Your message dated Wed, 19 Jan 2005 02:17:20 -0500 with message-id <[EMAIL PROTECTED]> and subject line Bug#289560: fixed in vim 1:6.3-058+1 has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.) Debian bug tracking system administrator (administrator, Debian Bugs database) -------------------------------------- Received: (at submit) by bugs.debian.org; 18 Jan 2005 21:48:15 +0000 >From [EMAIL PROTECTED] Tue Jan 18 13:48:14 2005 Return-path: <[EMAIL PROTECTED]> Received: from kitenet.net [64.62.161.42] (postfix) by spohr.debian.org with esmtp (Exim 3.35 1 (Debian)) id 1Cr1Cw-0008RO-00; Tue, 18 Jan 2005 13:48:14 -0800 Received: from dragon.kitenet.net (unknown [66.168.94.144]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "Joey Hess", Issuer "Joey Hess" (verified OK)) by kitenet.net (Postfix) with ESMTP id 1837017E9E for <[EMAIL PROTECTED]>; Tue, 18 Jan 2005 21:48:13 +0000 (GMT) Received: by dragon.kitenet.net (Postfix, from userid 1000) id 4F33C6F23C; Tue, 18 Jan 2005 16:50:17 -0500 (EST) Date: Tue, 18 Jan 2005 16:50:17 -0500 From: Joey Hess <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] Subject: vim: temporary file vulnerabilities (CAN-2005-0069) Message-ID: <[EMAIL PROTECTED]> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="XF85m9dhOBO43t/C" Content-Disposition: inline User-Agent: Mutt/1.5.6+20040907i Delivered-To: [EMAIL PROTECTED] X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 (1.212-2003-09-23-exp) on spohr.debian.org X-Spam-Status: No, hits=-3.0 required=4.0 tests=BAYES_00 autolearn=no version=2.60-bugs.debian.org_2005_01_02 X-Spam-Level: --XF85m9dhOBO43t/C Content-Type: multipart/mixed; boundary="CE+1k2dSO48ffgeK" Content-Disposition: inline --CE+1k2dSO48ffgeK Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Package: vim Version: 1:6.3-054+1 Severity: grave Tags: patch security As described in the Ubuntu advisory below, vim's tcltags and vimspell scripts use temp files insecurely. I've attached a patch I extraced from the Ubuntu diff. ----- Forwarded message from Martin Pitt <[EMAIL PROTECTED]> ----- =46rom: Martin Pitt <[EMAIL PROTECTED]> Date: Tue, 18 Jan 2005 17:56:58 +0100 To: [EMAIL PROTECTED] Cc: full-disclosure@lists.netsys.com, bugtraq@securityfocus.com Subject: [USN-61-1] vim vulnerabilities User-Agent: Mutt/1.5.6+20040907i =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D Ubuntu Security Notice USN-61-1 January 18, 2005 vim vulnerabilities CAN-2005-0069 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D A security issue affects the following Ubuntu releases: Ubuntu 4.10 (Warty Warthog) The following packages are affected: kvim vim vim-gnome vim-gtk vim-lesstif vim-perl vim-python vim-tcl The problem can be corrected by upgrading the affected package to version 1:6.3-025+1ubuntu2.2. In general, a standard system upgrade is sufficient to effect the necessary changes. Details follow: Javier Fern=E1ndez-Sanguino Pe=F1a noticed that the auxillary scripts "tcltags" and "vimspell.sh" created temporary files in an insecure manner. This could allow a symbolic link attack to create or overwrite arbitrary files with the privileges of the user invoking the script (either by calling it directly or by execution through vim). Source archives: http://security.ubuntu.com/ubuntu/pool/main/v/vim/vim_6.3-025+1ubuntu2.= 2.diff.gz Size/MD5: 425421 ee7e4653fb70fd45329bf5773e610ad6 http://security.ubuntu.com/ubuntu/pool/main/v/vim/vim_6.3-025+1ubuntu2.= 2.dsc Size/MD5: 1122 9bd9428dd29c8aa562f4b97566b9a05a http://security.ubuntu.com/ubuntu/pool/main/v/vim/vim_6.3.orig.tar.gz Size/MD5: 5624622 de1c964ceedbc13538da87d2d73fd117 Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/v/vim/vim-common_6.3-025+1u= buntu2.2_all.deb Size/MD5: 3421084 8dc7b200376add6ccb2896e2f6e80e0d http://security.ubuntu.com/ubuntu/pool/main/v/vim/vim-doc_6.3-025+1ubun= tu2.2_all.deb Size/MD5: 1646686 2c2716a1dad40612baaaf28ebc0de3a6 amd64 architecture (Athlon64, Opteron, EM64T Xeon) http://security.ubuntu.com/ubuntu/pool/universe/v/vim/kvim_6.3-025+1ubu= ntu2.2_amd64.deb Size/MD5: 2586 1e0b1528b70e54e2bcff3a02acaacbc5 http://security.ubuntu.com/ubuntu/pool/main/v/vim/vim-gnome_6.3-025+1ub= untu2.2_amd64.deb Size/MD5: 805722 51093d7843d5fb20ece35d2f53eadb0d http://security.ubuntu.com/ubuntu/pool/universe/v/vim/vim-gtk_6.3-025+1= ubuntu2.2_amd64.deb Size/MD5: 802452 d4fd55aca188063434361f5674805dec http://security.ubuntu.com/ubuntu/pool/universe/v/vim/vim-lesstif_6.3-0= 25+1ubuntu2.2_amd64.deb Size/MD5: 784100 1d477c5f09466e8942d0f7da3c221afd http://security.ubuntu.com/ubuntu/pool/universe/v/vim/vim-perl_6.3-025+= 1ubuntu2.2_amd64.deb Size/MD5: 809126 646c31a0d612b398943b4c2a42c9b6f9 http://security.ubuntu.com/ubuntu/pool/universe/v/vim/vim-python_6.3-02= 5+1ubuntu2.2_amd64.deb Size/MD5: 802470 ede70bb09d39b7571fae1192900b0385 http://security.ubuntu.com/ubuntu/pool/universe/v/vim/vim-tcl_6.3-025+1= ubuntu2.2_amd64.deb Size/MD5: 801160 aa65781693eca8d06230bc5f8ee29463 http://security.ubuntu.com/ubuntu/pool/main/v/vim/vim_6.3-025+1ubuntu2.= 2_amd64.deb Size/MD5: 765120 b5425b1b087b9528e7e4a9ef25493299 i386 architecture (x86 compatible Intel/AMD) http://security.ubuntu.com/ubuntu/pool/universe/v/vim/kvim_6.3-025+1ubu= ntu2.2_i386.deb Size/MD5: 2590 edbd9dc0be6acaea44ee02e09c6e5c3e http://security.ubuntu.com/ubuntu/pool/main/v/vim/vim-gnome_6.3-025+1ub= untu2.2_i386.deb Size/MD5: 702656 7a12cb5196a1257eae527f5b231d763d http://security.ubuntu.com/ubuntu/pool/universe/v/vim/vim-gtk_6.3-025+1= ubuntu2.2_i386.deb Size/MD5: 700006 486ea88f3d0a2c4eb1804c09bca8418b http://security.ubuntu.com/ubuntu/pool/universe/v/vim/vim-lesstif_6.3-0= 25+1ubuntu2.2_i386.deb Size/MD5: 682462 61c39ffed3017081974a3af522b61959 http://security.ubuntu.com/ubuntu/pool/universe/v/vim/vim-perl_6.3-025+= 1ubuntu2.2_i386.deb Size/MD5: 707674 05989ac6496d7a1db524b68bd1acd313 http://security.ubuntu.com/ubuntu/pool/universe/v/vim/vim-python_6.3-02= 5+1ubuntu2.2_i386.deb Size/MD5: 700022 09e7ebbe082c99520d11fa33277cc212 http://security.ubuntu.com/ubuntu/pool/universe/v/vim/vim-tcl_6.3-025+1= ubuntu2.2_i386.deb Size/MD5: 699634 673329baa7cd9aca70cca9f87943a628 http://security.ubuntu.com/ubuntu/pool/main/v/vim/vim_6.3-025+1ubuntu2.= 2_i386.deb Size/MD5: 680130 305b1d85bbdb52dd9869a21664049be3 powerpc architecture (Apple Macintosh G3/G4/G5) http://security.ubuntu.com/ubuntu/pool/universe/v/vim/kvim_6.3-025+1ubu= ntu2.2_powerpc.deb Size/MD5: 2586 f56083ef36048c9b94c41a37c35633dc http://security.ubuntu.com/ubuntu/pool/main/v/vim/vim-gnome_6.3-025+1ub= untu2.2_powerpc.deb Size/MD5: 787984 e38f3d9674200796e39438ece635ebf7 http://security.ubuntu.com/ubuntu/pool/universe/v/vim/vim-gtk_6.3-025+1= ubuntu2.2_powerpc.deb Size/MD5: 785338 bdb6dd908d78a1172a431b4dbbea97f5 http://security.ubuntu.com/ubuntu/pool/universe/v/vim/vim-lesstif_6.3-0= 25+1ubuntu2.2_powerpc.deb Size/MD5: 769822 b4dc7592d9a49fa63488ff35b7f9b97d http://security.ubuntu.com/ubuntu/pool/universe/v/vim/vim-perl_6.3-025+= 1ubuntu2.2_powerpc.deb Size/MD5: 792362 76ae3cbe76e78757cd82b08b8ebe2aa8 http://security.ubuntu.com/ubuntu/pool/universe/v/vim/vim-python_6.3-02= 5+1ubuntu2.2_powerpc.deb Size/MD5: 785354 c4e418a1fba8015c2416b662a77a257f http://security.ubuntu.com/ubuntu/pool/universe/v/vim/vim-tcl_6.3-025+1= ubuntu2.2_powerpc.deb Size/MD5: 784868 c9f9251376c1cb48552fd8012acbec7c http://security.ubuntu.com/ubuntu/pool/main/v/vim/vim_6.3-025+1ubuntu2.= 2_powerpc.deb Size/MD5: 754620 c69a3dc15fddab0bad774759dd3ea6ae ----- End forwarded message ----- --=20 see shy jo --CE+1k2dSO48ffgeK Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename="vim.tmpfile" Content-Transfer-Encoding: quoted-printable diff -urN vim63/runtime/tools/tcltags vim63.new/runtime/tools/tcltags --- vim63/runtime/tools/tcltags 1999-08-01 14:01:46.000000000 +0200 +++ vim63.new/runtime/tools/tcltags 2005-01-18 16:25:24.452393560 +0100 @@ -8,7 +8,8 @@ program_version=3D"0.3" program_author=3D"Darren Hiebert" author_email=3D"[EMAIL PROTECTED]" -tmp_tagfile=3D/tmp/${program_name}.$$ +tmp_tagfile=3D`mktemp -t tcltagXXXXXX` || exit 1 +trap "rm -rf $tmp_tagfile" 0 1 2 3 9 11 13 15 =20 usage=3D"\ Usage: $program_name [-au] [-{f|o} tagfile] [--format=3Dn] file(s) diff -urN vim63/runtime/tools/vimspell.sh vim63.new/runtime/tools/vimspell.= sh --- vim63/runtime/tools/vimspell.sh 1999-08-01 14:01:46.000000000 +0200 +++ vim63.new/runtime/tools/vimspell.sh 2005-01-18 16:20:40.774519152 +0100 @@ -13,9 +13,7 @@ # March 1999 =20 INFILE=3D$1 -OUTFILE=3D/tmp/vimspell.$$ -# if you have "tempfile", use the following line -#OUTFILE=3D`tempfile` +OUTFILE=3D`mktemp -t vimspellXXXXXX` || exit 1 =20 # # local spellings --CE+1k2dSO48ffgeK-- --XF85m9dhOBO43t/C Content-Type: application/pgp-signature; name="signature.asc" Content-Description: Digital signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.5 (GNU/Linux) iD8DBQFB7YSXd8HHehbQuO8RAkcwAJwKqEvPHJIcA35dIGiAPHBzzjEGuwCfYPZ+ U6tUcStJTCtIfROCYYq/Jwg= =PeGK -----END PGP SIGNATURE----- --XF85m9dhOBO43t/C-- --------------------------------------- Received: (at 289560-close) by bugs.debian.org; 19 Jan 2005 07:25:31 +0000 >From [EMAIL PROTECTED] Tue Jan 18 23:25:31 2005 Return-path: <[EMAIL PROTECTED]> Received: from newraff.debian.org [208.185.25.31] (mail) by spohr.debian.org with esmtp (Exim 3.35 1 (Debian)) id 1CrADb-0000gs-00; Tue, 18 Jan 2005 23:25:31 -0800 Received: from katie by newraff.debian.org with local (Exim 3.35 1 (Debian)) id 1CrA5g-0005d8-00; Wed, 19 Jan 2005 02:17:20 -0500 From: Norbert Tretkowski <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] X-Katie: $Revision: 1.55 $ Subject: Bug#289560: fixed in vim 1:6.3-058+1 Message-Id: <[EMAIL PROTECTED]> Sender: Archive Administrator <[EMAIL PROTECTED]> Date: Wed, 19 Jan 2005 02:17:20 -0500 Delivered-To: [EMAIL PROTECTED] X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 (1.212-2003-09-23-exp) on spohr.debian.org X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER autolearn=no version=2.60-bugs.debian.org_2005_01_02 X-Spam-Level: Source: vim Source-Version: 1:6.3-058+1 We believe that the bug you reported is fixed in the latest version of vim, which is due to be installed in the Debian FTP archive: kvim-perl_6.3-058+1_alpha.deb to pool/main/v/vim/kvim-perl_6.3-058+1_alpha.deb kvim-python_6.3-058+1_alpha.deb to pool/main/v/vim/kvim-python_6.3-058+1_alpha.deb kvim-ruby_6.3-058+1_alpha.deb to pool/main/v/vim/kvim-ruby_6.3-058+1_alpha.deb kvim-tcl_6.3-058+1_alpha.deb to pool/main/v/vim/kvim-tcl_6.3-058+1_alpha.deb kvim_6.3-058+1_alpha.deb to pool/main/v/vim/kvim_6.3-058+1_alpha.deb vim-common_6.3-058+1_all.deb to pool/main/v/vim/vim-common_6.3-058+1_all.deb vim-doc_6.3-058+1_all.deb to pool/main/v/vim/vim-doc_6.3-058+1_all.deb vim-gnome_6.3-058+1_alpha.deb to pool/main/v/vim/vim-gnome_6.3-058+1_alpha.deb vim-gtk_6.3-058+1_alpha.deb to pool/main/v/vim/vim-gtk_6.3-058+1_alpha.deb vim-lesstif_6.3-058+1_alpha.deb to pool/main/v/vim/vim-lesstif_6.3-058+1_alpha.deb vim-perl_6.3-058+1_alpha.deb to pool/main/v/vim/vim-perl_6.3-058+1_alpha.deb vim-python_6.3-058+1_alpha.deb to pool/main/v/vim/vim-python_6.3-058+1_alpha.deb vim-ruby_6.3-058+1_alpha.deb to pool/main/v/vim/vim-ruby_6.3-058+1_alpha.deb vim-tcl_6.3-058+1_alpha.deb to pool/main/v/vim/vim-tcl_6.3-058+1_alpha.deb vim_6.3-058+1.diff.gz to pool/main/v/vim/vim_6.3-058+1.diff.gz vim_6.3-058+1.dsc to pool/main/v/vim/vim_6.3-058+1.dsc vim_6.3-058+1_alpha.deb to pool/main/v/vim/vim_6.3-058+1_alpha.deb A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [EMAIL PROTECTED], and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Norbert Tretkowski <[EMAIL PROTECTED]> (supplier of updated vim package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [EMAIL PROTECTED]) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Format: 1.7 Date: Tue, 18 Jan 2005 20:12:25 +0100 Source: vim Binary: vim-lesstif vim-common vim-doc vim-gnome kvim-ruby vim vim-gtk kvim-perl vim-perl kvim-tcl vim-tiny vim-ruby vim-python vim-tcl kvim-python kvim Architecture: source alpha all Version: 1:6.3-058+1 Distribution: unstable Urgency: high Maintainer: Norbert Tretkowski <[EMAIL PROTECTED]> Changed-By: Norbert Tretkowski <[EMAIL PROTECTED]> Description: kvim - Vi IMproved - KDE 3.x version kvim-perl - Vi IMproved - KDE 3.x version with Perl scripting support kvim-python - Vi IMproved - KDE 3.x version with Python scripting support kvim-ruby - Vi IMproved - KDE 3.x version with Ruby scripting support kvim-tcl - Vi IMproved - KDE 3.x version with TCL scripting support vim - Vi IMproved - enhanced vi editor vim-common - Vi IMproved - Common files vim-doc - Vi IMproved - Documentation files vim-gnome - Vi IMproved - GNOME2 Version vim-gtk - Vi IMproved - GTK2 Version vim-lesstif - Vi IMproved - LessTif Version vim-perl - Vi IMproved, with perl scripting support vim-python - Vi IMproved, with python scripting support vim-ruby - Vi IMproved, with ruby scripting support vim-tcl - Vi IMproved, with tcl scripting support Closes: 289560 Changes: vim (1:6.3-058+1) unstable; urgency=high . * new upstream patches (055 to 058), see README.gz for details * added a new patch (stolen from Ubuntu) which modifies vimspell.sh and tcltags.sh so they use mktemp instead of insecure $$ construction to create temporary files (CAN-2005-0069) (closes: #289560) Files: 40905ece508f1000b53e1cb0b1a0b679 1114 editors optional vim_6.3-058+1.dsc 2a764ada0d4dd2892216d998ee424257 459960 editors optional vim_6.3-058+1.diff.gz 3be4f39ae87c85af51774b43842f852a 1599902 editors optional vim-doc_6.3-058+1_all.deb aa8f4256bcea255a870d42f41095f54f 3422002 editors extra vim-common_6.3-058+1_all.deb f98fcfb0ac9f26668d2b9c50c8b8b431 899984 editors optional vim_6.3-058+1_alpha.deb 57c868841b4003df54d6f987c4bbdac4 1071112 editors extra kvim-perl_6.3-058+1_alpha.deb 05337f051d46820de859772559c78139 958048 editors extra vim-perl_6.3-058+1_alpha.deb de1bd16ca6ec536da4957e12101a2970 1065922 editors extra kvim-python_6.3-058+1_alpha.deb 104772252250acd9e35eb16e1b46e395 952474 editors extra vim-python_6.3-058+1_alpha.deb f035d0ca05939a17677acfa333e48fb4 1059382 editors extra kvim-ruby_6.3-058+1_alpha.deb f4d69d869fda4e6fd655b9d4229fd792 947204 editors extra vim-ruby_6.3-058+1_alpha.deb 7ab3e529cbd43991d48c8dda291116a8 1023598 editors extra kvim-tcl_6.3-058+1_alpha.deb 5dc0fafa0034556186a396c14a99274a 952276 editors extra vim-tcl_6.3-058+1_alpha.deb bc9d36d4e37c120fa30b37ef5f6a66ba 941254 editors extra vim-gtk_6.3-058+1_alpha.deb f32726f0b47e5c361b2aa21f16f2e118 881260 editors extra vim-lesstif_6.3-058+1_alpha.deb d0c6f0b0576fc1861f5f8cc92e63bd19 944624 editors extra vim-gnome_6.3-058+1_alpha.deb c6c1d71c24df7a1aeea026905a3e09d5 1013734 editors extra kvim_6.3-058+1_alpha.deb -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFB7gZvr/RnCw96jQERAhWYAJ9UkUmPjUQDlvNVCfJSKDP03U7JxQCgoqhG mJk6cJVq2LlVKW2RgSZ/NrM= =djsk -----END PGP SIGNATURE----- -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]