CVE-2002-1377

Name: CVE-2002-1377
Description: vim 6.0 and 6.1, and possibly other versions, allows attackers to execute arbitrary commands using the libcall feature in modelines, which are not sandboxed but may be executed when vim is used to edit a malicious file, as demonstrated using mutt.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: medium (attack range: local)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package | Release | Version | Status
vim (PTS) | jessie | 2:7.4.488-7+deb8u3 | fixed
vim | jessie (security) | 2:7.4.488-7+deb8u2 | fixed
vim | stretch | 2:8.0.0197-4+deb9u1 | fixed
vim | buster, sid | 2:8.1.0549-1 | fixed

The information below is based on the following data on fixed versions.

Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs
vim | source | (unstable) | 6.1.263-1 | medium | |

Notes

woody seems to be still vulnerable
according to bug #178102 a fixed package was uploaded to the security team in January 2003
but no advisory (nor fixed package) has been published yet.
I've mailed maintainer Luca Filipozzi <lfilipoz@debian.org> about this.
No response from maintainer, I have mailed security team.
Martin Schulze doesn't consider this as an issue for updating woody.
