BID:25095

Vim HelpTags Command Remote Format String Vulnerability

Info

Vim HelpTags Command Remote Format String Vulnerability

Bugtraq ID:	25095
Class:	Input Validation Error
CVE:	CVE-2007-2953
Remote:	Yes
Local:	No
Published:	Jul 27 2007 12:00AM
Updated:	Mar 19 2015 09:24AM
Credit:	Ulf Harnhammar of Secunia Research discovered this issue.
Vulnerable:	VMWare ESX Server 3.0.3 VMWare ESX Server 3.0.2 VMWare ESX Server 2.5.5 VMWare ESX Server 3.5 VIM Development Group VIM 7.1 VIM Development Group VIM 6.4 Ubuntu Ubuntu Linux 7.04 sparc Ubuntu Ubuntu Linux 7.04 powerpc Ubuntu Ubuntu Linux 7.04 i386 Ubuntu Ubuntu Linux 7.04 amd64 Ubuntu Ubuntu Linux 6.10 sparc Ubuntu Ubuntu Linux 6.10 powerpc Ubuntu Ubuntu Linux 6.10 i386 Ubuntu Ubuntu Linux 6.10 amd64 Ubuntu Ubuntu Linux 6.06 LTS sparc Ubuntu Ubuntu Linux 6.06 LTS powerpc Ubuntu Ubuntu Linux 6.06 LTS i386 Ubuntu Ubuntu Linux 6.06 LTS amd64 Trustix Secure Linux 3.0.5 Trustix Secure Linux 3.0 Trustix Secure Linux 2.2 Trustix Operating System Enterprise Server 2.0 SuSE SUSE Linux Enterprise Server 9 SP3 SuSE SUSE Linux Enterprise Server 9 SuSE SUSE Linux Enterprise Server 8 + Linux kernel 2.4.21 + Linux kernel 2.4.19 SuSE SUSE Linux Enterprise Server 10 SP1 SuSE SUSE Linux Enterprise Server 10 SuSE SUSE Linux Enterprise SDK 10.SP1 SuSE SUSE Linux Enterprise SDK 10 SuSE SUSE Linux Enterprise Desktop 10 SP1 SuSE SUSE Linux Enterprise Desktop 10 SuSE Linux Professional 10.2 x86_64 SuSE Linux Personal 10.2 x86_64 S.u.S.E. UnitedLinux 1.0 S.u.S.E. SuSE Linux Standard Server 8.0 S.u.S.E. SuSE Linux School Server for i386 S.u.S.E. SUSE LINUX Retail Solution 8.0 S.u.S.E. SuSE Linux Openexchange Server 4.0 S.u.S.E. openSUSE 10.2 S.u.S.E. Open-Enterprise-Server 9.0 S.u.S.E. Open-Enterprise-Server 0 S.u.S.E. Office Server S.u.S.E. Novell Linux POS 9 S.u.S.E. Novell Linux Desktop 9.0 S.u.S.E. Linux Professional 10.0 OSS S.u.S.E. Linux Professional 10.0 S.u.S.E. Linux Professional 10.2 S.u.S.E. Linux Professional 10.1 S.u.S.E. Linux Personal 10.0 OSS S.u.S.E. Linux Personal 10.2 S.u.S.E. Linux Personal 10.1 S.u.S.E. Linux Openexchange Server S.u.S.E. Linux Office Server S.u.S.E. Linux Enterprise Server for S/390 9.0 S.u.S.E. Linux Enterprise Server for S/390 S.u.S.E. Linux Desktop 1.0 S.u.S.E. Linux Desktop 10 S.u.S.E. Linux 10.1 x86-64 S.u.S.E. Linux 10.1 x86 S.u.S.E. Linux 10.1 ppc S.u.S.E. Linux 10.0 x86-64 S.u.S.E. Linux 10.0 x86 S.u.S.E. Linux 10.0 ppc rPath rPath Linux 1 RedHat Enterprise Linux WS 4 RedHat Enterprise Linux WS 3 RedHat Enterprise Linux ES 4 RedHat Enterprise Linux ES 3 RedHat Enterprise Linux Desktop version 4 RedHat Desktop 3.0 Red Hat Enterprise Linux Desktop 5 client Red Hat Enterprise Linux AS 4 Red Hat Enterprise Linux AS 3 Red Hat Enterprise Linux 5 Server Mandriva Linux Mandrake 2009.0 x86_64 Mandriva Linux Mandrake 2009.0 Mandriva Linux Mandrake 2008.1 x86_64 Mandriva Linux Mandrake 2008.1 Mandriva Linux Mandrake 2008.0 x86_64 Mandriva Linux Mandrake 2008.0 Mandriva Linux Mandrake 2007.1 x86_64 Mandriva Linux Mandrake 2007.1 Mandriva Linux Mandrake 2007.0 x86_64 Mandriva Linux Mandrake 2007.0 MandrakeSoft Multi Network Firewall 2.0 MandrakeSoft Corporate Server 4.0 x86_64 MandrakeSoft Corporate Server 3.0 x86_64 MandrakeSoft Corporate Server 3.0 MandrakeSoft Corporate Server 4.0 Foresight Linux Foresight Linux 1.1 Debian Linux 3.1 sparc Debian Linux 3.1 s/390 Debian Linux 3.1 ppc Debian Linux 3.1 mipsel Debian Linux 3.1 mips Debian Linux 3.1 m68k Debian Linux 3.1 ia-64 Debian Linux 3.1 ia-32 Debian Linux 3.1 hppa Debian Linux 3.1 arm Debian Linux 3.1 amd64 Debian Linux 3.1 alpha Debian Linux 3.1 Avaya Voice Portal 4.1 Avaya Voice Portal 4.0 Avaya Voice Portal 3.0 Avaya Proactive Contact 4.0 Avaya Proactive Contact 3.0 Avaya Proactive Contact 0 Avaya Messaging Storage Server MM3.0 Avaya Messaging Storage Server 4.0 Avaya Messaging Storage Server 3.1 Avaya Messaging Storage Server 2.0 Avaya Messaging Storage Server 1.0 Avaya Messaging Storage Server Avaya Message Networking MN 3.1 Avaya Message Networking 3.1 Avaya Message Networking Avaya Meeting Exchange 5.1 Avaya Meeting Exchange 5.0 Avaya Intuity AUDIX LX 2.0 Avaya Communication Manager 4.0.3 SP1 Avaya Communication Manager 3.1.4 SP2 + Avaya Communication Manager Server DEFINITY Server SI/CS + Avaya Communication Manager Server S8100 + Avaya Communication Manager Server S8300 + Avaya Communication Manager Server S8500 + Avaya Communication Manager Server S8700 Avaya Communication Manager 2.0.1 + Avaya Communication Manager Server DEFINITY Server SI/CS + Avaya Communication Manager Server S8100 + Avaya Communication Manager Server S8100 + Avaya Communication Manager Server S8300 + Avaya Communication Manager Server S8300 + Avaya Communication Manager Server S8500 + Avaya Communication Manager Server S8500 + Avaya Communication Manager Server S8700 + Avaya Communication Manager Server S8700 Avaya Communication Manager 2.0 Avaya Communication Manager 1.3.1 + Avaya Communication Manager Server DEFINITY Server R10 + Avaya Communication Manager Server DEFINITY Server R10 + Avaya Communication Manager Server DEFINITY Server R11 + Avaya Communication Manager Server DEFINITY Server R9 + Avaya Communication Manager Server DEFINITY Server R9 + Avaya Communication Manager Server S8300 + Avaya Communication Manager Server S8300 + Avaya Communication Manager Server S8500 + Avaya Communication Manager Server S8500 + Avaya Communication Manager Server S8700 + Avaya Communication Manager Server S8700 Avaya Communication Manager 1.1 Avaya Communication Manager 5.1 + Avaya Communication Manager Server DEFINITY Server SI/CS + Avaya Communication Manager Server S8100 + Avaya Communication Manager Server S8300 + Avaya Communication Manager Server S8500 + Avaya Communication Manager Server S8700 Avaya Communication Manager 5.0 SP3 + Avaya Communication Manager Server DEFINITY Server SI/CS + Avaya Communication Manager Server S8100 + Avaya Communication Manager Server S8300 + Avaya Communication Manager Server S8500 + Avaya Communication Manager Server S8700 Avaya Communication Manager 5.0 Avaya Communication Manager 4.0 Avaya Communication Manager 3.1 Avaya Communication Manager 3.0 Avaya Communication Manager 2.2 + Avaya Communication Manager Server DEFINITY Server SI/CS + Avaya Communication Manager Server S8100 + Avaya Communication Manager Server S8300 + Avaya Communication Manager Server S8500 + Avaya Communication Manager Server S8700 Avaya Communication Manager 2.1 Avaya Aura SIP Enablement Services 3.1.1 Avaya Aura SIP Enablement Services 5.0 Avaya Aura SIP Enablement Services 3.1 Avaya Aura SIP Enablement Services 3.0 Avaya Aura Application Enablement Services 4.2.1 Avaya Aura Application Enablement Services 4.0.1 Avaya Aura Application Enablement Services 3.1.6 Avaya Aura Application Enablement Services 3.1.5 Avaya Aura Application Enablement Services 3.1.4 Avaya Aura Application Enablement Services 3.1.3 Avaya Aura Application Enablement Services 4.2 Avaya Aura Application Enablement Services 4.1 Avaya Aura Application Enablement Services 4.0 Avaya Aura Application Enablement Services 3.1 Avaya Aura Application Enablement Services 3.0

Not Vulnerable:

Discussion

Vim HelpTags Command Remote Format String Vulnerability

Vim is prone to a remote format-string vulnerability because the application fails to properly sanitize user-supplied input before including it in the format-specifier argument of a formatted-printing function.

A remote attacker may execute arbitrary code with the privileges of the user running the affected application. Failed exploit attempts may cause denial-of-service conditions.

Vim 6.4 and 7.1 are vulnerable; other versions may also be affected.

Exploit / POC

Vim HelpTags Command Remote Format String Vulnerability

Currently we are not aware of any exploits for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].

Solution / Fix

Vim HelpTags Command Remote Format String Vulnerability

Solution:
The vendor has released patch 7.1.039 to address this issue. Please see the references for more information.

Ubuntu Ubuntu Linux 6.10 powerpc

Ubuntu vim-common_7.0-035+1ubuntu5.2_powerpc.deb
http://security.ubuntu.com/ubuntu/pool/main/v/vim/vim-common_7.0-035+1 ubuntu5.2_powerpc.deb

Mandriva Linux Mandrake 2008.0

Mandriva vim-common-7.2.065-9.2mdv2008.0.i586.rpm
http://www.mandriva.com/en/download/

Mandriva vim-common-7.2.065-9.3mdv2008.0.i586.rpm
http://www.mandriva.com/en/download/

Mandriva vim-enhanced-7.2.065-9.2mdv2008.0.i586.rpm
http://www.mandriva.com/en/download/

Mandriva vim-enhanced-7.2.065-9.3mdv2008.0.i586.rpm
http://www.mandriva.com/en/download/

Mandriva vim-minimal-7.2.065-9.2mdv2008.0.i586.rpm
http://www.mandriva.com/en/download/

Mandriva vim-minimal-7.2.065-9.3mdv2008.0.i586.rpm
http://www.mandriva.com/en/download/

Mandriva vim-X11-7.2.065-9.2mdv2008.0.i586.rpm
http://www.mandriva.com/en/download/

Mandriva vim-X11-7.2.065-9.3mdv2008.0.i586.rpm
http://www.mandriva.com/en/download/

Ubuntu Ubuntu Linux 7.04 i386

Ubuntu vim-common_7.0-164+1ubuntu7.2_i386.deb
http://security.ubuntu.com/ubuntu/pool/main/v/vim/vim-common_7.0-164+1 ubuntu7.2_i386.deb

Mandriva Linux Mandrake 2009.0 x86_64

Mandriva vim-common-7.2.065-9.2mdv2009.0.x86_64.rpm
http://www.mandriva.com/en/download/

Mandriva vim-common-7.2.065-9.3mdv2009.0.x86_64.rpm
http://www.mandriva.com/en/download/

Mandriva vim-enhanced-7.2.065-9.2mdv2009.0.x86_64.rpm
http://www.mandriva.com/en/download/

Mandriva vim-enhanced-7.2.065-9.3mdv2009.0.x86_64.rpm
http://www.mandriva.com/en/download/

Mandriva vim-minimal-7.2.065-9.2mdv2009.0.x86_64.rpm
http://www.mandriva.com/en/download/

Mandriva vim-minimal-7.2.065-9.3mdv2009.0.x86_64.rpm
http://www.mandriva.com/en/download/

Mandriva vim-X11-7.2.065-9.2mdv2009.0.x86_64.rpm
http://www.mandriva.com/en/download/

Mandriva vim-X11-7.2.065-9.3mdv2009.0.x86_64.rpm
http://www.mandriva.com/en/download/

Mandriva Linux Mandrake 2008.1 x86_64

Mandriva vim-common-7.2.065-9.2mdv2008.1.x86_64.rpm
http://www.mandriva.com/en/download/

Mandriva vim-common-7.2.065-9.3mdv2008.1.x86_64.rpm
http://www.mandriva.com/en/download/

Mandriva vim-enhanced-7.2.065-9.2mdv2008.1.x86_64.rpm
http://www.mandriva.com/en/download/

Mandriva vim-enhanced-7.2.065-9.3mdv2008.1.x86_64.rpm
http://www.mandriva.com/en/download/

Mandriva vim-minimal-7.2.065-9.2mdv2008.1.x86_64.rpm
http://www.mandriva.com/en/download/

Mandriva vim-minimal-7.2.065-9.3mdv2008.1.x86_64.rpm
http://www.mandriva.com/en/download/

Mandriva vim-X11-7.2.065-9.2mdv2008.1.x86_64.rpm
http://www.mandriva.com/en/download/

Mandriva vim-X11-7.2.065-9.3mdv2008.1.x86_64.rpm
http://www.mandriva.com/en/download/

Mandriva Linux Mandrake 2008.1

Mandriva vim-common-7.2.065-9.2mdv2008.1.i586.rpm
http://www.mandriva.com/en/download/

Mandriva vim-common-7.2.065-9.3mdv2008.1.i586.rpm
http://www.mandriva.com/en/download/

Mandriva vim-enhanced-7.2.065-9.2mdv2008.1.i586.rpm
http://www.mandriva.com/en/download/

Mandriva vim-enhanced-7.2.065-9.3mdv2008.1.i586.rpm
http://www.mandriva.com/en/download/

Mandriva vim-minimal-7.2.065-9.2mdv2008.1.i586.rpm
http://www.mandriva.com/en/download/

Mandriva vim-minimal-7.2.065-9.3mdv2008.1.i586.rpm
http://www.mandriva.com/en/download/

Mandriva vim-X11-7.2.065-9.2mdv2008.1.i586.rpm
http://www.mandriva.com/en/download/

Mandriva vim-X11-7.2.065-9.3mdv2008.1.i586.rpm
http://www.mandriva.com/en/download/

Ubuntu Ubuntu Linux 6.10 i386

Ubuntu vim-common_7.0-035+1ubuntu5.2_i386.deb
http://security.ubuntu.com/ubuntu/pool/main/v/vim/vim-common_7.0-035+1 ubuntu5.2_i386.deb

Ubuntu Ubuntu Linux 7.04 amd64

Ubuntu vim-common_7.0-164+1ubuntu7.2_amd64.deb
http://security.ubuntu.com/ubuntu/pool/main/v/vim/vim-common_7.0-164+1 ubuntu7.2_amd64.deb

Ubuntu Ubuntu Linux 6.06 LTS i386

Ubuntu vim-common_6.4-006+2ubuntu6.1_i386.deb
http://security.ubuntu.com/ubuntu/pool/main/v/vim/vim-common_6.4-006+2 ubuntu6.1_i386.deb

VIM Development Group VIM 7.1

VIM Development Group 7.1.039
ftp://ftp.vim.org/pub/vim/patches/7.1/7.1.039

Mandriva Linux Mandrake 2009.0

Mandriva vim-common-7.2.065-9.2mdv2009.0.i586.rpm
http://www.mandriva.com/en/download/

Mandriva vim-common-7.2.065-9.3mdv2009.0.i586.rpm
http://www.mandriva.com/en/download/

Mandriva vim-enhanced-7.2.065-9.2mdv2009.0.i586.rpm
http://www.mandriva.com/en/download/

Mandriva vim-enhanced-7.2.065-9.3mdv2009.0.i586.rpm
http://www.mandriva.com/en/download/

Mandriva vim-minimal-7.2.065-9.2mdv2009.0.i586.rpm
http://www.mandriva.com/en/download/

Mandriva vim-minimal-7.2.065-9.3mdv2009.0.i586.rpm
http://www.mandriva.com/en/download/

Mandriva vim-X11-7.2.065-9.2mdv2009.0.i586.rpm
http://www.mandriva.com/en/download/

Mandriva vim-X11-7.2.065-9.3mdv2009.0.i586.rpm
http://www.mandriva.com/en/download/

Ubuntu Ubuntu Linux 7.04 powerpc

Ubuntu vim-common_7.0-164+1ubuntu7.2_powerpc.deb
http://security.ubuntu.com/ubuntu/pool/main/v/vim/vim-common_7.0-164+1 ubuntu7.2_powerpc.deb

VMWare ESX Server 2.5.5

VMWare esx-2.5.5-161312-upgrade.tar.gz
http://download3.vmware.com/software/esx/esx-2.5.5-161312-upgrade.tar. gz

MandrakeSoft Corporate Server 3.0

Mandriva vim-common-7.2.065-9.2.C30mdk.i586.rpm
http://www.mandriva.com/en/download/

Mandriva vim-common-7.2.065-9.3.C30mdk.i586.rpm
http://www.mandriva.com/en/download/

Mandriva vim-enhanced-7.2.065-9.2.C30mdk.i586.rpm
http://www.mandriva.com/en/download/

Mandriva vim-enhanced-7.2.065-9.3.C30mdk.i586.rpm
http://www.mandriva.com/en/download/

Mandriva vim-minimal-7.2.065-9.2.C30mdk.i586.rpm
http://www.mandriva.com/en/download/

Mandriva vim-minimal-7.2.065-9.3.C30mdk.i586.rpm
http://www.mandriva.com/en/download/

Mandriva vim-X11-7.2.065-9.2.C30mdk.i586.rpm
http://www.mandriva.com/en/download/

Mandriva vim-X11-7.2.065-9.3.C30mdk.i586.rpm
http://www.mandriva.com/en/download/

VMWare ESX Server 3.0.3

VMWare ESX303-200903403-SG.zip
http://download3.vmware.com/software/vi/ESX303-200903403-SG.zip

MandrakeSoft Corporate Server 4.0 x86_64

Mandriva vim-common-7.2.065-8.2.20060mlcs4.x86_64.rpm
http://www.mandriva.com/en/download/

Mandriva vim-common-7.2.065-8.3.20060mlcs4.x86_64.rpm
http://www.mandriva.com/en/download/

Mandriva vim-enhanced-7.2.065-8.2.20060mlcs4.x86_64.rpm
http://www.mandriva.com/en/download/

Mandriva vim-enhanced-7.2.065-8.3.20060mlcs4.x86_64.rpm
http://www.mandriva.com/en/download/

Mandriva vim-minimal-7.2.065-8.2.20060mlcs4.x86_64.rpm
http://www.mandriva.com/en/download/

Mandriva vim-minimal-7.2.065-8.3.20060mlcs4.x86_64.rpm
http://www.mandriva.com/en/download/

Mandriva vim-X11-7.2.065-8.2.20060mlcs4.x86_64.rpm
http://www.mandriva.com/en/download/

Mandriva vim-X11-7.2.065-8.3.20060mlcs4.x86_64.rpm
http://www.mandriva.com/en/download/

References

Vim HelpTags Command Remote Format String Vulnerability

References:

VIM Homepage (VIM Development Group)
TSLSA-2007-0026 - multi (Trustix)
ASA-2009-001 - vim security update (RHSA-2008-0617) (Avaya)
Vim "helptags" Command Format String Vulnerability (Secunia Research)