MacVim is vulnerable to arbitrary code execution via modelines (vim < 8.1.1365) #898

Closed
raimue opened this issue Jun 4, 2019 · 4 comments

raimue commented Jun 4, 2019

Vim before 8.1.1365 is vulnerable to arbitrary code execution via modelines by opening a specially crafted text file.

A detailed description of the issue was published here:
https://github.com/numirias/security/blob/master/doc/2019-06-04_ace-vim-neovim.md

Although the original vulnerability was patched with 8.1.1365, I would suggest updating at least to vim 8.1.1368, as the follow-up patches add the new option :set modelineexpr as another mitigation for similar attacks.
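A check for the two patch levels named in the report above, added here as an example and not code from the issue or from MacVim: it classifies the text printed by `vim --version`. The function names, result labels and sample output are constructed for illustration, and it also handles non-contiguous "Included patches" lists.

```python
import re
import subprocess

FIX_PATCH = 1365           # 8.1.1365: fix named in the report
MODELINEEXPR_PATCH = 1368  # 8.1.1368: level the report recommends ('modelineexpr')

def parse_patches(spec):
    """Expand 'Included patches:' text such as '1-1364, 1366' into a set."""
    patches = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo, _, hi = part.partition("-")
        patches.update(range(int(lo), int(hi or lo) + 1))
    return patches

def classify(version_output):
    """Classify `vim --version` text against the report's patch levels.

    Limitation: fixes a packager backported without adding the upstream
    patch number to the list are invisible to this check.
    """
    m = re.search(r"VIM - Vi IMproved (\d+)\.(\d+)", version_output)
    if not m:
        return "unknown"
    version = (int(m.group(1)), int(m.group(2)))
    if version > (8, 1):
        return "patched+modelineexpr"
    if version < (8, 1):
        return "vulnerable"
    p = re.search(r"Included patches:\s*([0-9, -]+)", version_output)
    patches = parse_patches(p.group(1)) if p else set()
    if FIX_PATCH not in patches:
        return "vulnerable"  # a gap at 1365 counts as unpatched
    if MODELINEEXPR_PATCH not in patches:
        return "patched"
    return "patched+modelineexpr"

# Constructed sample of `vim --version` output, not taken from a real host.
SAMPLE = ("VIM - Vi IMproved 8.1 (2018 May 18, compiled Jun  4 2019 10:00:00)\n"
          "macOS version\n"
          "Included patches: 1-1364\n")

if __name__ == "__main__":
    print("sample:", classify(SAMPLE))
    out = subprocess.run(["vim", "--version"], capture_output=True, text=True)
    print("local vim:", classify(out.stdout))
```

A result of `vulnerable` on a packaged build that carries backported fixes, such as the MacPorts commit referenced in this thread, needs confirming against the packager's changelog.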

raimue added a commit to macports/macports-ports that referenced this issue Jun 4, 2019
Backport patches with slight modifications in order to fix
a vulnerability related to modelines.

A detailed description of the vulnerability was published here:
https://github.com/numirias/security/blob/master/doc/2019-06-04_ace-vim-neovim.md

See: macvim-dev/macvim#898
@ychin ychin added this to the snapshot-156 milestone Jun 5, 2019

ychin commented Jun 5, 2019

Thanks for pointing it out. Will update.

ychin added a commit to ychin/macvim that referenced this issue Jun 11, 2019
Vim patch 8.1.1517

Security Fixes:

- Fix modeline security vulnerability (CVE-2019-12735). macvim-dev#898 (fixed in
  Vim 8.1.265)

Features:

- Add new option 'MMTitlebarAppearsTransparent' that will make the title
  bar transparent and use the background color in the color scheme
  (10.14 or above only). macvim-dev#888

Fixes:

- Fix filename parsing error when opening a file with special characters
  like '$' in file path. macvim-dev#863
- Fix blurry I-beam mouse cursor. macvim-dev#755
- Fix silently failing to save a file when conversion error is present.
  macvim-dev#671. (Vim 8.1.1349)
- Fix failing to save to a network shared SMB folder macvim-dev#861.
  (Vim 8.1.0957)

Misc:

- 'guitablabel' can now be set in .vimrc, without MacVim overriding it.
  macvim-dev#899

Targets macOS 10.8+

Script interfaces have compatibility with these versions:

- Lua 5.3
- Perl 5.18
- Python2 2.7
- Python3 3.7
- Ruby 2.6

ychin commented Jun 11, 2019

Updated to latest and pushed a release out. Closing.

@ychin ychin closed this as completed Jun 11, 2019
@lilyball

The changelog for snapshot-156 incorrectly claims the vulnerability was fixed in Vim 8.1.265.


ychin commented Jun 12, 2019

@lilyball Thanks for pointing that out. I fixed the typo in the release page and the auto-updater's message.
