vim 6.3 before 6.3.082, with modelines enabled, allows external user-assisted attackers to execute arbitrary commands via shell metacharacters in the (1) glob or (2) expand commands of a foldexpr expression for calculating fold levels.

Updated vim packages that fix a security issue are now available.

This update has been rated as having low security impact by the Red Hat Security Response Team.

VIM (VIsual editor iMproved) is a version of the vi editor.

A bug was found in the way VIM processes modelines. If a user with modelines enabled opens a text file with a carefully crafted modeline, arbitrary commands may be executed as the user running VIM. The Common Vulnerabilities and Exposures project has assigned the name CVE-2005-2368 to this issue.

Users of VIM are advised to upgrade to these updated packages, which resolve this issue.

A vulnerability was discovered in the way that vim processed modelines. If a user with modelines enabled opened a textfile with a specially crafted modeline, arbitrary commands could be executed.

The remote Redhat Enterprise Linux 4 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2005:745 advisory.

    VIM (VIsual editor iMproved) is a version of the vi editor.

    A bug was found in the way VIM processes modelines. If a user with     modelines enabled opens a text file with a carefully crafted modeline,     arbitrary commands may be executed as the user running VIM. The Common     Vulnerabilities and Exposures project has assigned the name CAN-2005-2368     to this issue.

    Users of VIM are advised to upgrade to these updated packages, which     resolve this issue.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

- CVE-2005-2368

This update is supposed to fix GTK2 dependency problems of the vim-6.3.086-0.fc3 package.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Georgi Guninski discovered a way to construct Vim modelines that execute arbitrary shell commands. The vulnerability can be exploited by including shell commands in modelines that call the glob() or expand() functions. An attacker could trick an user to read or edit a trojaned file with modelines enabled, after which the attacker is able to execute arbitrary commands with the privileges of the user.

Note: It is generally recommended that VIM users use set nomodeline in ~/.vimrc to avoid the possibility of trojaned text files.

ID	Name	Product	Family	Severity
21959	CentOS 3 / 4 : vim (CESA-2005:745)	Nessus	CentOS Local Security Checks	high
19904	Mandrake Linux Security Advisory : vim (MDKSA-2005:148)	Nessus	Mandriva Local Security Checks	high
19489	RHEL 4 : vim (RHSA-2005:745)	Nessus	Red Hat Local Security Checks	critical
19436	Fedora Core 3 : vim-6.3.086-0.fc3.1 (2005-741)	Nessus	Fedora Local Security Checks	high
19348	FreeBSD : vim -- vulnerabilities in modeline handling: glob, expand (81f127a8-0038-11da-86bc-000e0c2e438a)	Nessus	FreeBSD Local Security Checks	high

Detections

Analytics

CVE-2005-2368

critical

Tenable Plugins

high

high

critical

high

high