Control: found -1 0.3.4-2 On Wed, Jun 05, 2019 at 03:33:23PM +0200, Salvatore Bonaccorso wrote: > Control: retitle neovim: CVE-2019-12735: Modelines allow arbitrary code > execution > > On Wed, Jun 05, 2019 at 03:14:43AM -0700, Matthew Crews wrote: > > Source: neovim > > Severity: important > > Tags: upstream > > > > Dear Maintainer, > > > > Neovim versions < 0.3.6 are subject to an Arbitrary Code Execution exploit > > via > > modelines, as described in this blogpost: > > > > https://github.com/numirias/security/blob/master/doc/2019-06-04_ace-vim- > > neovim.md > > > > Upgrading the Neovim package to >= 0.3.6 fixes this exploit. > > MITRE assigned CVE-2019-12735 for this issue.
This isn't actually fixed in upstream's 0.3.6, as it's missing a few prerequisite patches. They were merged to neovim's master branch, but not the release branch. The simple test that was part of Vim's patch for this problem was blocked, but not a slightly more involved scenario. Working with upstream to get that fixed and will update the Debian package as well. Cheers, -- James GPG Key: 4096R/91BF BF4D 6956 BD5D F7B7 2D23 DFE6 91AE 331B A3DB
signature.asc
Description: PGP signature