Source: vim
Severity: important
Tags: security, patch

Dear Maintainer,

Vim currently allows arbitrary code execution in modelines outside of the sandboxed environment when using ':source!' in the modeline. Details can be found here [1] and upstream's patch here [2].

[1] https://github.com/numirias/security/blob/master/doc/2019-06-04_ace-vim-neovim.md
[2] https://github.com/vim/vim/commit/5357552

-- System Information:
Debian Release: 10.0
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: arm64, i386

Kernel: Linux 4.19.0-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_ZA.UTF-8, LC_CTYPE=en_ZA.UTF-8 (charmap=UTF-8), LANGUAGE=en_ZA:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

--
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁  Kyle Robbertze
⢿⡄⠘⠷⠚⠋⠀  https://wiki.debian.org/KyleRobbertze
⠈⠳⣄⠀⠀⠀⠀