A security issue fixed upstream in vim and neovim has been announced:
The issue is fixed upstream in vim 8.1.1365 and neovim 0.3.6.
Mageia 6 and Mageia 7 are also affected.
Assigning to the neovim maintainer, because he might have more time than the vim maintainer.
CC'ing the vim maintainer.
Neovim 0.3.7 pushed to updates_testing
Red Hat has issued an advisory for vim on June 26:
Neovim has been updated to fix a security issue.
CVE-2019-12735: getchar.c in Neovim before 0.3.6 allows remote attackers to execute arbitrary OS commands via the :source! command in a modeline, as demonstrated by assert_fails or nvim_input in Neovim.
Uploaded to core/updates_testing
vim needs to be fixed too.
Debian has issued an advisory for this on June 13:
Ubuntu has issued advisories for this on June 11:
Debian has issued an advisory for this on July 23:
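An added example, not part of the original report and not code from the vim or neovim projects: a check a tester could run against the output of `vim --version` or `nvim --version` to see whether a build is at or past the fixed upstream releases named above (vim 8.1.1365, neovim 0.3.6). The function names and the sample outputs are constructed for illustration.

```python
import re

# Fixed upstream releases as stated in this report.
FIXED = {"vim": (8, 1, 1365), "neovim": (0, 3, 6)}

def parse_version(output):
    """Return (product, version tuple) from `vim --version` / `nvim --version` text."""
    m = re.search(r"^NVIM v(\d+)\.(\d+)\.(\d+)", output, re.M)
    if m:
        return "neovim", tuple(int(g) for g in m.groups())
    m = re.search(r"^VIM - Vi IMproved (\d+)\.(\d+)", output, re.M)
    if not m:
        raise ValueError("unrecognised version output")
    major, minor = int(m.group(1)), int(m.group(2))
    # Vim reports its patch level on a separate line, possibly as several
    # ranges ("1-488, 576"); the highest number is the patch level.
    p = re.search(r"^Included patches: (.+)$", output, re.M)
    patch = max(int(n) for n in re.findall(r"\d+", p.group(1))) if p else 0
    return "vim", (major, minor, patch)

def has_upstream_fix(output):
    """Return (product, version, True if version >= fixed upstream release)."""
    product, version = parse_version(output)
    return product, version, version >= FIXED[product]

# Constructed sample outputs (not captured from real systems).
VIM_OLD = ("VIM - Vi IMproved 8.1 (2018 May 18, compiled Jan  1 2019 00:00:00)\n"
           "Included patches: 1-1048\n")
VIM_NEW = ("VIM - Vi IMproved 8.1 (2018 May 18, compiled Jul  1 2019 00:00:00)\n"
           "Included patches: 1-1365\n")
NVIM_OLD = "NVIM v0.3.5\nBuild type: Release\n"
NVIM_NEW = "NVIM v0.3.7\nBuild type: Release\n"

if __name__ == "__main__":
    for sample in (VIM_OLD, VIM_NEW, NVIM_OLD, NVIM_NEW):
        product, version, fixed = has_upstream_fix(sample)
        label = "has upstream fix" if fixed else "older than fixed release"
        print(product, ".".join(map(str, version)), label)
```

Distribution packages can carry a backported fix without changing the upstream version string, so an "older than fixed release" result should be confirmed against the package changelog before treating the build as vulnerable.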