-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ SCO Security Advisory Subject: OpenLinux: vim arbitrary commands execution through modelines Advisory number: CSSA-2004-015.0 Issue date: 2004 March 30 Cross reference: sr889557 fz528946 erg712560 CAN-2002-1377 ______________________________________________________________________________ 1. Problem Description vim 6.0 and 6.1, and possibly other versions, allows attackers to execute arbitrary commands using the libcall feature in modelines, which are not sandboxed but may be executed when vim is used as an editor for other products such as mutt. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-1377 to this issue. 2. Vulnerable Supported Versions System Package ---------------------------------------------------------------------- OpenLinux 3.1.1 Server prior to vim-6.2-1.i386.rpm prior to vim-X11-6.2-1.i386.rpm prior to vim-help-6.2-1.i386.rpm prior to vim-i18n-6.2-1.i386.rpm OpenLinux 3.1.1 Workstation prior to vim-6.2-1.i386.rpm prior to vim-X11-6.2-1.i386.rpm prior to vim-help-6.2-1.i386.rpm prior to vim-i18n-6.2-1.i386.rpm 3. Solution The proper solution is to install the latest packages. Unix users with Linux Kernel Personality can use the Caldera System Updater, called cupdate (or kcupdate under the KDE environment), to update these packages rather than downloading and installing them by hand. 4. OpenLinux 3.1.1 Server 4.1 Package Location ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2004-015.0/RPMS 4.2 Packages 2eaf8ff7d07ae09123dff2c16e68df5f vim-6.2-1.i386.rpm b9872220a38cad8103089dfe600a188d vim-X11-6.2-1.i386.rpm ec819c86427a02d6c8971ca6567efedd vim-help-6.2-1.i386.rpm 7ff1f641f70fc8fb216e2d683b814400 vim-i18n-6.2-1.i386.rpm 4.3 Installation rpm -Fvh vim-6.2-1.i386.rpm rpm -Fvh vim-X11-6.2-1.i386.rpm rpm -Fvh vim-help-6.2-1.i386.rpm rpm -Fvh vim-i18n-6.2-1.i386.rpm 4.4 Source Package Location ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2004-015.0/SRPMS 4.5 Source Packages 236756ca0c61400c475c8d84622ade61 vim-6.2-1.src.rpm 5. OpenLinux 3.1.1 Workstation 5.1 Package Location ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2004-015.0/RPMS 5.2 Packages 2ebcc5f8e7b0d893b058fc241c7844b5 vim-6.2-1.i386.rpm a75f8d7349cfa8e1cb6ba23a0267a7e1 vim-X11-6.2-1.i386.rpm f618eaf8d81f2a8ac85ad9c517c28ae5 vim-help-6.2-1.i386.rpm cc12e062b2f69bbf2a6c861e0da0749b vim-i18n-6.2-1.i386.rpm 5.3 Installation rpm -Fvh vim-6.2-1.i386.rpm rpm -Fvh vim-X11-6.2-1.i386.rpm rpm -Fvh vim-help-6.2-1.i386.rpm rpm -Fvh vim-i18n-6.2-1.i386.rpm 5.4 Source Package Location ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2004-015.0/SRPMS 5.5 Source Packages 85709bfff745aeda4f4aa090cee834e7 vim-6.2-1.src.rpm 6. References Specific references for this advisory: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1377 http://lists.netsys.com/pipermail/full-disclosure/2002-December/003330.html http://www.guninski.com/vim1.html SCO security resources: http://www.sco.com/support/security/index.html This security fix closes SCO incidents sr889557 fz528946 erg712560. 7. Disclaimer SCO is not responsible for the misuse of any of the information we provide on this website and/or through our security advisories. Our advisories are a service to our customers intended to promote secure installation and use of SCO products. 8. Acknowledgements SCO would like to thank Georgi Guninski ______________________________________________________________________________ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (SCO/UNIX_SVR5) iD8DBQFAaicpbluZssSXDTERAtg7AJ9W4yP2cEe57fSBioimvf9bKPUHfQCg0aT+ ggzOutLoHFA0w4++nB9/G4U= =4eTx -----END PGP SIGNATURE-----