AIX Open Source

  • 1.  VIM CVE-2021-3875 - Security Advisory - Update to 8.2.3489 needed

    Posted Thu October 21, 2021 04:40 AM

    Hi AIX OpenSource-Team,

    Please update vim because of the security issue CVE-2021-3875.
    A PoC is already public.


    AIX Toolbox Version: 8.1.2424


    AFFECTED VERSIONS

    • Affected versions: vim < 8.2.3489

    RECOMMENDATIONS
    Upgrade vim to version 8.2.3489

    https://github.com/vim/vim/commit/35a319b77f897744eec1155b736e9372c9c5575f

    https://bugzilla.redhat.com/show_bug.cgi?id=2014661

    https://access.redhat.com/security/cve/CVE-2021-3875

    https://huntr.dev/bounties/5cdbc168-6ba1-4bc2-ba6c-28be12166a53/



    ------------------------------
    Tobias Schröer
    ------------------------------


  • 2.  RE: VIM CVE-2021-3875 - Security Advisory - Update to 8.2.3489 needed

    Posted Fri October 22, 2021 10:54 AM
    Thank you Tobias for reporting this.
    We will look into it and provide the fixed vim.

    ------------------------------
    SANKET RATHI
    ------------------------------



  • 3.  RE: VIM CVE-2021-3875 - Security Advisory - Update to 8.2.3489 needed

    Posted Mon December 13, 2021 09:54 AM
    Edited by SANKET RATHI Mon December 13, 2021 09:54 AM
    Hi,
    We have successfully built the fixed version of VIM.
    Also, there are some more recent vulnerabilities in VIM, and we would like to release a cumulative fixed version.
    We will publish the package as soon as we get approval.

    ------------------------------
    SANKET RATHI
    ------------------------------



  • 4.  RE: VIM CVE-2021-3875 - Security Advisory - Update to 8.2.3489 needed

    Posted Thu December 30, 2021 02:09 AM
    Hi AIX OpenSource-Team,

    Unfortunately, we are still waiting for the availability of the new package. In the meantime, a new CVE-2021-4173 was found, which is fixed in 8.2.3916.

    ------------------------------
    Niklas
    System Engineer UNIX and Linux on Power
    ------------------------------



  • 5.  RE: VIM CVE-2021-3875 - Security Advisory - Update to 8.2.3489 needed

    Posted Tue January 04, 2022 01:24 PM
    Sorry for the delay; as there is a new major version change instead of a minor version, it is taking more time than usual.

    ------------------------------
    SANKET RATHI
    ------------------------------



  • 6.  RE: VIM CVE-2021-3875 - Security Advisory - Update to 8.2.3489 needed
    Best Answer

    Posted Tue January 11, 2022 08:31 AM
    vim 8.2.4000 is now available on the AIX Toolbox. This version has recent security vulnerability fixes.
    https://public.dhe.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/ppc/vim/?C=M;O=D

    ------------------------------
    SANKET RATHI
    ------------------------------



  • 7.  RE: VIM CVE-2021-3875 - Security Advisory - Update to 8.2.3489 needed

    Posted Thu January 20, 2022 10:04 AM

    Hi Sanket and AIX OpenSource-Team

    I installed the new vim 8.2.4000 on our AIX 7200-03-02-1845, but I have some problems running it.
    $ /opt/freeware/bin/vim
    exec(): 0509-036 Cannot load program /opt/freeware/bin/vim because of the following errors:
    0509-150 Dependent module /usr/lib/libiconv.a(libiconv.so.2) could not be loaded.
    0509-152 Member libiconv.so.2 is not found in archive

    This vim version works on my system only if the environment variable "LIBPATH" doesn't contain these paths: "/usr/lib:/lib".
    I think the problem is related to how the vim package was built to use "libiconv", which on my system is available in the Toolbox as "/opt/freeware/lib/libiconv.a" but also in the AIX path "/usr/lib/libiconv.a" (see "Removal of symlink/files from /usr for AIX Toolbox packages"), and vim is using the AIX version instead of the Toolbox version.

    Other recent Toolbox packages like "tar" work well because they load the correct Toolbox "libiconv" version, ignoring "LIBPATH".

    These are some dumps of the "vim" and "tar" commands:

    vim error dump:
    # Vim header
    $ dump -X64 -Hov /opt/freeware/bin/vim
    ...
    ***Import File Strings***
    INDEX PATH BASE MEMBER
    0 /opt/freeware/lib64:/opt/freeware/lib:/usr/vac/lib:/usr/lib:/lib
    1 libc.a shr_64.o
    2 libintl.a libintl.so.8
    3 libncurses.a libncurses.so.6
    4 libiconv.a libiconv.so.2
    5 libsodium.a libsodium.so.23

    $ ldd /opt/freeware/bin/vim
    /opt/freeware/bin/vim needs:
    /usr/lib/libc.a(shr_64.o)
    /usr/lib/libintl.a(libintl.so.8)
    /opt/freeware/lib64/libncurses.a(libncurses.so.6)
    /usr/lib/libiconv.a(libiconv.so.2)
    ar: 0707-109 Member name libiconv.so.2 does not exist.
    dump: /tmp/tmpdir8847766/extract/libiconv.so.2: 0654-106 Cannot open the specified file.
    /opt/freeware/lib64/libsodium.a(libsodium.so.23)
    /unix
    /usr/lib/libcrypt.a(shr_64.o)
    /usr/lib/libpthreads.a(shr_xpg5_64.o)
    /opt/freeware/lib/libiconv.a(libiconv.so.2)
    /opt/freeware/lib64/libgcc_s.a(shr.o)

    tar working program dump:
    # tar header
    $ dump -X64 -Hov /opt/freeware/bin/tar
    ...
    ***Import File Strings***
    INDEX PATH BASE MEMBER
    0 /opt/freeware/lib64:/opt/freeware/lib:/usr/lib:/lib
    1 libc.a shr_64.o
    2 libpthreads.a shr_xpg5_64.o
    3 /opt/freeware/lib libintl.a libintl.so.8
    4 /opt/freeware/lib libiconv.a libiconv.so.2

    $ ldd /opt/freeware/bin/tar
    /opt/freeware/bin/tar needs:
    /usr/lib/libc.a(shr_64.o)
    /usr/lib/libpthreads.a(shr_xpg5_64.o)
    /opt/freeware/lib/libintl.a(libintl.so.8)
    /opt/freeware/lib/libiconv.a(libiconv.so.2)
    /unix
    /usr/lib/libcrypt.a(shr_64.o)
    /opt/freeware/lib64/libgcc_s.a(shr.o)





    ------------------------------
    Alberto Valinetti
    ------------------------------
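    As an added example (not code from the thread or from the AIX Toolbox team), the following Python script parses the "Import File Strings" table that `dump -X64 -Hov` prints, using the vim and tar tables quoted above as constructed input. It separates dependencies recorded with an explicit directory (which the loader opens directly, as with tar's libiconv) from those resolved through the search path, and it assumes, consistently with the observation above, that LIBPATH directories are tried before the libpath embedded in the binary.

```python
"""Audit an AIX 'Import File Strings' table for LIBPATH-sensitive dependencies."""

# Constructed from the dump output quoted in the post above.
VIM_DUMP = """INDEX PATH BASE MEMBER
0 /opt/freeware/lib64:/opt/freeware/lib:/usr/vac/lib:/usr/lib:/lib
1 libc.a shr_64.o
2 libintl.a libintl.so.8
3 libncurses.a libncurses.so.6
4 libiconv.a libiconv.so.2
5 libsodium.a libsodium.so.23
"""
TAR_DUMP = """INDEX PATH BASE MEMBER
0 /opt/freeware/lib64:/opt/freeware/lib:/usr/lib:/lib
1 libc.a shr_64.o
2 libpthreads.a shr_xpg5_64.o
3 /opt/freeware/lib libintl.a libintl.so.8
4 /opt/freeware/lib libiconv.a libiconv.so.2
"""

def parse_import_strings(text):
    """Return (embedded_libpath_dirs, deps). Row 0 carries the libpath; other
    rows are 'BASE MEMBER' (searched) or 'PATH BASE MEMBER' (pinned)."""
    libpath, deps = [], []
    rows = iter(text.splitlines())
    for line in rows:                  # skip everything before the table header
        if line.startswith("INDEX"):
            break
    for line in rows:
        parts = line.split()
        if not parts or not parts[0].isdigit():
            break                      # end of the table
        if parts[0] == "0":
            libpath = parts[1].split(":") if len(parts) > 1 else []
        elif len(parts) == 3:
            deps.append((None, parts[1], parts[2]))
        elif len(parts) == 4:
            deps.append((parts[1], parts[2], parts[3]))
        else:
            raise ValueError("unexpected row: %r" % line)
    return libpath, deps

def search_order(text, libpath_env=""):
    """Map each unpinned 'lib.a(member)' to the directories tried for it, in order.
    Assumption: LIBPATH directories are searched ahead of the embedded libpath."""
    embedded, deps = parse_import_strings(text)
    env = [d for d in libpath_env.split(":") if d]
    order = env + [d for d in embedded if d not in env]
    return {f"{b}({m})": order for p, b, m in deps if p is None}

def pinned(text):
    """Dependencies recorded with an explicit directory; LIBPATH cannot redirect them."""
    return {f"{b}({m})": p for p, b, m in parse_import_strings(text)[1] if p}
```

    With LIBPATH="/usr/lib:/lib", `search_order(VIM_DUMP)` puts /usr/lib first for libiconv.a(libiconv.so.2), which is exactly the archive that lacks the member in the error above, while `pinned(TAR_DUMP)` shows tar's libiconv fixed to /opt/freeware/lib.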



  • 8.  RE: VIM CVE-2021-3875 - Security Advisory - Update to 8.2.3489 needed

    Posted Fri January 21, 2022 04:55 AM
    We will look into it if there is a change in the way we build vim.
    But it is recommended not to set LIBPATH when using AIX Toolbox packages, because it overwrites the lib search path in the binary.

    ------------------------------
    SANKET RATHI
    ------------------------------