Ubuntu Security Notice USN-712-1
27th January, 2009
vim vulnerabilities
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 8.10
- Ubuntu 8.04 LTS
- Ubuntu 7.10
- Ubuntu 6.06 LTS
Software description
- vim
Details
Jan Minar discovered that Vim did not properly sanitize inputs before invoking
the execute or system functions inside Vim scripts. If a user were tricked
into running Vim scripts with a specially crafted input, an attacker could
execute arbitrary code with the privileges of the user invoking the program.
(CVE-2008-2712)
Ben Schmidt discovered that Vim did not properly escape characters when
performing keyword or tag lookups. If a user were tricked into running specially
crafted commands, an attacker could execute arbitrary code with the privileges
of the user invoking the program. (CVE-2008-4101)
Update instructions
The problem can be corrected by updating your system to the following package version:
- Ubuntu 8.10:
- vim-runtime 1:7.1.314-3ubuntu3.1
- vim 1:7.1.314-3ubuntu3.1
- Ubuntu 8.04 LTS:
- vim-runtime 1:7.1-138+1ubuntu3.1
- vim 1:7.1-138+1ubuntu3.1
- Ubuntu 7.10:
- vim-runtime 1:7.1-056+2ubuntu2.1
- vim 1:7.1-056+2ubuntu2.1
- Ubuntu 6.06 LTS:
- vim-runtime 1:6.4-006+2ubuntu6.2
- vim 1:6.4-006+2ubuntu6.2
To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.
In general, a standard system upgrade is sufficient to effect the
necessary changes.