Package: vim-youcompleteme
Version: 0+20140207+git18be5c2-2
Severity: normal
Tags: security
X-Debbugs-CC: secur...@debian.org
This version (0+20140207+git18be5c2-2) of JediHTTP (/usr/lib/vim-youcompleteme/ycm/server/) does not include the HMAC mechanism. Each vim instance starts an HTTP proxy to Jedi to which anybody on localhost can connect via TCP. Tested with Python files with youcompleteme enabled.

For example, one can run the following command as another user (httpie for ease):

    $ http -v POST 127.0.0.1:${port}/user_options @/tmp/default_settings.json

/tmp/default_settings.json is based on /usr/lib/vim-youcompleteme/ycm/server/default_settings.json. You can change min_num_of_chars_for_completion to quickly prove that settings have been updated.

One can also run arbitrary commands on behalf of the user. Just set global_ycm_extra_conf to a path to a Python file and wait for the user to exit vim.

--- System information. ---
Architecture: amd64
Kernel: Linux 3.16.0-4-amd64

Debian Release: 8.7
  500 stable          security.debian.org
  500 stable          ftp.pl.debian.org
  500 oldstable       ftp.pl.debian.org
   50 testing         security.debian.org
   50 testing         ftp.pl.debian.org
  100 jessie-backports ftp.pl.debian.org

--- Package information. ---
Package's Depends field is empty.
Package's Recommends field is empty.
Package's Suggests field is empty.

-- 
Marcin Szewczyk
http://wodny.org
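The report above boils down to one design point: a completion server bound to 127.0.0.1 is reachable by every local user, so a settings endpoint like /user_options that accepts any POST lets another account rewrite the editor's configuration, including global_ycm_extra_conf. The following is an added, self-contained model written for this page, not code from the reporter, from vim-youcompleteme, or from ycmd: a minimal in-process HTTP server with the same kind of /user_options endpoint, run once wide open and once requiring a per-instance shared-secret HMAC over the request. The header name X-Hmac, the signature layout (method, path, body) and the secret are assumptions for this model only; the real ycmd HMAC scheme is not reproduced here, and the settings payload is constructed for the demonstration.

```python
"""Unauthenticated localhost settings endpoint vs. an HMAC-protected one.

Added example for this page (not ycmd code). Models the issue in the bug
report: anybody on localhost can POST new options, unless the server
requires a request signature made with a secret only the editor knows.
"""
import hashlib
import hmac
import http.client
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

HMAC_HEADER = "X-Hmac"          # assumed header name for this model only
SETTINGS_PATH = "/user_options"  # endpoint named in the report


def sign(secret: bytes, method: str, path: str, body: bytes) -> str:
    """Simplified signature: HMAC-SHA256 over method, path and body."""
    msg = method.encode() + b"\n" + path.encode() + b"\n" + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class OptionsHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length)
        if self.path != SETTINGS_PATH:
            self.send_error(404)
            return
        if self.server.require_hmac:
            # Hardened variant: reject unless the caller proves knowledge of
            # the per-instance secret. compare_digest avoids timing leaks.
            got = self.headers.get(HMAC_HEADER, "")
            want = sign(self.server.secret, "POST", self.path, body)
            if not hmac.compare_digest(got, want):
                self.send_error(401, "bad or missing HMAC")
                return
        try:
            self.server.options = json.loads(body)  # settings take effect
        except ValueError:
            self.send_error(400)
            return
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_server(require_hmac: bool, secret: bytes = b"") -> HTTPServer:
    """Bind an ephemeral port on 127.0.0.1, like the editor's proxy does."""
    srv = HTTPServer(("127.0.0.1", 0), OptionsHandler)
    srv.require_hmac = require_hmac
    srv.secret = secret
    srv.options = {}
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def post_user_options(port: int, options: dict, secret=None) -> int:
    """What any local user can do: POST a settings document. Returns status."""
    body = json.dumps(options).encode()
    headers = {"Content-Type": "application/json",
               "Content-Length": str(len(body))}
    if secret is not None:
        headers[HMAC_HEADER] = sign(secret, "POST", SETTINGS_PATH, body)
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("POST", SETTINGS_PATH, body=body, headers=headers)
    resp = conn.getresponse()
    resp.read()
    conn.close()
    return resp.status


def run_demo() -> dict:
    # Constructed hostile settings, mirroring the report's two checks.
    hostile = {"min_num_of_chars_for_completion": 1,
               "global_ycm_extra_conf": "/tmp/attacker_controlled.py"}
    results = {}

    open_srv = start_server(require_hmac=False)
    results["open_anonymous"] = post_user_options(open_srv.server_address[1], hostile)
    results["open_applied"] = open_srv.options.get("global_ycm_extra_conf")
    open_srv.shutdown()
    open_srv.server_close()

    secret = b"per-instance-secret-known-only-to-the-editor"  # assumed
    hmac_srv = start_server(require_hmac=True, secret=secret)
    port = hmac_srv.server_address[1]
    results["hmac_anonymous"] = post_user_options(port, hostile)
    results["hmac_applied_after_anon"] = hmac_srv.options.get("global_ycm_extra_conf")
    results["hmac_signed"] = post_user_options(port, hostile, secret=secret)
    hmac_srv.shutdown()
    hmac_srv.server_close()
    return results


if __name__ == "__main__":
    print(run_demo())
```

The open server applies the anonymous settings change, which is exactly the condition the report describes; the HMAC-requiring server answers 401 to the same request and leaves its options untouched, and only a caller holding the secret (the editor that spawned the server) gets a 200. Binding to 127.0.0.1 alone is not an access control on a multi-user host.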