| Description: | Summary:
The remote host is missing an update to vim announced via advisory DSA 1364-1.
This VT has been deprecated and merged into the VT 'Debian: Security Advisory (DSA-1364)' (OID: 1.3.6.1.4.1.25623.1.0.58613).
Vulnerability Insight:
Several vulnerabilities have been discovered in the vim editor. The Common
Vulnerabilities and Exposures project identifies the following problems:
CVE-2007-2953
Ulf Harnhammar discovered that a format string flaw in helptags_one() from
src/ex_cmds.c (triggered through the helptags command) can lead to the
execution of arbitrary code.
CVE-2007-2438
Editors often provide a way to embed editor configuration commands (aka
modelines) which are executed once a file is opened. Harmful commands
are filtered by a sandbox mechanism. It was discovered that function
calls to writefile(), feedkeys() and system() were not filtered, allowing
shell command execution with a carefully crafted file opened in vim.
For the oldstable distribution (sarge) these problems have been fixed in
version 6.3-071+1sarge2. Sarge is not affected by CVE-2007-2438.
For the stable distribution (etch) these problems have been fixed
in version 7.0-122+1etch3.
For the unstable distribution (sid) these problems have been fixed in
version 7.1-056+1.
Solution:
We recommend that you upgrade your vim packages.
CVSS Score:
7.6
CVSS Vector:
AV:N/AC:H/Au:N/C:C/I:C/A:C
|
