Control: severity -1 serious

On Fri, Jun 07, 2019 at 07:51:19AM +0200, Salvatore Bonaccorso wrote:
> Hi James,
> 
> On Thu, Jun 06, 2019 at 09:29:14PM -0400, James McCoy wrote:
> > Control: found -1 0.3.4-2
> > 
> > On Wed, Jun 05, 2019 at 03:33:23PM +0200, Salvatore Bonaccorso wrote:
> > > Control: retitle neovim: CVE-2019-12735: Modelines allow arbitrary code execution
> > > 
> > > On Wed, Jun 05, 2019 at 03:14:43AM -0700, Matthew Crews wrote:
> > > > Source: neovim
> > > > Severity: important
> > > > Tags: upstream
> > > > 
> > > > Dear Maintainer,
> > > > 
> > > > Neovim versions < 0.3.6 are subject to an Arbitrary Code Execution
> > > > exploit via modelines, as described in this blogpost:
> > > > 
> > > > https://github.com/numirias/security/blob/master/doc/2019-06-04_ace-vim-neovim.md
> > > > 
> > > > Upgrading the Neovim package to >= 0.3.6 fixes this exploit.
> > > 
> > > MITRE assigned CVE-2019-12735 for this issue.
> > 
> > This isn't actually fixed in upstream's 0.3.6, as it's missing a few
> > prerequisite patches.  They were merged to neovim's master branch, but
> > not the release branch.
> > 
> > The simple test that was part of Vim's patch for this problem was
> > blocked, but not a slightly more involved scenario.
> > 
> > Working with upstream to get that fixed and will update the Debian
> > package as well.
> 
> Ack! Thanks for the status update.

Raising the severity here to RC, as this should ideally be addressed
before the buster release in buster.

Regards,
Salvatore
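The following shell script is an added example, not part of the bug thread or of the neovim or Debian packaging. It turns the two facts above into a local check: the report names 0.3.6 as the fixed upstream version, and the follow-up notes that upstream's 0.3.6 release branch is still missing prerequisite patches, so a version comparison alone is only a first signal. Disabling modelines entirely (`set nomodeline`) removes the attack surface regardless of which patches a given build carries, so the script also inspects a config file for that setting. Function names (`nvim_version_triplet`, `nvim_version_below_fix`, `modeline_disabled_in_config`) and the sample version strings are this example's own; the neovim default of modelines being enabled is assumed when a config says nothing.

```shell
#!/bin/sh
# Added example (not from the bug thread): local checks for the modeline
# arbitrary-code-execution issue (CVE-2019-12735).
#
# Assumptions, labelled here as in the lead-in:
#   - 0.3.6 is the fixed version named in the report; the thread itself says
#     upstream 0.3.6 lacks prerequisite patches, so treat this as a hint only.
#   - 'modeline' is on by default, so a config with no directive counts as
#     "enabled".

# Print "major minor patch" from the first line of `nvim --version` output,
# e.g. "NVIM v0.3.4" -> "0 3 4". Suffixes such as "-dev" are ignored.
# Prints nothing when the line does not look like a version banner.
nvim_version_triplet() {
    printf '%s\n' "$1" |
        sed -n '1s/^NVIM v\{0,1\}\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2 \3/p'
}

# Collapse a banner into one comparable integer: major*1000000 + minor*1000 + patch.
# Returns 1 (and prints nothing) for unparsable input.
nvim_version_number() {
    set -- $(nvim_version_triplet "$1")
    [ $# -eq 3 ] || return 1
    echo $(( $1 * 1000000 + $2 * 1000 + $3 ))
}

# Return 0 when the banner describes a version below 0.3.6, 1 when it is
# 0.3.6 or newer, 2 when the input could not be parsed.
nvim_version_below_fix() {
    n=$(nvim_version_number "$1") || return 2
    [ "$n" -lt 3006 ]
}

# Return 0 when the last modeline directive in a vimscript config file is
# "set nomodeline", 1 otherwise (including a file with no such directive,
# because modelines are on by default).
modeline_disabled_in_config() {
    last=$(grep -E '^[[:space:]]*set[[:space:]]+(no)?modeline([[:space:]]|$)' "$1" | tail -n 1)
    case "$last" in
        *nomodeline*) return 0 ;;
        *)            return 1 ;;
    esac
}

# Stand-alone use: report on the installed nvim and the user's init.vim, if any.
if command -v nvim >/dev/null 2>&1; then
    if nvim_version_below_fix "$(nvim --version)"; then
        echo "nvim is older than 0.3.6, the version named in the report"
    else
        echo "nvim is 0.3.6 or newer; note the thread says this is not a complete fix"
    fi
fi
cfg="${XDG_CONFIG_HOME:-${HOME:-/nonexistent}/.config}/nvim/init.vim"
if [ -f "$cfg" ]; then
    if modeline_disabled_in_config "$cfg"; then
        echo "modelines disabled in $cfg"
    else
        echo "modelines enabled in $cfg (consider: set nomodeline)"
    fi
fi
```

The version check deliberately parses only the banner line so it works on captured `nvim --version` output from another host as well as on the local binary; the config check looks at the last directive because later `set` lines override earlier ones.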
