ports/129300: [vuxml] editors/vim: document CVE-2008-3432
Eygene Ryabinkin
rea-fbsd at codelabs.ru
Sun Nov 30 16:40:02 UTC 2008
>Number: 129300
>Category: ports
>Synopsis: [vuxml] editors/vim: document CVE-2008-3432
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sun Nov 30 16:40:01 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator: Eygene Ryabinkin
>Release: FreeBSD 7.0-STABLE amd64
>Organization:
Code Labs
>Environment:
System: FreeBSD 7.0-STABLE amd64
>Description:
There is CVE-2008-3432, which addresses a heap-based buffer overflow in
vim 6.2 and 6.3. While these versions are rather dated, someone might still be
using them.
>How-To-Repeat:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3432
http://www.openwall.com/lists/oss-security/2008/07/15/4
>Fix:
The following VuXML entry should be evaluated and added:
--- vuln.xml begins here ---
<vuln vid="">
<topic>vim -- heap-based overflow while parsing shell metacharacters</topic>
<affects>
<package>
<name>vim</name>
<name>vim-lite</name>
<name>vim-gtk2</name>
<name>vim-gnome</name>
<range><ge>6.2.521</ge><lt>6.3.62</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Description for CVE-2008-3432 says:</p>
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3432">
<p>Heap-based buffer overflow in the mch_expand_wildcards
function in os_unix.c in Vim 6.2 and 6.3 allows user-assisted
attackers to execute arbitrary code via shell metacharacters
in filenames, as demonstrated by the netrw.v3 test case.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2008-3432</cvename>
<url>http://www.openwall.com/lists/oss-security/2008/07/15/4</url>
</references>
<dates>
<discovery>2008-07-31</discovery>
<entry>today</entry>
</dates>
</vuln>
--- vuln.xml ends here ---
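As an added illustration (not part of this PR or of the FreeBSD VuXML tooling), the following script parses the affected-package section of the entry above and decides whether a given port name and version falls inside the <ge>/<lt> range. The VuXML text embedded below is a trimmed copy of the entry proposed here; the version comparison is a deliberate simplification of FreeBSD package version ordering.

```python
import xml.etree.ElementTree as ET

# Trimmed copy of the VuXML entry proposed in this PR (description omitted,
# vid left empty exactly as submitted).
VUXML_ENTRY = """<vuln vid="">
<topic>vim -- heap-based overflow while parsing shell metacharacters</topic>
<affects>
<package>
<name>vim</name>
<name>vim-lite</name>
<name>vim-gtk2</name>
<name>vim-gnome</name>
<range><ge>6.2.521</ge><lt>6.3.62</lt></range>
</package>
</affects>
<references><cvename>CVE-2008-3432</cvename></references>
</vuln>"""

# VuXML range bounds: ge, gt, le, lt, eq. Every bound inside one <range>
# must hold for the version to be affected.
BOUND_OPS = {
    "ge": lambda v, b: v >= b,
    "gt": lambda v, b: v > b,
    "le": lambda v, b: v <= b,
    "lt": lambda v, b: v < b,
    "eq": lambda v, b: v == b,
}


def version_key(version):
    # Simplification: purely dotted-numeric versions. Real port versions may
    # carry _N (PORTREVISION) or ,N (PORTEPOCH) suffixes, not handled here.
    return tuple(int(part) for part in version.split("."))


def parse_affects(entry_xml):
    """Yield (package names, list of ranges); a range is a list of (tag, version)."""
    root = ET.fromstring(entry_xml)
    for pkg in root.iter("package"):
        names = [n.text for n in pkg.findall("name")]
        ranges = [[(b.tag, b.text) for b in rng] for rng in pkg.findall("range")]
        yield names, ranges


def is_affected(entry_xml, pkg_name, pkg_version):
    """True if pkg_name at pkg_version matches any <range> of a matching <package>."""
    v = version_key(pkg_version)
    for names, ranges in parse_affects(entry_xml):
        if pkg_name not in names:
            continue
        if any(all(BOUND_OPS[tag](v, version_key(text)) for tag, text in rng)
               for rng in ranges):
            return True
    return False
```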
>Release-Note:
>Audit-Trail:
>Unformatted: