LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

(Nearly) full tickless operation in 3.10

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

vim - modeline vulnerability

Package(s):vim CVE #(s):CAN-2002-1377
Created:January 16, 2003 Updated:February 10, 2004
Description: VIM allows a user to set the modeline differently for each edited text file by placing special comments in the files. Georgi Guninski found that these comments can be carefully crafted in order to call external programs. This could allow an attacker to create a text file such that when it is opened arbitrary commands are executed.
Alerts:
Conectiva CLA-2004:812 2004-02-10
Mandrake MDKSA-2003:012 2003-02-03
Yellow Dog YDU-20030127-3 2003-01-27
Gentoo 200301-13 2003-01-22
OpenPKG OpenPKG-SA-2003.003 2003-01-21
Red Hat RHSA-2002:297-17 2003-01-15
(Log in to post comments)

vim - modeline vulnerability

Posted Jan 23, 2003 12:54 UTC (Thu) by rwmj (subscriber, #5474) [Link]

I'm glad to see useful features from Microsoft Word being integrated at last into archaic Unix tools like 'vi'.

vim's got company in emacs

Posted Feb 7, 2003 18:49 UTC (Fri) by Max.Hyre (subscriber, #1054) [Link]

emacs is the same, if not worse. (See the node File Variables in the info docs.) You get not only to set random buffer-local variables, but also to evaluate arbitrary lisp code. Ouch!

At least the latter, by default, asks your permission, while the former prevents access to a number of variables deemed to be a particular risk.

Unfortunately, auto-setup for a given file is too handy to pass up, so I make it ask me everytime. Great, if I can avoid getting complacent about saying `yes'....

fixed in debian as well

Posted Jan 23, 2003 20:11 UTC (Thu) by erich (subscriber, #7127) [Link]

I remember seeing this fix in Debian...
Maybe only in unstable though:
vim (6.1.263-1) unstable; urgency=low

  [...]
  * debian/runtime/vimrc: added 'set nomodeline' to address potential
    security issue wherein malicious persons author files with hazardous
    modelines, users unwittingly open said files and vim evaluates the
    dangerous modelines
  [...]

 -- Luca Filipozzi <lfilipoz@debian.org>  Tue, 26 Nov 2002 09:46:26 -0800
So Debian unstable has modlines disabled by default. I don't enable them for emails i reply to.

vim - modeline vulnerability

Posted Mar 4, 2004 0:44 UTC (Thu) by dw (subscriber, #12017) [Link]

The initial Guninski advisory was so rushed that he failed to notice "libcallnr" as an alternative to "libcall". Upon return of "libcall", vim will attempt to read a char * from the integer returned by the called function. This, in the case of the advisory, should for all intents and purposes lead to a crash.

Just worth note. :)

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds