>Submitter-Id: current-users
>Originator: Eygene Ryabinkin
>Organization: Code Labs
>Confidential: no
>Synopsis: [vuxml] editors/vim: document CVE-2008-3432
>Severity: non-critical
>Priority: medium
>Category: ports
>Class: sw-bug
>Release: FreeBSD 7.0-STABLE amd64
>Environment:
System: FreeBSD 7.0-STABLE amd64
>Description:
There is CVE-2008-3432 that addresses the heap-based buffer overflow in
vim 6.2 and 6.3. While these are rather dated, someone might still be
using them.
>How-To-Repeat:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3432http://www.openwall.com/lists/oss-security/2008/07/15/4>Fix:
The following VuXML entry should be evaluated and added:
--- vuln.xml begins here ---
<vuln vid="">
<topic>vim -- heap-based overflow while parsing shell metacharacters</topic>
<affects>
<package>
<name>vim</name>
<name>vim-lite</name>
<name>vim-gtk2</name>
<name>vim-gnome</name>
<range><ge>6.2.521</ge><lt>6.3.62</lt></range>
</package>
</affects>
<description>
<body xmlns="
http://www.w3.org/1999/xhtml">
<p>Description for CVE-2008-3432 says:</p>
<blockquote cite="
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3432">
<p>Heap-based buffer overflow in the mch_expand_wildcards
function in os_unix.c in Vim 6.2 and 6.3 allows user-assisted
attackers to execute arbitrary code via shell metacharacters
in filenames, as demonstrated by the netrw.v3 test case.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2008-3432</cvename>
<url>
http://www.openwall.com/lists/oss-security/2008/07/15/4</url>
</references>
<dates>
<discovery>2008-07-31</discovery>
<entry>today</entry>
</dates>
</vuln>
--- vuln.xml ends here ---
_______________________________________________
freebsd-vuxml@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-vuxmlTo unsubscribe, send any mail to "
freebsd-vuxml-unsubscribe@..."
