Vim CVE-2019-12735 WARNINGS

scsijon
Posts: 1596
Joined: Thu 24 May 2007, 03:59
Location: the australian mallee

Vim CVE-2019-12735 WARNINGS

#1 Post by scsijon »

copied from my LFS mail system
--------------------------------------------

Subject: [lfs-dev] Vim CVE-2019-12735
Message-ID: <20190614221658.GA31361@milliways.localdomain>
Content-Type: text/plain; charset=utf-8

It is possible for a remote attacker to execute arbitrary OS
commands in vim up to version 8.1.1364 via the :source! command in a
modeline of a malicious file (all you have to do is open the file in
vim).

A workaround is to disable modelines in vimrc:

set nomodeline

I could tell you that there is a "good" version of vim (8.1.1529
which was current when I cloned it) in my webspace at higgs, but if
you were to just use that then you have bigger security problems
(unverified source).

If you need an urgent fix, the upstream mercurial repository is at
https://www.vim.org/mercurial.php

The individual change which fixed this adds a new test to check it
works, and that relies on earlier changes since 8.1. Also, if
running the tests as root (chroot) some tests will fail. So, for
the moment "please be aware".

ĸen
----------------------------------------

regards
scsijon

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

Re: Vim CVE-2019-12735 WARNINGS

#2 Post by rufwoof »

scsijon wrote: A workaround is to disable modelines in vimrc:

set nomodeline
https://github.com/numirias/security/bl ... -neovim.md suggests editing your vimrc to include


set modelines=0
set nomodeline
Further reference material here https://arstechnica.com/information-tec ... ly-should/
Standard X (should) come with vi installed. Many pups don't, but often have vi in busybox. Neither of which are affected afaik. Just vim and neovim (derivative of vim).
( ͡° ͜ʖ ͡°) :wq
Fatdog multi-session usb: http://murga-linux.com/puppy/viewtopic.php?p=1028256#1028256
echo url|sed -e 's/^/(c/' -e 's/$/ hashbang.sh)/'|sh (https://hashbang.sh)
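Both posts above recommend the same workaround (set nomodeline, and set modelines=0 as belt and braces). The script below is an added example, not part of this thread, of Vim, or of the linked write-up; it checks two things a practitioner usually wants to verify rather than assume: that a vimrc really ends up with modelines off (vim applies "set" lines in order, so a later "set modeline" pasted from some snippet silently re-enables them), and whether vim would even look at a modeline in a given file (it only scans the first and last 'modelines' lines, five by default). It assumes plain "set"/"se" lines only (no :setlocal, autocommands or sourced files), vim's non-root default of 'modeline' on, and constructed sample files written to a temp directory.

```shell
#!/bin/sh
# Added example (not from the forum thread or from Vim). Two defender-side
# checks around the "set nomodeline" workaround:
#   vimrc_modelines_disabled FILE  - does this vimrc really leave modelines off?
#   has_modeline FILE [N]          - would vim look for a modeline in FILE?
# Assumptions: only plain "set"/"se" lines are parsed (no :setlocal, no
# autocommands, no sourced files); N defaults to vim's 'modelines' default of 5.

vimrc_modelines_disabled() {
    ml=on    # vim's compiled-in default for non-root users
    mls=5    # vim's default 'modelines'
    # Walk the option tokens of every set line in file order; later tokens
    # win, so "set nomodeline" followed by "set modeline" ends up enabled.
    # A trailing " comment is stripped before tokenising.
    for tok in $(grep -E '^[[:space:]]*se(t)?[[:space:]]' "$1" |
                 sed -E 's/^[[:space:]]*se(t)?[[:space:]]+//; s/".*$//'); do
        case "$tok" in
            nomodeline|noml)   ml=off ;;
            modeline|ml)       ml=on ;;
            modelines=*|mls=*) mls=${tok#*=} ;;
        esac
    done
    # Modelines are processed only when 'modeline' is on AND 'modelines' > 0,
    # so either setting alone is enough to turn them off.
    [ "$ml" = off ] || [ "${mls:-5}" = 0 ]
}

has_modeline() {
    n=${2:-5}
    # Vim inspects only the first and last 'modelines' lines. A modeline is
    # introduced by vi:, vim:, Vim:, VIM:, Vi: or ex: at the start of the line
    # or after whitespace, optionally with a version test such as vim>700:.
    { head -n "$n" "$1"; tail -n "$n" "$1"; } |
        grep -Eq '(^|[[:space:]])(vi|[Vv]im|VIM|Vi|ex)([<=>]?[0-9]+)?:'
}

# Constructed sample inputs (not real user files).
TMP=$(mktemp -d)
WEAK="$TMP/vimrc.weak"
printf 'set ts=4 sw=4\nset modeline\n' > "$WEAK"
HARD="$TMP/vimrc.hard"
printf 'set modelines=0\nset nomodeline\n' > "$HARD"
REENABLED="$TMP/vimrc.reenabled"
printf 'set nomodeline\n" pasted later from some snippet:\nset modeline\n' > "$REENABLED"
HEADED="$TMP/README.txt"
printf '# vim: set ts=4 sw=4:\nplain text\n' > "$HEADED"
BURIED="$TMP/notes.txt"
{ printf 'line\n%.0s' 1 2 3 4 5 6 7 8 9 10; printf '# vim: set ts=4:\n';
  printf 'line\n%.0s' 1 2 3 4 5 6 7 8 9 10; } > "$BURIED"

for f in "$WEAK" "$HARD" "$REENABLED"; do
    if vimrc_modelines_disabled "$f"; then
        echo "$f: modelines disabled"
    else
        echo "$f: modelines STILL ENABLED"
    fi
done
for f in "$HEADED" "$BURIED"; do
    if has_modeline "$f"; then
        echo "$f: vim would read a modeline here"
    else
        echo "$f: no modeline within the first/last 5 lines"
    fi
done
```

Run it as-is to see the three vimrc verdicts and the two file checks; pass a larger N to has_modeline to match a vimrc that raised 'modelines' above the default. The buried-modeline case is the point worth remembering: a modeline in the middle of a long file is ignored by vim, so a scanner that flags it is reporting something vim would never act on.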
