Vulnerabilities > CVE-2008-3075 - Code Injection vulnerability in VIM and Zipplugin.Vim
Attack vector
NETWORK Attack complexity
MEDIUM Privileges required
NONE Confidentiality impact
COMPLETE Integrity impact
COMPLETE Availability impact
COMPLETE Summary
The shellescape function in Vim 7.0 through 7.2, including 7.2a.10, allows user-assisted attackers to execute arbitrary code via the "!" (exclamation point) shell metacharacter in (1) the filename of a ZIP archive and possibly (2) the filename of the first file in a ZIP archive, which is not properly handled by zip.vim in the VIM ZIP plugin (zipPlugin.vim) v.11 through v.21, as demonstrated by the zipplugin and zipplugin.v2 test cases. NOTE: this issue reportedly exists because of an incomplete fix for CVE-2008-2712. NOTE: this issue has the same root cause as CVE-2008-3074. NOTE: due to the complexity of the associated disclosures and the incomplete information related to them, there may be inaccuracies in this CVE description and in external mappings to this identifier.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Leverage Executable Code in Non-Executable Files An attack of this type exploits a system's trust in configuration and resource files, when the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high. The attack can be directed at a client system, such as causing buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028 where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading pdf files. In this case the attacker simply appends javascript to the end of a legitimate url for a pdf (http://www.gnucitizen.org/blog/danger-danger-danger/) http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here The client assumes that they are reading a pdf, but the attacker has modified the resource and loaded executable javascript into the client's browser process. The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server, adding role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when they are manipulated, the attacker gains full control.
- Manipulating User-Controlled Variables This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An attacker can override environment variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the attacker can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.
Nessus
NASL family Scientific Linux Local Security Checks NASL id SL_20081125_VIM_ON_SL3_X.NASL description Several input sanitization flaws were found in Vim last seen 2020-06-01 modified 2020-06-02 plugin id 60500 published 2012-08-01 reporter This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/60500 title Scientific Linux Security Update : vim on SL3.x, SL4.x, SL5.x i386/x86_64 code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text is (C) Scientific Linux. # include("compat.inc"); if (description) { script_id(60500); script_version("1.6"); script_cvs_date("Date: 2019/10/25 13:36:18"); script_cve_id("CVE-2007-2953", "CVE-2008-2712", "CVE-2008-3074", "CVE-2008-3075", "CVE-2008-3076", "CVE-2008-3432", "CVE-2008-4101"); script_name(english:"Scientific Linux Security Update : vim on SL3.x, SL4.x, SL5.x i386/x86_64"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value: "The remote Scientific Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Several input sanitization flaws were found in Vim's keyword and tag handling. If Vim looked up a document's maliciously crafted tag or keyword, it was possible to execute arbitrary code as the user running Vim. (CVE-2008-4101) SL3 and SL4 Only: A heap-based overflow flaw was discovered in Vim's expansion of file name patterns with shell wildcards. An attacker could create a specially crafted file or directory name that, when opened by Vim, caused the application to crash or, possibly, execute arbitrary code. (CVE-2008-3432) SL5 Only: Multiple security flaws were found in netrw.vim, the Vim plug-in providing file reading and writing over the network. If a user opened a specially crafted file or directory with the netrw plug-in, it could result in arbitrary code execution as the user running Vim. (CVE-2008-3076) SL5 Only: A security flaw was found in zip.vim, the Vim plug-in that handles ZIP archive browsing. If a user opened a ZIP archive using the zip.vim plug-in, it could result in arbitrary code execution as the user running Vim. (CVE-2008-3075) SL5 Only: A security flaw was found in tar.vim, the Vim plug-in which handles TAR archive browsing. If a user opened a TAR archive using the tar.vim plug-in, it could result in arbitrary code execution as the user runnin Vim. (CVE-2008-3074) Several input sanitization flaws were found in various Vim system functions. If a user opened a specially crafted file, it was possible to execute arbitrary code as the user running Vim. (CVE-2008-2712) Ulf Härnhammar, of Secunia Research, discovered a format string flaw in Vim's help tag processor. If a user was tricked into executing the 'helptags' command on malicious data, arbitrary code could be executed with the permissions of the user running Vim. (CVE-2007-2953)" ); # https://listserv.fnal.gov/scripts/wa.exe?A2=ind0811&L=scientific-linux-errata&T=0&P=1936 script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?7ee91c3b" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_cwe_id(20, 78, 94, 119); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"x-cpe:/o:fermilab:scientific_linux"); script_set_attribute(attribute:"patch_publication_date", value:"2008/11/25"); script_set_attribute(attribute:"plugin_publication_date", value:"2012/08/01"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Scientific Linux Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Scientific Linux " >!< release) audit(AUDIT_HOST_NOT, "running Scientific Linux"); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Scientific Linux", cpu); flag = 0; if (rpm_check(release:"SL3", reference:"vim-X11-6.3.046-0.30E.11")) flag++; if (rpm_check(release:"SL3", reference:"vim-common-6.3.046-0.30E.11")) flag++; if (rpm_check(release:"SL3", reference:"vim-enhanced-6.3.046-0.30E.11")) flag++; if (rpm_check(release:"SL3", reference:"vim-minimal-6.3.046-0.30E.11")) flag++; if (rpm_check(release:"SL4", reference:"vim-X11-6.3.046-1.el4_7.5z")) flag++; if (rpm_check(release:"SL4", reference:"vim-common-6.3.046-1.el4_7.5z")) flag++; if (rpm_check(release:"SL4", reference:"vim-enhanced-6.3.046-1.el4_7.5z")) flag++; if (rpm_check(release:"SL4", reference:"vim-minimal-6.3.046-1.el4_7.5z")) flag++; if (rpm_check(release:"SL5", reference:"vim-X11-7.0.109-4.el5_2.4z")) flag++; if (rpm_check(release:"SL5", reference:"vim-common-7.0.109-4.el5_2.4z")) flag++; if (rpm_check(release:"SL5", reference:"vim-enhanced-7.0.109-4.el5_2.4z")) flag++; if (rpm_check(release:"SL5", reference:"vim-minimal-7.0.109-4.el5_2.4z")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2008-236.NASL description Several vulnerabilities were found in the vim editor : A number of input sanitization flaws were found in various vim system functions. If a user were to open a specially crafted file, it would be possible to execute arbitrary code as the user running vim (CVE-2008-2712). Ulf Härnhammar of Secunia Research found a format string flaw in vim last seen 2020-06-01 modified 2020-06-02 plugin id 36821 published 2009-04-23 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/36821 title Mandriva Linux Security Advisory : vim (MDVSA-2008:236-1) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Mandriva Linux Security Advisory MDVSA-2008:236. # The text itself is copyright (C) Mandriva S.A. # include("compat.inc"); if (description) { script_id(36821); script_version ("1.15"); script_cvs_date("Date: 2019/08/02 13:32:50"); script_cve_id("CVE-2007-2953", "CVE-2008-2712", "CVE-2008-2953", "CVE-2008-3074", "CVE-2008-3075", "CVE-2008-3076", "CVE-2008-4101", "CVE-2008-4677"); script_bugtraq_id(25095); script_xref(name:"MDVSA", value:"2008:236-1"); script_name(english:"Mandriva Linux Security Advisory : vim (MDVSA-2008:236-1)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value: "The remote Mandriva Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Several vulnerabilities were found in the vim editor : A number of input sanitization flaws were found in various vim system functions. If a user were to open a specially crafted file, it would be possible to execute arbitrary code as the user running vim (CVE-2008-2712). Ulf Härnhammar of Secunia Research found a format string flaw in vim's help tags processor. If a user were tricked into executing the helptags command on malicious data, it could result in the execution of arbitrary code as the user running vim (CVE-2008-2953). A flaw was found in how tar.vim handled TAR archive browsing. If a user were to open a special TAR archive using the plugin, it could result in the execution of arbitrary code as the user running vim (CVE-2008-3074). A flaw was found in how zip.vim handled ZIP archive browsing. If a user were to open a special ZIP archive using the plugin, it could result in the execution of arbitrary code as the user running vim (CVE-2008-3075). A number of security flaws were found in netrw.vim, the vim plugin that provides the ability to read and write files over the network. If a user opened a specially crafted file or directory with the netrw plugin, it could result in the execution of arbitrary code as the user running vim (CVE-2008-3076). A number of input validation flaws were found in vim's keyword and tag handling. If vim looked up a document's maliciously crafted tag or keyword, it was possible to execute arbitary code as the user running vim (CVE-2008-4101). A vulnerability was found in certain versions of netrw.vim where it would send FTP credentials stored for an FTP session to subsequent FTP sessions to servers on different hosts, exposing FTP credentials to remote hosts (CVE-2008-4677). This update provides vim 7.2 (patchlevel 65) which corrects all of these issues and introduces a number of new features and bug fixes. Update : The previous vim update incorrectly introduced a requirement on libruby and also conflicted with a file from the git-core package (in contribs). These issues have been corrected with these updated packages." ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_cwe_id(20, 78, 94, 255); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:vim-X11"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:vim-common"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:vim-enhanced"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:vim-minimal"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2008.0"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2008.1"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2009.0"); script_set_attribute(attribute:"patch_publication_date", value:"2008/12/08"); script_set_attribute(attribute:"plugin_publication_date", value:"2009/04/23"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc."); script_family(english:"Mandriva Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux"); if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu); flag = 0; if (rpm_check(release:"MDK2008.0", reference:"vim-X11-7.2.065-9.3mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"vim-common-7.2.065-9.3mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"vim-enhanced-7.2.065-9.3mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"vim-minimal-7.2.065-9.3mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.1", reference:"vim-X11-7.2.065-9.3mdv2008.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.1", reference:"vim-common-7.2.065-9.3mdv2008.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.1", reference:"vim-enhanced-7.2.065-9.3mdv2008.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.1", reference:"vim-minimal-7.2.065-9.3mdv2008.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.0", reference:"vim-X11-7.2.065-9.3mdv2009.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.0", reference:"vim-common-7.2.065-9.3mdv2009.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.0", reference:"vim-enhanced-7.2.065-9.3mdv2009.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.0", reference:"vim-minimal-7.2.065-9.3mdv2009.0", yank:"mdv")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family SuSE Local Security Checks NASL id SUSE_11_0_GVIM-090225.NASL description The VI Improved editor (vim) was updated to version 7.2.108 to fix various security problems and other bugs. CVE-2008-4677: The netrw plugin sent credentials to all servers. CVE-2009-0316: The python support used a search path including the current directory, allowing code injection when python code was used. CVE-2008-2712: Arbitrary code execution in vim helper plugins filetype.vim, zipplugin, xpm.vim, gzip_vim, and netrw were fixed. CVE-2008-3074: tarplugin code injection CVE-2008-3075: zipplugin code injection CVE-2008-3076: several netrw bugs, code injection CVE-2008-6235: code injection in the netrw plugin CVE-2008-4677: credential disclosure by netrw plugin last seen 2020-06-01 modified 2020-06-02 plugin id 39980 published 2009-07-21 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/39980 title openSUSE Security Update : gvim (gvim-561) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update gvim-561. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(39980); script_version("1.12"); script_cvs_date("Date: 2019/10/25 13:36:34"); script_cve_id("CVE-2008-2712", "CVE-2008-3074", "CVE-2008-3075", "CVE-2008-3076", "CVE-2008-4677", "CVE-2008-6235", "CVE-2009-0316"); script_name(english:"openSUSE Security Update : gvim (gvim-561)"); script_summary(english:"Check for the gvim-561 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." ); script_set_attribute( attribute:"description", value: "The VI Improved editor (vim) was updated to version 7.2.108 to fix various security problems and other bugs. CVE-2008-4677: The netrw plugin sent credentials to all servers. CVE-2009-0316: The python support used a search path including the current directory, allowing code injection when python code was used. CVE-2008-2712: Arbitrary code execution in vim helper plugins filetype.vim, zipplugin, xpm.vim, gzip_vim, and netrw were fixed. CVE-2008-3074: tarplugin code injection CVE-2008-3075: zipplugin code injection CVE-2008-3076: several netrw bugs, code injection CVE-2008-6235: code injection in the netrw plugin CVE-2008-4677: credential disclosure by netrw plugin" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=406693" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=436755" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=439148" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=457098" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=465255" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=470100" ); script_set_attribute(attribute:"solution", value:"Update the affected gvim packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_cwe_id(20, 78, 94, 255); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:gvim"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:vim"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:vim-base"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:vim-data"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:vim-enhanced"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:11.0"); script_set_attribute(attribute:"patch_publication_date", value:"2009/02/25"); script_set_attribute(attribute:"plugin_publication_date", value:"2009/07/21"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE11\.0)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "11.0", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch); flag = 0; if ( rpm_check(release:"SUSE11.0", reference:"gvim-7.2-9.1") ) flag++; if ( rpm_check(release:"SUSE11.0", reference:"vim-7.2-9.1") ) flag++; if ( rpm_check(release:"SUSE11.0", reference:"vim-base-7.2-9.1") ) flag++; if ( rpm_check(release:"SUSE11.0", reference:"vim-data-7.2-9.1") ) flag++; if ( rpm_check(release:"SUSE11.0", reference:"vim-enhanced-7.2-9.1") ) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "vim"); }NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2008-0580.NASL description Updated vim packages that fix security issues are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Vim (Visual editor IMproved) is an updated and improved version of the vi editor. Several input sanitization flaws were found in Vim last seen 2020-06-01 modified 2020-06-02 plugin id 34953 published 2008-11-25 reporter This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/34953 title RHEL 5 : vim (RHSA-2008:0580) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2008:0580. The text # itself is copyright (C) Red Hat, Inc. # include("compat.inc"); if (description) { script_id(34953); script_version ("1.28"); script_cvs_date("Date: 2019/10/25 13:36:13"); script_cve_id("CVE-2007-2953", "CVE-2008-2712", "CVE-2008-3074", "CVE-2008-3075", "CVE-2008-3076", "CVE-2008-4101", "CVE-2008-6235"); script_bugtraq_id(25095); script_xref(name:"RHSA", value:"2008:0580"); script_name(english:"RHEL 5 : vim (RHSA-2008:0580)"); script_summary(english:"Checks the rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Red Hat host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Updated vim packages that fix security issues are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Vim (Visual editor IMproved) is an updated and improved version of the vi editor. Several input sanitization flaws were found in Vim's keyword and tag handling. If Vim looked up a document's maliciously crafted tag or keyword, it was possible to execute arbitrary code as the user running Vim. (CVE-2008-4101) Multiple security flaws were found in netrw.vim, the Vim plug-in providing file reading and writing over the network. If a user opened a specially crafted file or directory with the netrw plug-in, it could result in arbitrary code execution as the user running Vim. (CVE-2008-3076) A security flaw was found in zip.vim, the Vim plug-in that handles ZIP archive browsing. If a user opened a ZIP archive using the zip.vim plug-in, it could result in arbitrary code execution as the user running Vim. (CVE-2008-3075) A security flaw was found in tar.vim, the Vim plug-in which handles TAR archive browsing. If a user opened a TAR archive using the tar.vim plug-in, it could result in arbitrary code execution as the user runnin Vim. (CVE-2008-3074) Several input sanitization flaws were found in various Vim system functions. If a user opened a specially crafted file, it was possible to execute arbitrary code as the user running Vim. (CVE-2008-2712) Ulf Harnhammar, of Secunia Research, discovered a format string flaw in Vim's help tag processor. If a user was tricked into executing the 'helptags' command on malicious data, arbitrary code could be executed with the permissions of the user running Vim. (CVE-2007-2953) All Vim users are advised to upgrade to these updated packages, which contain backported patches to correct these issues." ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2007-2953" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2008-2712" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2008-3074" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2008-3075" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2008-4101" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2008-6235" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2008:0580" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_cwe_id(20, 78, 94); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:vim-X11"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:vim-common"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:vim-enhanced"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:vim-minimal"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5.2"); script_set_attribute(attribute:"vuln_publication_date", value:"2007/07/31"); script_set_attribute(attribute:"patch_publication_date", value:"2008/11/25"); script_set_attribute(attribute:"plugin_publication_date", value:"2008/11/25"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Red Hat Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat"); os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat"); os_ver = os_ver[1]; if (! preg(pattern:"^5([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 5.x", "Red Hat " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu); yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo"); if (!empty_or_null(yum_updateinfo)) { rhsa = "RHSA-2008:0580"; yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa); if (!empty_or_null(yum_report)) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : yum_report ); exit(0); } else { audit_message = "affected by Red Hat security advisory " + rhsa; audit(AUDIT_OS_NOT, audit_message); } } else { flag = 0; if (rpm_check(release:"RHEL5", cpu:"i386", reference:"vim-X11-7.0.109-4.el5_2.4z")) flag++; if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"vim-X11-7.0.109-4.el5_2.4z")) flag++; if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"vim-X11-7.0.109-4.el5_2.4z")) flag++; if (rpm_check(release:"RHEL5", cpu:"i386", reference:"vim-common-7.0.109-4.el5_2.4z")) flag++; if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"vim-common-7.0.109-4.el5_2.4z")) flag++; if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"vim-common-7.0.109-4.el5_2.4z")) flag++; if (rpm_check(release:"RHEL5", cpu:"i386", reference:"vim-enhanced-7.0.109-4.el5_2.4z")) flag++; if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"vim-enhanced-7.0.109-4.el5_2.4z")) flag++; if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"vim-enhanced-7.0.109-4.el5_2.4z")) flag++; if (rpm_check(release:"RHEL5", cpu:"i386", reference:"vim-minimal-7.0.109-4.el5_2.4z")) flag++; if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"vim-minimal-7.0.109-4.el5_2.4z")) flag++; if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"vim-minimal-7.0.109-4.el5_2.4z")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() + redhat_report_package_caveat() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "vim-X11 / vim-common / vim-enhanced / vim-minimal"); } }NASL family SuSE Local Security Checks NASL id SUSE_GVIM-6023.NASL description The VI Improved editor (vim) was updated to version 7.2.108 to fix various security problems and other bugs. CVE-2008-4677: The netrw plugin sent credentials to all servers. CVE-2009-0316: The python support used a search path including the current directory, allowing code injection when python code was used. CVE-2008-2712: Arbitrary code execution in vim helper plugins filetype.vim, zipplugin, xpm.vim, gzip_vim, and netrw were fixed. CVE-2008-3074: tarplugin code injection CVE-2008-3075: zipplugin code injection CVE-2008-3076: several netrw bugs, code injection CVE-2008-6235: code injection in the netrw plugin CVE-2008-4677: credential disclosure by netrw plugin last seen 2020-06-01 modified 2020-06-02 plugin id 35921 published 2009-03-13 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/35921 title openSUSE 10 Security Update : gvim (gvim-6023) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update gvim-6023. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(35921); script_version ("1.10"); script_cvs_date("Date: 2019/10/25 13:36:36"); script_cve_id("CVE-2008-2712", "CVE-2008-3074", "CVE-2008-3075", "CVE-2008-3076", "CVE-2008-4677", "CVE-2008-6235", "CVE-2009-0316"); script_name(english:"openSUSE 10 Security Update : gvim (gvim-6023)"); script_summary(english:"Check for the gvim-6023 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." ); script_set_attribute( attribute:"description", value: "The VI Improved editor (vim) was updated to version 7.2.108 to fix various security problems and other bugs. CVE-2008-4677: The netrw plugin sent credentials to all servers. CVE-2009-0316: The python support used a search path including the current directory, allowing code injection when python code was used. CVE-2008-2712: Arbitrary code execution in vim helper plugins filetype.vim, zipplugin, xpm.vim, gzip_vim, and netrw were fixed. CVE-2008-3074: tarplugin code injection CVE-2008-3075: zipplugin code injection CVE-2008-3076: several netrw bugs, code injection CVE-2008-6235: code injection in the netrw plugin CVE-2008-4677: credential disclosure by netrw plugin" ); script_set_attribute(attribute:"solution", value:"Update the affected gvim packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_cwe_id(20, 78, 94, 255); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:gvim"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:vim"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:vim-base"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:vim-data"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:vim-enhanced"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:10.3"); script_set_attribute(attribute:"patch_publication_date", value:"2009/02/25"); script_set_attribute(attribute:"plugin_publication_date", value:"2009/03/13"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE10\.3)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "10.3", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch); flag = 0; if ( rpm_check(release:"SUSE10.3", reference:"gvim-7.2-9.1") ) flag++; if ( rpm_check(release:"SUSE10.3", reference:"vim-7.2-9.1") ) flag++; if ( rpm_check(release:"SUSE10.3", reference:"vim-base-7.2-9.1") ) flag++; if ( rpm_check(release:"SUSE10.3", reference:"vim-data-7.2-9.1") ) flag++; if ( rpm_check(release:"SUSE10.3", reference:"vim-enhanced-7.2-9.1") ) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "vim"); }NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2008-0580.NASL description Updated vim packages that fix security issues are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Vim (Visual editor IMproved) is an updated and improved version of the vi editor. Several input sanitization flaws were found in Vim last seen 2020-06-01 modified 2020-06-02 plugin id 43697 published 2010-01-06 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/43697 title CentOS 5 : vim (CESA-2008:0580) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2008:0580 and # CentOS Errata and Security Advisory 2008:0580 respectively. # include("compat.inc"); if (description) { script_id(43697); script_version("1.17"); script_cvs_date("Date: 2019/10/25 13:36:04"); script_cve_id("CVE-2007-2953", "CVE-2008-2712", "CVE-2008-3074", "CVE-2008-3075", "CVE-2008-3076", "CVE-2008-4101", "CVE-2008-6235"); script_bugtraq_id(25095); script_xref(name:"RHSA", value:"2008:0580"); script_name(english:"CentOS 5 : vim (CESA-2008:0580)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote CentOS host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Updated vim packages that fix security issues are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Vim (Visual editor IMproved) is an updated and improved version of the vi editor. Several input sanitization flaws were found in Vim's keyword and tag handling. If Vim looked up a document's maliciously crafted tag or keyword, it was possible to execute arbitrary code as the user running Vim. (CVE-2008-4101) Multiple security flaws were found in netrw.vim, the Vim plug-in providing file reading and writing over the network. If a user opened a specially crafted file or directory with the netrw plug-in, it could result in arbitrary code execution as the user running Vim. (CVE-2008-3076) A security flaw was found in zip.vim, the Vim plug-in that handles ZIP archive browsing. If a user opened a ZIP archive using the zip.vim plug-in, it could result in arbitrary code execution as the user running Vim. (CVE-2008-3075) A security flaw was found in tar.vim, the Vim plug-in which handles TAR archive browsing. If a user opened a TAR archive using the tar.vim plug-in, it could result in arbitrary code execution as the user runnin Vim. (CVE-2008-3074) Several input sanitization flaws were found in various Vim system functions. If a user opened a specially crafted file, it was possible to execute arbitrary code as the user running Vim. (CVE-2008-2712) Ulf Harnhammar, of Secunia Research, discovered a format string flaw in Vim's help tag processor. If a user was tricked into executing the 'helptags' command on malicious data, arbitrary code could be executed with the permissions of the user running Vim. (CVE-2007-2953) All Vim users are advised to upgrade to these updated packages, which contain backported patches to correct these issues." ); # https://lists.centos.org/pipermail/centos-announce/2008-November/015453.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?ab334c2c" ); # https://lists.centos.org/pipermail/centos-announce/2008-November/015454.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?928c4900" ); script_set_attribute(attribute:"solution", value:"Update the affected vim packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_cwe_id(20, 78, 94); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:vim-X11"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:vim-common"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:vim-enhanced"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:vim-minimal"); script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:5"); script_set_attribute(attribute:"vuln_publication_date", value:"2007/07/31"); script_set_attribute(attribute:"patch_publication_date", value:"2008/11/26"); script_set_attribute(attribute:"plugin_publication_date", value:"2010/01/06"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"CentOS Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/CentOS/release"); if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS"); os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS"); os_ver = os_ver[1]; if (! preg(pattern:"^5([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 5.x", "CentOS " + os_ver); if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu); flag = 0; if (rpm_check(release:"CentOS-5", reference:"vim-X11-7.0.109-4.el5_2.4z")) flag++; if (rpm_check(release:"CentOS-5", reference:"vim-common-7.0.109-4.el5_2.4z")) flag++; if (rpm_check(release:"CentOS-5", reference:"vim-enhanced-7.0.109-4.el5_2.4z")) flag++; if (rpm_check(release:"CentOS-5", reference:"vim-minimal-7.0.109-4.el5_2.4z")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "vim-X11 / vim-common / vim-enhanced / vim-minimal"); }NASL family Debian Local Security Checks NASL id DEBIAN_DSA-1733.NASL description Several vulnerabilities have been found in vim, an enhanced vi editor. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2008-2712 Jan Minar discovered that vim did not properly sanitise inputs before invoking the execute or system functions inside vim scripts. This could lead to the execution of arbitrary code. - CVE-2008-3074 Jan Minar discovered that the tar plugin of vim did not properly sanitise the filenames in the tar archive or the name of the archive file itself, making it prone to arbitrary code execution. - CVE-2008-3075 Jan Minar discovered that the zip plugin of vim did not properly sanitise the filenames in the zip archive or the name of the archive file itself, making it prone to arbitrary code execution. - CVE-2008-3076 Jan Minar discovered that the netrw plugin of vim did not properly sanitise the filenames or directory names it is given. This could lead to the execution of arbitrary code. - CVE-2008-4101 Ben Schmidt discovered that vim did not properly escape characters when performing keyword or tag lookups. This could lead to the execution of arbitrary code. last seen 2020-06-01 modified 2020-06-02 plugin id 35764 published 2009-03-04 reporter This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/35764 title Debian DSA-1733-1 : vim - several vulnerabilities code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-1733. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(35764); script_version("1.13"); script_cvs_date("Date: 2019/08/02 13:32:21"); script_cve_id("CVE-2008-2712", "CVE-2008-3074", "CVE-2008-3075", "CVE-2008-3076", "CVE-2008-4101"); script_xref(name:"DSA", value:"1733"); script_name(english:"Debian DSA-1733-1 : vim - several vulnerabilities"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "Several vulnerabilities have been found in vim, an enhanced vi editor. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2008-2712 Jan Minar discovered that vim did not properly sanitise inputs before invoking the execute or system functions inside vim scripts. This could lead to the execution of arbitrary code. - CVE-2008-3074 Jan Minar discovered that the tar plugin of vim did not properly sanitise the filenames in the tar archive or the name of the archive file itself, making it prone to arbitrary code execution. - CVE-2008-3075 Jan Minar discovered that the zip plugin of vim did not properly sanitise the filenames in the zip archive or the name of the archive file itself, making it prone to arbitrary code execution. - CVE-2008-3076 Jan Minar discovered that the netrw plugin of vim did not properly sanitise the filenames or directory names it is given. This could lead to the execution of arbitrary code. - CVE-2008-4101 Ben Schmidt discovered that vim did not properly escape characters when performing keyword or tag lookups. This could lead to the execution of arbitrary code." ); script_set_attribute( attribute:"see_also", value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=486502" ); script_set_attribute( attribute:"see_also", value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=506919" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2008-2712" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2008-3074" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2008-3075" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2008-3076" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2008-4101" ); script_set_attribute( attribute:"see_also", value:"https://www.debian.org/security/2009/dsa-1733" ); script_set_attribute( attribute:"solution", value: "For the oldstable distribution (etch), these problems have been fixed in version 1:7.0-122+1etch5. For the stable distribution (lenny), these problems have been fixed in version 1:7.1.314-3+lenny1, which was already included in the lenny release." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_cwe_id(20, 78, 94); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:vim"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:4.0"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:5.0"); script_set_attribute(attribute:"patch_publication_date", value:"2009/03/03"); script_set_attribute(attribute:"plugin_publication_date", value:"2009/03/04"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"4.0", prefix:"vim", reference:"1:7.0-122+1etch5")) flag++; if (deb_check(release:"4.0", prefix:"vim-common", reference:"1:7.0-122+1etch5")) flag++; if (deb_check(release:"4.0", prefix:"vim-doc", reference:"1:7.0-122+1etch5")) flag++; if (deb_check(release:"4.0", prefix:"vim-full", reference:"1:7.0-122+1etch5")) flag++; if (deb_check(release:"4.0", prefix:"vim-gnome", reference:"1:7.0-122+1etch5")) flag++; if (deb_check(release:"4.0", prefix:"vim-gtk", reference:"1:7.0-122+1etch5")) flag++; if (deb_check(release:"4.0", prefix:"vim-gui-common", reference:"1:7.0-122+1etch5")) flag++; if (deb_check(release:"4.0", prefix:"vim-lesstif", reference:"1:7.0-122+1etch5")) flag++; if (deb_check(release:"4.0", prefix:"vim-perl", reference:"1:7.0-122+1etch5")) flag++; if (deb_check(release:"4.0", prefix:"vim-python", reference:"1:7.0-122+1etch5")) flag++; if (deb_check(release:"4.0", prefix:"vim-ruby", reference:"1:7.0-122+1etch5")) flag++; if (deb_check(release:"4.0", prefix:"vim-runtime", reference:"1:7.0-122+1etch5")) flag++; if (deb_check(release:"4.0", prefix:"vim-tcl", reference:"1:7.0-122+1etch5")) flag++; if (deb_check(release:"4.0", prefix:"vim-tiny", reference:"1:7.0-122+1etch5")) flag++; if (deb_check(release:"5.0", prefix:"vim", reference:"1:7.1.314-3+lenny1")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family SuSE Local Security Checks NASL id SUSE_11_1_GVIM-090225.NASL description The VI Improved editor (vim) was updated to version 7.2.108 to fix various security problems and other bugs. CVE-2008-4677: The netrw plugin sent credentials to all servers. CVE-2009-0316: The python support used a search path including the current directory, allowing code injection when python code was used. CVE-2008-2712: Arbitrary code execution in vim helper plugins filetype.vim, zipplugin, xpm.vim, gzip_vim, and netrw were fixed. CVE-2008-3074: tarplugin code injection CVE-2008-3075: zipplugin code injection CVE-2008-3076: several netrw bugs, code injection CVE-2008-6235: code injection in the netrw plugin CVE-2008-4677: credential disclosure by netrw plugin last seen 2020-06-01 modified 2020-06-02 plugin id 40230 published 2009-07-21 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/40230 title openSUSE Security Update : gvim (gvim-561) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update gvim-561. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(40230); script_version("1.12"); script_cvs_date("Date: 2019/10/25 13:36:34"); script_cve_id("CVE-2008-2712", "CVE-2008-3074", "CVE-2008-3075", "CVE-2008-3076", "CVE-2008-4677", "CVE-2008-6235", "CVE-2009-0316"); script_name(english:"openSUSE Security Update : gvim (gvim-561)"); script_summary(english:"Check for the gvim-561 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." ); script_set_attribute( attribute:"description", value: "The VI Improved editor (vim) was updated to version 7.2.108 to fix various security problems and other bugs. CVE-2008-4677: The netrw plugin sent credentials to all servers. CVE-2009-0316: The python support used a search path including the current directory, allowing code injection when python code was used. CVE-2008-2712: Arbitrary code execution in vim helper plugins filetype.vim, zipplugin, xpm.vim, gzip_vim, and netrw were fixed. CVE-2008-3074: tarplugin code injection CVE-2008-3075: zipplugin code injection CVE-2008-3076: several netrw bugs, code injection CVE-2008-6235: code injection in the netrw plugin CVE-2008-4677: credential disclosure by netrw plugin" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=406693" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=436755" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=439148" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=457098" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=465255" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=470100" ); script_set_attribute(attribute:"solution", value:"Update the affected gvim packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_cwe_id(20, 78, 94, 255); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:gvim"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:vim"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:vim-base"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:vim-data"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:vim-enhanced"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:11.1"); script_set_attribute(attribute:"patch_publication_date", value:"2009/02/25"); script_set_attribute(attribute:"plugin_publication_date", value:"2009/07/21"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE11\.1)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "11.1", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch); flag = 0; if ( rpm_check(release:"SUSE11.1", reference:"gvim-7.2-7.4.1") ) flag++; if ( rpm_check(release:"SUSE11.1", reference:"vim-7.2-7.4.1") ) flag++; if ( rpm_check(release:"SUSE11.1", reference:"vim-base-7.2-7.4.1") ) flag++; if ( rpm_check(release:"SUSE11.1", reference:"vim-data-7.2-7.4.1") ) flag++; if ( rpm_check(release:"SUSE11.1", reference:"vim-enhanced-7.2-7.4.1") ) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "vim"); }NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2008-0580.NASL description From Red Hat Security Advisory 2008:0580 : Updated vim packages that fix security issues are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Vim (Visual editor IMproved) is an updated and improved version of the vi editor. Several input sanitization flaws were found in Vim last seen 2020-06-01 modified 2020-06-02 plugin id 67722 published 2013-07-12 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/67722 title Oracle Linux 5 : vim (ELSA-2008-0580)
Oval
| accepted | 2013-04-29T04:03:57.332-04:00 | ||||||||||||
| class | vulnerability | ||||||||||||
| contributors |
| ||||||||||||
| definition_extensions |
| ||||||||||||
| description | and in external mappings to this identifier. | ||||||||||||
| family | unix | ||||||||||||
| id | oval:org.mitre.oval:def:10246 | ||||||||||||
| status | accepted | ||||||||||||
| submitted | 2010-07-09T03:56:16-04:00 | ||||||||||||
| title | and in external mappings to this identifier. | ||||||||||||
| version | 18 |
Redhat
| advisories |
| ||||
| rpms |
|
References
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=506919
- http://lists.opensuse.org/opensuse-security-announce/2009-03/msg00004.html
- http://marc.info/?l=bugtraq&m=121494431426308&w=2
- http://secunia.com/advisories/34418
- http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0324
- http://www.mandriva.com/security/advisories?name=MDVSA-2008:236
- http://www.openwall.com/lists/oss-security/2008/07/07/1
- http://www.openwall.com/lists/oss-security/2008/07/07/4
- http://www.openwall.com/lists/oss-security/2008/07/08/12
- http://www.openwall.com/lists/oss-security/2008/07/10/7
- http://www.openwall.com/lists/oss-security/2008/07/13/1
- http://www.openwall.com/lists/oss-security/2008/07/15/4
- http://www.openwall.com/lists/oss-security/2008/08/01/1
- http://www.openwall.com/lists/oss-security/2008/10/15/1
- http://www.openwall.com/lists/oss-security/2008/10/20/2
- http://www.rdancer.org/vulnerablevim.html
- http://www.redhat.com/support/errata/RHSA-2008-0580.html
- http://www.securityfocus.com/bid/32463
- https://bugzilla.redhat.com/show_bug.cgi?id=467432
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10246