL |
description | This update of Vim addresses a format-string bug in |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 29456 |
published | 2007-12-13 |
reporter | This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/29456 |
title | SuSE 10 Security Update : vim and gvim (ZYPP Patch Number 4095) |

NASL family | CentOS Local Security Checks |
NASL id | CENTOS_RHSA-2008-0617.NASL |
description | Updated vim packages that fix various security issues are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Vim (Visual editor IMproved) is an updated and improved version of the vi editor. Several input sanitization flaws were found in Vim |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 37794 |
published | 2009-04-23 |
reporter | This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/37794 |
title | CentOS 3 / 4 : vim (CESA-2008:0617) |

NASL family | Debian Local Security Checks |
NASL id | DEBIAN_DSA-1364.NASL |
description | Several vulnerabilities have been discovered in the vim editor. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2007-2953 Ulf Harnhammar discovered that a format string flaw in helptags_one() from src/ex_cmds.c (triggered through the |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 25964 |
published | 2007-09-03 |
reporter | This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/25964 |
title | Debian DSA-1364-2 : vim - several vulnerabilities |

NASL family | SuSE Local Security Checks |
NASL id | SUSE_GVIM-4092.NASL |
description | This update of Vim addresses a format-string bug in |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 27258 |
published | 2007-10-17 |
reporter | This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/27258 |
title | openSUSE 10 Security Update : gvim (gvim-4092) |

NASL family | CentOS Local Security Checks |
NASL id | CENTOS_RHSA-2008-0580.NASL |
description | Updated vim packages that fix security issues are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Vim (Visual editor IMproved) is an updated and improved version of the vi editor. Several input sanitization flaws were found in Vim |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 43697 |
published | 2010-01-06 |
reporter | This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/43697 |
title | CentOS 5 : vim (CESA-2008:0580) |

NASL family | Misc. |
NASL id | VMWARE_VMSA-2009-0004_REMOTE.NASL |
description | The remote VMware ESX host is missing a security-related patch. It is, therefore, affected by multiple vulnerabilities : - A format string flaw exists in the Vim help tag processor in the helptags_one() function that allows a remote attacker to execute arbitrary code by tricking a user into executing the |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 89112 |
published | 2016-03-03 |
reporter | This script is Copyright (C) 2016-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/89112 |
title | VMware ESX Multiple Vulnerabilities (VMSA-2009-0004) (remote check) |

NASL family | Red Hat Local Security Checks |
NASL id | REDHAT-RHSA-2008-0617.NASL |
description | Updated vim packages that fix various security issues are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Vim (Visual editor IMproved) is an updated and improved version of the vi editor. Several input sanitization flaws were found in Vim |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 34954 |
published | 2008-11-25 |
reporter | This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/34954 |
title | RHEL 3 / 4 : vim (RHSA-2008:0617) |

NASL family | Oracle Linux Local Security Checks |
NASL id | ORACLELINUX_ELSA-2008-0580.NASL |
description | From Red Hat Security Advisory 2008:0580 : Updated vim packages that fix security issues are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Vim (Visual editor IMproved) is an updated and improved version of the vi editor. Several input sanitization flaws were found in Vim |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 67722 |
published | 2013-07-12 |
reporter | This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/67722 |
title | Oracle Linux 5 : vim (ELSA-2008-0580) |

Oval
accepted | 2013-04-29T04:14:40.356-04:00 |
class | vulnerability |
contributors |

name | organization |
---|---|
Aharon Chernin | SCAP.com, LLC |
Dragos Prisaca | G2, Inc. |

definition_extensions |

comment | oval |
---|---|
The operating system installed on the system is Red Hat Enterprise Linux 3 | oval:org.mitre.oval:def:11782 |
CentOS Linux 3.x | oval:org.mitre.oval:def:16651 |
The operating system installed on the system is Red Hat Enterprise Linux 4 | oval:org.mitre.oval:def:11831 |
CentOS Linux 4.x | oval:org.mitre.oval:def:16636 |
Oracle Linux 4.x | oval:org.mitre.oval:def:15990 |
The operating system installed on the system is Red Hat Enterprise Linux 5 | oval:org.mitre.oval:def:11414 |
The operating system installed on the system is CentOS Linux 5.x | oval:org.mitre.oval:def:15802 |
Oracle Linux 5.x | oval:org.mitre.oval:def:15459 |

description | Format string vulnerability in the helptags_one function in src/ex_cmds.c in Vim 6.4 and earlier, and 7.x up to 7.1, allows user-assisted remote attackers to execute arbitrary code via format string specifiers in a help-tags tag in a help file, related to the helptags command. |
family | unix |
id | oval:org.mitre.oval:def:11549 |
status | accepted |
submitted | 2010-07-09T03:56:16-04:00 |
title | Format string vulnerability in the helptags_one function in src/ex_cmds.c in Vim 6.4 and earlier, and 7.x up to 7.1, allows user-assisted remote attackers to execute arbitrary code via format string specifiers in a help-tags tag in a help file, related to the helptags command. |
version | 27 |

accepted | 2009-11-30T04:00:45.365-05:00 |
class | vulnerability |
contributors |

name | organization |
---|---|
Michael Wood | Hewlett-Packard |
Michael Wood | Hewlett-Packard |

definition_extensions |

comment | oval |
---|---|
VMWare ESX Server 3.0.3 is installed | oval:org.mitre.oval:def:6026 |
VMWare ESX Server 3.0.2 is installed | oval:org.mitre.oval:def:5613 |
VMware ESX Server 3.5.0 is installed | oval:org.mitre.oval:def:5887 |

description | Format string vulnerability in the helptags_one function in src/ex_cmds.c in Vim 6.4 and earlier, and 7.x up to 7.1, allows user-assisted remote attackers to execute arbitrary code via format string specifiers in a help-tags tag in a help file, related to the helptags command. |
family | unix |
id | oval:org.mitre.oval:def:6463 |
status | accepted |
submitted | 2009-09-23T15:39:02.000-04:00 |
title | Vim HelpTags Command Remote Format String Vulnerability |
version | 3 |
Seebug
bulletinFamily | exploit |
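description | BUGTRAQ ID: 25095 CVE(CAN) ID: CVE-2007-2953 VIM is a free, open-source text editor that can be used on Unix/Linux operating systems. The helptags_one() function in VIM's src/ex_cmds.c file contains a format string handling vulnerability, which a local attacker may exploit to elevate their privileges. If the attacker is tricked into running the helptags command on malicious data, the attacker can execute arbitrary code through a specially crafted help file. VIM Development Group VIM 7.1 VIM Development Group VIM 6.4 The vendor has released an upgrade patch to fix this security issue; download it from the vendor's home page: ftp://ftp.vim.org/pub/vim/patches/7.1/7.1.039 |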
id | SSV:2059 |
last seen | 2017-11-19 |
modified | 2007-08-01 |
published | 2007-08-01 |
reporter | Root |
title | Vim HelpTags Command Remote Format String Handling Vulnerability |
Statements
contributor | Joshua Bressers |
lastmodified | 2007-08-06 |
organization | Red Hat |
statement | Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=248542 The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ |
References
- ftp://ftp.vim.org/pub/vim/patches/7.1/7.1.039
- http://secunia.com/advisories/25941
- http://secunia.com/advisories/26285
- http://secunia.com/advisories/26522
- http://secunia.com/advisories/26594
- http://secunia.com/advisories/26653
- http://secunia.com/advisories/26674
- http://secunia.com/advisories/26822
- http://secunia.com/advisories/32858
- http://secunia.com/advisories/33410
- http://secunia.com/secunia_research/2007-66/advisory/
- http://support.avaya.com/elmodocs2/security/ASA-2009-001.htm
- http://www.attrition.org/pipermail/vim/2007-August/001770.html
- http://www.debian.org/security/2007/dsa-1364
- http://www.mandriva.com/security/advisories?name=MDKSA-2007:168
- http://www.mandriva.com/security/advisories?name=MDVSA-2008:236
- http://www.novell.com/linux/security/advisories/2007_18_sr.html
- http://www.redhat.com/support/errata/RHSA-2008-0580.html
- http://www.redhat.com/support/errata/RHSA-2008-0617.html
- http://www.securityfocus.com/archive/1/475076/100/100/threaded
- http://www.securityfocus.com/archive/1/502322/100/0/threaded
- http://www.securityfocus.com/bid/25095
- http://www.trustix.org/errata/2007/0026/
- http://www.ubuntu.com/usn/usn-505-1
- http://www.vmware.com/security/advisories/VMSA-2009-0004.html
- http://www.vupen.com/english/advisories/2007/2687
- http://www.vupen.com/english/advisories/2009/0033
- http://www.vupen.com/english/advisories/2009/0904
- https://exchange.xforce.ibmcloud.com/vulnerabilities/35655
- https://issues.rpath.com/browse/RPL-1595
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11549
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6463