Re: git: 003195a3c754 - main - vuxml: Document vim code execution
Date: Mon, 03 Mar 2025 12:42:59 UTC
Hello,
FreshPorts barfed on this one, and didn't give me much useful information.
Sorry I can't follow up on this to fix it. I must work on something else right now.
However, it may be a mismatched tag:
[12:30 dvl-ingress01 dvl /usr/local/libexec/freshports] % echo "perl ./process_vuxml.pl --filename=/jails/freshports/usr/ports/security/vuxml/vuln.xml --showreasons" | sudo su -fm freshports
process_vuxml.pl starts
reasons will be displayed
(there is usually a delay before further output)
mismatched tag at line 34, column 3, byte 1421
error in processing external entity reference at line 84, column 0, byte 3678 at /usr/local/lib/perl5/site_perl/mach/5.38/XML/Parser.pm line 187.
`make validate` seems to confirm that:
[12:42 mydev dvl /usr/ports/security/vuxml] % sudo make validate
xmllint -noent /usr/ports/security/vuxml/vuln.xml > /usr/ports/security/vuxml/vuln-flat.xml
/usr/ports/security/vuxml/vuln/2025.xml:34: parser error : Opening and ending tag mismatch: p line 31 and blockquote
</blockquote>
^
/usr/ports/security/vuxml/vuln/2025.xml:35: parser error : Opening and ending tag mismatch: blockquote line 17 and body
</body>
^
/usr/ports/security/vuxml/vuln/2025.xml:36: parser error : Opening and ending tag mismatch: body line 15 and description
</description>
^
/usr/ports/security/vuxml/vuln/2025.xml:44: parser error : Opening and ending tag mismatch: description line 14 and vuln
</vuln>
^
/usr/ports/security/vuxml/vuln/2025.xml:1953: parser error : Premature end of data in tag vuln line 1
^
/usr/ports/security/vuxml/vuln/2025.xml:1953: parser error : chunk is not well balanced
^
/usr/ports/security/vuxml/vuln.xml:84: parser error : Entity 'vuln-2025' failed to parse
&vuln-2025;
^
*** Error code 1
Stop.
make: stopped in /usr/ports/security/vuxml
On Sun, Mar 2, 2025, at 11:45 PM, Adam Weinberger wrote:
> The branch main has been updated by adamw:
>
> URL:
> https://cgit.FreeBSD.org/ports/commit/?id=003195a3c754204bc61aaa39fea85fd62004b014
>
> commit 003195a3c754204bc61aaa39fea85fd62004b014
> Author: Adam Weinberger <adamw@FreeBSD.org>
> AuthorDate: 2025-03-03 04:45:48 +0000
> Commit: Adam Weinberger <adamw@FreeBSD.org>
> CommitDate: 2025-03-03 04:45:48 +0000
>
> vuxml: Document vim code execution
> ---
> security/vuxml/vuln/2025.xml | 45 ++++++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 45 insertions(+)
>
> diff --git a/security/vuxml/vuln/2025.xml b/security/vuxml/vuln/2025.xml
> index 15bf6827ba4e..b5008bde1e8a 100644
> --- a/security/vuxml/vuln/2025.xml
> +++ b/security/vuxml/vuln/2025.xml
> @@ -1,3 +1,48 @@
> + <vuln vid="398d1ec1-f7e6-11ef-bb15-002590af0794">
> + <topic>vim -- Potential code execution</topic>
> + <affects>
> + <package>
> + <name>vim</name>
> + <name>vim-gtk2</name>
> + <name>vim-gtk3</name>
> + <name>vim-motif</name>
> + <name>vim-x11</name>
> + <name>vim-tiny</name>
> + <range><lt>9.1.1164</lt></range>
> + </package>
> + </affects>
> + <description>
> + <body xmlns="http://www.w3.org/1999/xhtml">
> + <p>vim reports:</p>
> + <blockquote
> cite="https://github.com/vim/vim/security/advisories/GHSA-wfmf-8626-q3r3">
> + <h1>Summary</h1>
> + <p>Potential code execution with tar.vim and special crafted tar
> files</p>
> + <h1>Description</h1>
> + <p>Vim is distributed with the tar.vim plugin, that allows easy
> + editing and viewing of (compressed or uncompressed) tar files.</p>
> + <p>Since commit 129a844 (Nov 11, 2024 runtime(tar): Update tar.vim
> to
> + support permissions), the tar.vim plugin uses the ":read " ex
> command
> + line to append below the cursor position, however the is not
> sanitized
> + and is taken literaly from the tar archive. This allows to execute
> + shell commands via special crafted tar archives. Whether this really
> + happens, depends on the shell being used ('shell' option, which is
> set
> + using $SHELL).</p>
> + <h1>Impact</h1>
> + <p>Impact is high but a user must be convinced to edit such a file
> + using Vim which will reveal the filename, so a careful user may
> suspect
> + some strange things going on.
> + </blockquote>
> + </body>
> + </description>
> + <references>
> +
> <url>https://github.com/vim/vim/security/advisories/GHSA-wfmf-8626-q3r3</url>
> + </references>
> + <dates>
> + <discovery>2025-03-02</discovery>
> + <entry>2025-03-02</entry>
> + </dates>
> + </vuln>
> +
> <vuln vid="8fb9101e-f58a-11ef-b4e4-2cf05da270f3">
> <topic>Gitlab -- Vulnerabilities</topic>
> <affects>
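Review bot: The `<p>` opened at "Impact is high but a user must be convinced to edit such a file" in the new vim entry is never closed before `</blockquote>`, so the entry is not well-formed XML. Add `</p>` after "some strange things going on." and run `make validate` in security/vuxml before committing, which reports exactly this mismatch. Separately, the description sentence 'uses the ":read " ex command line ... however the is not sanitized' reads as if a word is missing after ":read" and after "the"; compare it against the cited advisory text.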
--
Dan Langille
dan@langille.org