Chris Drake wrote:
> Hi,
> 
> It's possible to craft a malformed .swp file that causes vim to crash
> in a way that completely locks up a terminal.
> 
> Here's what was on my screen when it occurred:
> 
> 
> E325: ATTENTION
> Found a swap file by the name ".Accounting.pm.swp"
>           owned by: root   dated: Sat Nov  3 04:36:39 2007
>          file name: /usr/local/bin/Accounting.pm
>           modified: no
>          user name: root   host name: ***
>         process ID: 5936
> While opening file "Accounting.pm"
>              dated: Sat Nov  3 03:57:44 2007
> 
> (1) Another program may be editing the same file.
>     If this is the case, be careful not to end up with two
>     different instances of the same file when making changes.
>     Quit, or continue with caution.
> 
> (2) An edit session for this file crashed.
>     If this is the case, use ":recover" or "vim -r Accounting.pm"
>     to recover the changes (see ":help recovery").
>     If you did this already, delete the swap file ".Accounting.pm.swp"
>     to avoid this message.
> 
> Swap file ".Accounting.pm.swp" already exists!
> [O]pen Read-Only, (E)dit anyway, (R)ecover, (Q)uit, (A)bort, (D)elete it:
> 
> "Accounting.pm" 2059L, 113828C
> Using swap file ".Accounting.pm.swp"
> Original file "/usr/local/bin/src/Accounting/lib/Accounting.pm"
> *** glibc detected *** double free or corruption (!prev): 0x0926fd60 ***
>                                                                         
> Recovery completed. You should check if everything is OK.
> (You might want to write out this file under another name
> and run diff with the original file to check for changes)
> Delete the .swp file afterwards.
> 
> Vim: Caught deadly signal ABRT
> 
> (at this point - the terminal is completely locked up - ^C etc all
> have no effect.  kill also has no effect.  kill-9 from another session
> ended it OK)
> 
> ------------------------
> Here's some version info
> ------------------------
>                                                     
>                  VIM - Vi IMproved                  
>                                                     
>                    version 6.3.82                   
>               by Bram Moolenaar et al.              
>          Modified by <[EMAIL PROTECTED]>          
>     Vim is open source and freely distributable     
>                                                     
>            Help poor children in Uganda!            
>    type  :help iccf<Enter>       for information    
>                                                     
>    type  :q<Enter>               to exit            
>    type  :help<Enter>  or  <F1>  for on-line help   
>    type  :help version6<Enter>   for version info   
>                                                     
> ------------------------
> Here's some version info
> ------------------------
> 
> I think vim is used for lots of things, including at least editing
> crontab files (after copying stuff to /tmp) - thus - a malicious local
> user could place crafted .swp files in /tmp (or elsewhere that they
> might have access to) to "crash" (DoS) anyone else's future VIM
> sessions.  Depending on the error - it might be possible to exploit
> this to run arbitrary code elevated to the vim users permissions (the
> error reports as *either* "double free" (hard to exploit) or
> "corruption" (probably a buffer overflow - easy to exploit))
> 
> Kind Regards,
> Chris Drake

I seem to remember that something like that was fixed long ago, but my memory 
is hazy. Could you reproduce it with some "decently recent" version?

You might want to peruse the lists of patches:

http://ftp.vim.org/pub/vim/patches/6.3/README
http://ftp.vim.org/pub/vim/patches/6.4/README
http://ftp.vim.org/pub/vim/patches/7.0/README
http://ftp.vim.org/pub/vim/patches/7.1/README

FYI, 6.3.082 dates from 5 June 2005. Lots of water went under the bridge since 
then. The current version is 7.1.147.


Best regards,
Tony.
-- 
Impartial, adj.:
        Unable to perceive any promise of personal advantage from
espousing either side of a controversy or adopting either of two
conflicting opinions.
                -- Ambrose Bierce, "The Devil's Dictionary"
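The scenario in the quoted report is a crafted swap file planted in a shared directory such as /tmp, where another user's later Vim session will pick it up. The following is an added example for this thread, not code from either poster or from the Vim project: a small defender-side check that lists the Vim swap files in a directory and flags the ones a given user should not trust before opening them. It assumes only that Vim swap files are named `.<name>.sw?` and begin with the block-0 signature `b0VIM`; the directory contents it builds for its demo are constructed.

```python
"""Flag Vim swap files in a shared directory that a given user should not trust.

Added example (not code from the vim_dev thread). Assumptions: swap files are
named ".<name>.sw?" and start with the block-0 signature "b0VIM"; the files
created in demo() are constructed for illustration only.
"""
import os
import stat
import tempfile
from pathlib import Path

SWAP_MAGIC = b"b0VIM"   # first bytes of block 0 in a Vim swap file


def inspect_swap_file(path: Path, expected_uid: int) -> list:
    """Return findings for one swap file; an empty list means nothing looked wrong."""
    findings = []
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        # A symlink in a shared directory can point Vim at a file someone else chose.
        return ["symlink, not a regular file"]
    if st.st_uid != expected_uid:
        findings.append(f"owned by uid {st.st_uid}, expected {expected_uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("group- or world-writable")
    with open(path, "rb") as fh:
        head = fh.read(len(SWAP_MAGIC))
    if head != SWAP_MAGIC:
        findings.append("does not start with the b0VIM block-0 signature")
    return findings


def scan_directory(directory, expected_uid: int) -> dict:
    """Map each suspicious swap-file name in `directory` to its list of findings."""
    report = {}
    for entry in sorted(Path(directory).iterdir()):
        name = entry.name
        # Vim swap names: leading dot, extension .swp/.swo/.swn/... on the same base name.
        if name.startswith(".") and len(name) > 4 and name[-4:-1] == ".sw":
            findings = inspect_swap_file(entry, expected_uid)
            if findings:
                report[name] = findings
    return report


def demo() -> dict:
    """Build a constructed /tmp-like directory, scan it, and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        good = Path(tmp) / ".crontab.swp"
        good.write_bytes(SWAP_MAGIC + b" 7.1\0" + bytes(64))  # constructed, well-formed head
        good.chmod(0o600)
        bad = Path(tmp) / ".Accounting.pm.swp"
        bad.write_bytes(b"\xff" * 32)                           # constructed, bogus header
        bad.chmod(0o666)
        (Path(tmp) / "unrelated.txt").write_text("not a swap file\n")
        return scan_directory(tmp, os.getuid())


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", "; ".join(findings))
```

The signature check only catches files that are not swap files at all; a swap file with a valid header but corrupted block contents still gets past it, which is why the ownership and permission findings matter more in a world-writable directory. The cleaner mitigation is to keep swap files out of shared directories altogether, for example with Vim's `directory` option pointing at a per-user location (`set directory=~/.vim/swap//`), so that nothing another user writes to /tmp is ever considered during recovery.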


--~--~---------~--~----~------------~-------~--~----~
You received this message from the "vim_dev" maillist.
For more information, visit http://www.vim.org/maillist.php
-~----------~----~----~----~------~----~------~--~---