Rapid7 VulnDB

RHSA-2008:0617: vim security update

Back to Search

RHSA-2008:0617: vim security update

Severity
9
CVSS
(AV:N/AC:M/Au:N/C:C/I:C/A:C)
Published
09/18/2008
Created
07/25/2018
Added
02/22/2009
Modified
07/04/2017

Description

Vim (Visual editor IMproved) is an updated and improved version of the vieditor.Several input sanitization flaws were found in Vim's keyword and taghandling. If Vim looked up a document's maliciously crafted tag or keyword,it was possible to execute arbitrary code as the user running Vim.(CVE-2008-4101)A heap-based overflow flaw was discovered in Vim's expansion of file namepatterns with shell wildcards. An attacker could create a specially-craftedfile or directory name that, when opened by Vim, caused the application tocrash or, possibly, execute arbitrary code. (CVE-2008-3432)Several input sanitization flaws were found in various Vim systemfunctions. If a user opened a specially crafted file, it was possible toexecute arbitrary code as the user running Vim. (CVE-2008-2712)Ulf Härnhammar, of Secunia Research, discovered a format string flaw inVim's help tag processor. If a user was tricked into executing the"helptags" command on malicious data, arbitrary code could be executed withthe permissions of the user running Vim. (CVE-2007-2953)All Vim users are advised to upgrade to these updated packages, whichcontain backported patches to correct these issues.

Solution(s)

  • redhat-upgrade-vim-common
  • redhat-upgrade-vim-enhanced
  • redhat-upgrade-vim-minimal
  • redhat-upgrade-vim-x11

References

  • redhat-upgrade-vim-common
  • redhat-upgrade-vim-enhanced
  • redhat-upgrade-vim-minimal
  • redhat-upgrade-vim-x11

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;