Hi,
It's possible to craft a malformed .swp file that causes vim to crash
in a way that completely locks up a terminal.
Here's what was on my screen when it occurred:
E325: ATTENTION
Found a swap file by the name ".Accounting.pm.swp"
owned by: root dated: Sat Nov 3 04:36:39 2007
file name: /usr/local/bin/Accounting.pm
modified: no
user name: root host name: ***
process ID: 5936
While opening file "Accounting.pm"
dated: Sat Nov 3 03:57:44 2007
(1) Another program may be editing the same file.
If this is the case, be careful not to end up with two
different instances of the same file when making changes.
Quit, or continue with caution.
(2) An edit session for this file crashed.
If this is the case, use ":recover" or "vim -r Accounting.pm"
to recover the changes (see ":help recovery").
If you did this already, delete the swap file ".Accounting.pm.swp"
to avoid this message.
Swap file ".Accounting.pm.swp" already exists!
[O]pen Read-Only, (E)dit anyway, (R)ecover, (Q)uit, (A)bort, (D)elete it:
"Accounting.pm" 2059L, 113828C
Using swap file ".Accounting.pm.swp"
Original file "/usr/local/bin/src/Accounting/lib/Accounting.pm"
*** glibc detected *** double free or corruption (!prev): 0x0926fd60 ***
Recovery completed. You should check if everything is OK.
(You might want to write out this file under another name
and run diff with the original file to check for changes)
Delete the .swp file afterwards.
Vim: Caught deadly signal ABRT
(at this point - the terminal is completely locked up - ^C etc. all
have no effect. kill also has no effect. kill -9 from another session
ended it OK)
------------------------
Here's some version info
------------------------
VIM - Vi IMproved
version 6.3.82
by Bram Moolenaar et al.
Modified by <[EMAIL PROTECTED]>
Vim is open source and freely distributable
Help poor children in Uganda!
type :help iccf<Enter> for information
type :q<Enter> to exit
type :help<Enter> or <F1> for on-line help
type :help version6<Enter> for version info
I think vim is used for lots of things, including at least editing
crontab files (after copying stuff to /tmp) - thus - a malicious local
user could place crafted .swp files in /tmp (or elsewhere that they
might have access to) to "crash" (DoS) anyone else's future VIM
sessions. Depending on the error - it might be possible to exploit
this to run arbitrary code elevated to the vim user's permissions (the
error reports as *either* "double free" (hard to exploit) or
"corruption" (probably a buffer overflow - easy to exploit))
Kind Regards,
Chris Drake
--~--~---------~--~----~------------~-------~--~----~
You received this message from the "vim_dev" maillist.
For more information, visit http://www.vim.org/maillist.php
-~----------~----~----~----~------~----~------~--~---
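
A pre-edit check for the scenario raised in the message above (swap files planted in a shared directory such as /tmp), added here as an example and not part of the original post or of Vim: it lists the swap-file candidates beside a file that the given user does not own. The function names and the optional owner-uid argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: list Vim swap files next to FILE that another account owns.
# foreign_swaps_for and check_before_edit are hypothetical helper names.

# Print every swap-file candidate for FILE not owned by uid OWNER (default:
# the invoking user). Vim names the swap file ".<name>.swp" in the file's
# directory and falls back to ".swo", ".swn", ... when that name is taken;
# a name that already starts with a dot gets no extra dot.
foreign_swaps_for() {
    file=$1
    owner=${2:-$(id -u)}
    dir=$(dirname -- "$file")
    base=$(basename -- "$file")
    case $base in
        .*) stem=$base ;;
        *)  stem=.$base ;;
    esac
    # The quoted stem keeps glob characters in the file name literal; only
    # the trailing "?" is expanded by the shell.
    for cand in "$dir/$stem".sw?; do
        # Skip the unexpanded pattern, but keep dangling symlinks.
        [ -e "$cand" ] || [ -L "$cand" ] || continue
        # find does not follow a symlink here, so the link's own owner counts.
        find "$cand" -prune ! -user "$owner" -print
    done
}

# Return 1 (and report on stderr) if any candidate belongs to someone else.
check_before_edit() {
    found=$(foreign_swaps_for "$@")
    if [ -n "$found" ]; then
        printf 'swap file not owned by uid %s:\n%s\n' "${2:-$(id -u)}" "$found" >&2
        return 1
    fi
    return 0
}
```

Calling `check_before_edit /tmp/somefile && vim /tmp/somefile` only starts the editor when no foreign swap file sits beside the target; it checks the file's own directory, not every entry of Vim's 'directory' option.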