FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

CVE-2008-3076

This CVE name corresponds to:

Entered Topic
2009-01-02 vim -- multiple vulnerabilities in the netrw module

The following information is adapted from the Common Vulnerabilities and Exposures (CVE) project. CVE and the CVE logo are trademarks of The MITRE Corporation. CVE content is Copyright 2005, The MITRE Corporation.

CVE-2008-3076 at cve.mitre.org

Details

Type Candidate
Name CVE-2008-3076
Phase Assigned(20080708)

Description

The Netrw plugin 125 in netrw.vim in Vim 7.2a.10 allows user-assisted attackers to execute arbitrary code via shell metacharacters in filenames used by the execute and system functions within the (1) mz and (2) mc commands, as demonstrated by the netrw.v2 and netrw.v3 test cases. NOTE: this issue reportedly exists because of an incomplete fix for CVE-2008-2712.

References

Source Reference
BUGTRAQ 20080701 Re: Collection of Vulnerabilities in Fully Patched Vim 7.1
MLIST [oss-security] 20080707 Re: More arbitrary code executions in Netrw version 125, Vim 7.2a.10
MLIST [oss-security] 20080707 Re: More arbitrary code executions in Netrw version 125, Vim 7.2a.10
MLIST [oss-security] 20080708 Re: More arbitrary code executions in Netrw version 125, Vim 7.2a.10
MLIST [oss-security] 20081016 CVE request - Vim netrw.plugin
MLIST [oss-security] 20081020 CVE request (vim)
MISC http://www.rdancer.org/vulnerablevim-netrw.html
MISC http://www.rdancer.org/vulnerablevim-netrw.v2.html
CONFIRM http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=506919
CONFIRM http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0324
MANDRIVA MDVSA-2008:236
REDHAT RHSA-2008:0580
SUSE SUSE-SR:2009:007
BID 30115
SECUNIA 34418
XF netrw-multiple-code-execution(43624)

Copyright © 2005 The MITRE Corporation.

Copyright © 2003-2005 Jacques Vidrine and contributors.
Please see the source of this document for full copyright information.