Release date: 2008-08-19
Updated: 2008-08-26
Affected systems:
VIM Development Group VIM 3.00 - 7.2
Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 30795
VIM is a free, open-source text editor that can be used on Unix/Linux operating systems.
When executing the K, <C-]>, g] and similar commands, Vim does not fully filter certain input, which allows a remote attacker to execute arbitrary Vim script or shell commands.
The following is the vulnerable code section in src/normal.c:
    if (cmdchar == '*')
        aux_ptr = (char_u *)(p_magic ? "/.*~[^$\\" : "/^$\\");
    else if (cmdchar == '#')
        aux_ptr = (char_u *)(p_magic ? "/?.*~[^$\\" : "/?^$\\");
    else if (cmdchar == 'K' && !kp_help)
-->     aux_ptr = (char_u *)" \t\\\"|!";
    else
        /* Don't escape spaces and Tabs in a tag with a backslash */
-->     aux_ptr = (char_u *)"\\|\"";

    p = buf + STRLEN(buf);
    while (n-- > 0)
    {
        /* put a backslash before \ and some others */
        if (vim_strchr(aux_ptr, *ptr) != NULL)
            *p++ = '\\';
#ifdef FEAT_MBYTE
        /* When current byte is a part of multibyte character, copy all bytes
         * of that character. */
        if (has_mbyte)
        {
            int i;
            int len = (*mb_ptr2len)(ptr) - 1;

            for (i = 0; i < len && n >= 1; ++i, --n)
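
The excerpt's approach for the K command, putting a backslash before a fixed list of characters in the word under the cursor, leaves every shell metacharacter outside that list untouched. The added example below (not Vim's code and not part of the original advisory) models that escaping next to single-quote wrapping; the function names, the POSIX shell metacharacter list and the sample keyword are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Escape set the excerpt uses for 'K': space, tab, backslash, ", | and ! */
static const char K_SET[] = " \t\\\"|!";

/* Denylist escaping as in the excerpt: backslash before listed bytes only. */
int denylist_escape(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    for (; *in != '\0'; ++in) {
        if (o + 3 > outsz) return -1;      /* room for '\', byte and NUL */
        if (strchr(K_SET, *in) != NULL) out[o++] = '\\';
        out[o++] = *in;
    }
    if (o + 1 > outsz) return -1;
    out[o] = '\0';
    return (int)o;
}

/* Count POSIX shell metacharacters in `in` that K_SET leaves unescaped. */
int unescaped_shell_meta(const char *in)
{
    static const char meta[] = " \t\n\\\"'|!;&$`()<>*?[]{}~#";
    int n = 0;
    for (; *in != '\0'; ++in)
        if (strchr(meta, *in) != NULL && strchr(K_SET, *in) == NULL) ++n;
    return n;
}

/* Alternative: single-quote the whole word; an embedded ' becomes '\'' */
int shell_single_quote(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    if (outsz < 3) return -1;
    out[o++] = '\'';
    for (; *in != '\0'; ++in) {
        if (o + 6 > outsz) return -1;      /* 4 bytes + closing ' + NUL */
        if (*in == '\'') { memcpy(out + o, "'\\''", 4); o += 4; }
        else out[o++] = *in;
    }
    out[o++] = '\'';
    out[o] = '\0';
    return (int)o;
}

int main(void)
{
    const char *kw = "a;b$(c)`d`";         /* constructed sample keyword */
    char esc[64], quoted[64];
    denylist_escape(kw, esc, sizeof esc);
    shell_single_quote(kw, quoted, sizeof quoted);
    printf("denylist: %s (%d bare metacharacters)\n", esc, unescaped_shell_meta(kw));
    printf("quoted:   %s\n", quoted);
    return 0;
}
```

The quoting function covers only the shell layer; characters that Vim itself expands on a command line are outside this model.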