It is possible for a remote attacker to execute arbitrary OS commands in vim up to version 8.1.1364 via the :source! command in a modeline of a malicious file (all you have to do is open the file in vim).
A workaround is to disable modelines in vimrc:

    set nomodeline

I could tell you that there is a "good" version of vim (8.1.1529, which was current when I cloned it) in my webspace at higgs, but if you were to just use that then you have bigger security problems (unverified source).

If you need an urgent fix, the upstream mercurial repository is at https://www.vim.org/mercurial.php

The individual change which fixed this adds a new test to check it works, and that relies on earlier changes since 8.1. Also, if running the tests as root (chroot) some tests will fail.

So, for the moment "please be aware".

ĸen
-- 
Before the universe began, there was a sound. It went: "One, two, ONE, two, three, four" [...] The cataclysmic power chord that followed was the creation of time and space and matter and it does Not Fade Away.
 - wiki.lspace.org/mediawiki/Music_With_Rocks_In
-- 
http://lists.linuxfromscratch.org/listinfo/blfs-dev
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page

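The workaround in the message is "set nomodeline", and whether it is in force depends on which directive comes last in the vimrc, while vim only honours modelines within the first and last 'modelines' lines of a file (5 by default; the 'modeline' option itself defaults to on for non-root users and off for root). The following POSIX sh script is an added example, not part of the email or of vim: one function checks a vimrc for whether its last (no)modeline directive disables modelines, and another lists the lines in a file that vim's modeline scanner would look at. The vimrc and sample files it reads are constructed inline; the modeline regex is an approximation of vim's rule (it assumes plain "set modeline"/"set nomodeline" in the vimrc and ignores abbreviations such as "se ml"), so treat it as a review aid rather than a reimplementation of vim.

```shell
#!/bin/sh
# Added example: defensive checks around vim modelines.
#   vimrc_modelines_disabled FILE -> exit 0 if the last (no)modeline
#                                    directive in FILE turns modelines off
#   list_modelines FILE           -> print "N:line" for each candidate
#                                    modeline in the first/last 5 lines
#   count_modelines FILE          -> number of lines list_modelines prints
# Assumption: vimrc uses the long spellings "set modeline"/"set nomodeline".

vimrc_modelines_disabled() {
    # Like vim itself, the last directive read wins.
    last=$(grep -E '^[[:space:]]*set[[:space:]]+(no)?modeline([[:space:]]|$)' "$1" | tail -n 1)
    case "$last" in
        *nomodeline*) return 0 ;;
        *)            return 1 ;;   # enabled, or no directive (vim default: on for non-root)
    esac
}

list_modelines() {
    # Approximates vim's scan: "vi:", "vim:", "Vim:" or "ex:" (optionally
    # with a version test such as vim>80) at line start or after whitespace,
    # and only within the first or last 5 lines (vim's default 'modelines').
    awk -v w=5 '
        { line[NR] = $0 }
        END {
            for (i = 1; i <= NR; i++)
                if ((i <= w || i > NR - w) &&
                    line[i] ~ /(^|[ \t])(vi|vim|Vim|ex)[<=>]?[0-9]*:/)
                    print i ":" line[i]
        }' "$1"
}

count_modelines() {
    list_modelines "$1" | awk 'END { print NR + 0 }'
}

# Constructed sample inputs so the script runs offline.
tmp=$(mktemp -d)

cat > "$tmp/vimrc.weak" <<'EOF'
set modeline
set modelines=5
EOF

cat > "$tmp/vimrc.hardened" <<'EOF'
set modeline
" the later directive wins: modelines end up disabled
set nomodeline
EOF

# Modeline on the last line: inside vim's 5-line window.
cat > "$tmp/sample.txt" <<'EOF'
some text
more text
# vim: set ts=4 sw=4 :
EOF

# Modeline on line 6 of 12: outside both 5-line windows, so vim ignores it.
i=1
: > "$tmp/sample_mid.txt"
while [ "$i" -le 12 ]; do
    if [ "$i" -eq 6 ]; then
        echo "# vim: set ts=4 :" >> "$tmp/sample_mid.txt"
    else
        echo "line $i" >> "$tmp/sample_mid.txt"
    fi
    i=$((i + 1))
done

for rc in "$tmp/vimrc.weak" "$tmp/vimrc.hardened"; do
    if vimrc_modelines_disabled "$rc"; then
        echo "$rc: modelines disabled"
    else
        echo "$rc: modelines ENABLED"
    fi
done
for f in "$tmp/sample.txt" "$tmp/sample_mid.txt"; do
    echo "$f: $(count_modelines "$f") candidate modeline(s)"
    list_modelines "$f"
done
```

Run it against your own ~/.vimrc and any file you are about to open from an untrusted source; a candidate modeline outside the window is harmless to vim with default settings, one inside the window is worth reading before the file is opened, and "modelines ENABLED" on the vimrc means the workaround from the message is not in effect.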