Re: git: 003195a3c754 - main - vuxml: Document vim code execution

From: Adam Weinberger <adamw_at_freebsd.org>
Date: Thu, 06 Mar 2025 01:10:37 UTC
On Mon, Mar 3, 2025 at 7:53 AM Fernando Apesteguía <
fernando.apesteguia@gmail.com> wrote:

>
>
> On Mon, Mar 3, 2025 at 1:43 PM Dan Langille <dan@langille.org> wrote:
>
>> Hello,
>>
>> FreshPorts barfed on this one, and didn't give me much useful information.
>>
>> Sorry I can't follow up on this to fix it. I must work on something else
>> right now.
>>
>
> Fixed by ports-secteam@ in
> https://cgit.freebsd.org/ports/commit/?id=62f369ac25fa39d1c5aae16242ea508f36f23702
>
> Thanks for the heads up!
>

Thank you for fixing this!

# Adam



>
>>
>> However, it may be a mismatched tag:
>>
>> [12:30 dvl-ingress01 dvl /usr/local/libexec/freshports] % echo "perl ./
>> process_vuxml.pl
>> --filename=/jails/freshports/usr/ports/security/vuxml/vuln.xml
>> --showreasons" | sudo su -fm freshports
>> process_vuxml.pl starts
>> reasons will be displayed
>> (there is usually a delay before further output)
>>
>> mismatched tag at line 34, column 3, byte 1421
>> error in processing external entity reference at line 84, column 0, byte
>> 3678 at /usr/local/lib/perl5/site_perl/mach/5.38/XML/Parser.pm line 187.
>>
>> `make validate` seems to confirm that:
>>
>> [12:42 mydev dvl /usr/ports/security/vuxml] % sudo make validate
>> xmllint -noent /usr/ports/security/vuxml/vuln.xml >
>> /usr/ports/security/vuxml/vuln-flat.xml
>> /usr/ports/security/vuxml/vuln/2025.xml:34: parser error : Opening and
>> ending tag mismatch: p line 31 and blockquote
>>         </blockquote>
>>                      ^
>> /usr/ports/security/vuxml/vuln/2025.xml:35: parser error : Opening and
>> ending tag mismatch: blockquote line 17 and body
>>         </body>
>>                ^
>> /usr/ports/security/vuxml/vuln/2025.xml:36: parser error : Opening and
>> ending tag mismatch: body line 15 and description
>>     </description>
>>                   ^
>> /usr/ports/security/vuxml/vuln/2025.xml:44: parser error : Opening and
>> ending tag mismatch: description line 14 and vuln
>>   </vuln>
>>          ^
>> /usr/ports/security/vuxml/vuln/2025.xml:1953: parser error : Premature
>> end of data in tag vuln line 1
>>
>> ^
>> /usr/ports/security/vuxml/vuln/2025.xml:1953: parser error : chunk is not
>> well balanced
>>
>> ^
>> /usr/ports/security/vuxml/vuln.xml:84: parser error : Entity 'vuln-2025'
>> failed to parse
>> &vuln-2025;
>>            ^
>> *** Error code 1
>>
>> Stop.
>> make: stopped in /usr/ports/security/vuxml
>>
>>
>> On Sun, Mar 2, 2025, at 11:45 PM, Adam Weinberger wrote:
>> > The branch main has been updated by adamw:
>> >
>> > URL:
>> >
>> https://cgit.FreeBSD.org/ports/commit/?id=003195a3c754204bc61aaa39fea85fd62004b014
>> >
>> > commit 003195a3c754204bc61aaa39fea85fd62004b014
>> > Author:     Adam Weinberger <adamw@FreeBSD.org>
>> > AuthorDate: 2025-03-03 04:45:48 +0000
>> > Commit:     Adam Weinberger <adamw@FreeBSD.org>
>> > CommitDate: 2025-03-03 04:45:48 +0000
>> >
>> >     vuxml: Document vim code execution
>> > ---
>> >  security/vuxml/vuln/2025.xml | 45
>> ++++++++++++++++++++++++++++++++++++++++++++
>> >  1 file changed, 45 insertions(+)
>> >
>> > diff --git a/security/vuxml/vuln/2025.xml b/security/vuxml/vuln/2025.xml
>> > index 15bf6827ba4e..b5008bde1e8a 100644
>> > --- a/security/vuxml/vuln/2025.xml
>> > +++ b/security/vuxml/vuln/2025.xml
>> > @@ -1,3 +1,48 @@
>> > +  <vuln vid="398d1ec1-f7e6-11ef-bb15-002590af0794">
>> > +    <topic>vim -- Potential code execution</topic>
>> > +    <affects>
>> > +      <package>
>> > +     <name>vim</name>
>> > +     <name>vim-gtk2</name>
>> > +     <name>vim-gtk3</name>
>> > +     <name>vim-motif</name>
>> > +     <name>vim-x11</name>
>> > +     <name>vim-tiny</name>
>> > +     <range><lt>9.1.1164</lt></range>
>> > +      </package>
>> > +    </affects>
>> > +    <description>
>> > +     <body xmlns="http://www.w3.org/1999/xhtml">
>> > +     <p>vim reports:</p>
>> > +     <blockquote
>> > cite="
>> https://github.com/vim/vim/security/advisories/GHSA-wfmf-8626-q3r3">
>> > +       <h1>Summary</h1>
>> > +       <p>Potential code execution with tar.vim and special crafted
>> tar
>> > files</p>
>> > +       <h1>Description</h1>
>> > +       <p>Vim is distributed with the tar.vim plugin, that allows easy
>> > +       editing and viewing of (compressed or uncompressed) tar
>> files.</p>
>> > +       <p>Since commit 129a844 (Nov 11, 2024 runtime(tar): Update
>> tar.vim
>> > to
>> > +       support permissions), the tar.vim plugin uses the ":read " ex
>> > command
>> > +       line to append below the cursor position, however the is not
>> > sanitized
>> > +       and is taken literaly from the tar archive. This allows to
>> execute
>> > +       shell commands via special crafted tar archives. Whether this
>> really
>> > +       happens, depends on the shell being used ('shell' option, which
>> is
>> > set
>> > +       using $SHELL).</p>
>> > +       <h1>Impact</h1>
>> > +       <p>Impact is high but a user must be convinced to edit such a
>> file
>> > +       using Vim which will reveal the filename, so a careful user may
>> > suspect
>> > +       some strange things going on.
>> > +     </blockquote>
>> > +     </body>
>> > +    </description>
>> > +    <references>
>> > +
>> > <url>https://github.com/vim/vim/security/advisories/GHSA-wfmf-8626-q3r3
>> </url>
>> > +    </references>
>> > +    <dates>
>> > +      <discovery>2025-03-02</discovery>
>> > +      <entry>2025-03-02</entry>
>> > +    </dates>
>> > +  </vuln>
>> > +
>> >    <vuln vid="8fb9101e-f58a-11ef-b4e4-2cf05da270f3">
>> >      <topic>Gitlab -- Vulnerabilities</topic>
>> >      <affects>
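Review bot: The Impact paragraph is opened with `<p>Impact is high but a user must be convinced to edit such a file` but never closed: its text ends at "some strange things going on." and the next added line is `</blockquote>`, so the new entry is not well-formed XML. Add `</p>` after "going on." and run `make validate` in security/vuxml before committing. The validate output quoted earlier in this thread reports exactly this as "Opening and ending tag mismatch: p line 31 and blockquote", and the later body, description and vuln mismatches follow from the same unclosed element.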
>>
>> --
>>   Dan Langille
>>   dan@langille.org
>>
>

-- 
Adam Weinberger
adamw@adamw.org // adamw@FreeBSD.org
https://www.adamw.org