Bug 1718308 (CVE-2019-12735)
| Summary: | CVE-2019-12735 vim/neovim: ':source!' command allows arbitrary command execution via modelines | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Dhananjay Arunesh <darunesh> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | aron, asn, cbuissar, chorn, dchong, dedgar, fkrska, gchamoul, hartsjc, igor.raits, karsten, kyoshida, michel, mvanderw, pete.perfetti, phillw, rmetrich, security-response-team, yozone, ysoni, zdohnal |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | vim 8.1.1365, neovim 0.3.6 | Doc Type: | If docs needed, set a value |
| Doc Text: |
It was found that the `:source!` command was not restricted by the sandbox mode. If modeline was explicitly enabled, opening a specially crafted text file in vim could result in arbitrary command execution.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-07-12 13:07:18 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1718314, 1718312, 1718315, 1719811, 1719812, 1719963, 1719964, 1724045, 1728009, 1728010 | ||
| Bug Blocks: | 1718311 | ||
|
Description
Dhananjay Arunesh
2019-06-07 13:06:18 UTC
Created vim tracking bugs for this issue: Affects: fedora-all [bug 1718312] Created neovim tracking bugs for this issue: Affects: epel-7 [bug 1718314] Created neovim tracking bugs for this issue: Affects: fedora-all [bug 1718315] *** Bug 1717942 has been marked as a duplicate of this bug. *** Mitigation: The vulnerability can be triggered only if `modeline` is enabled. You can check whether `modeline` is enabled within vim via the command `:set modeline?` It can be turned off explicitly by adding `set nomodeline` in a vimrc file. This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Red Hat Enterprise Linux 7 Via RHSA-2019:1619 https://access.redhat.com/errata/RHSA-2019:1619 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-12735 This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2019:1774 https://access.redhat.com/errata/RHSA-2019:1774 This issue has been addressed in the following products: Red Hat Enterprise Linux 7.5 Extended Update Support Via RHSA-2019:1793 https://access.redhat.com/errata/RHSA-2019:1793 This issue has been addressed in the following products: Red Hat Enterprise Linux 7.4 Extended Update Support Via RHSA-2019:1947 https://access.redhat.com/errata/RHSA-2019:1947 Statement: To be successfully and automatically triggered when a specially crafted file is opened, this vulnerability requires 3 parts : 1) The `source!` command inability to check if it is running in sandbox mode (the fix commit prevents this) 2) The `modeline` to be enabled (by default, modeline is disabled when running with root permission. See `Mitigation` steps to disable the modeline) 3) A function, to be inserted in the modeline, that can be used to trigger the `source!` command (e.g.: `assert_fail()` in the public reproducer). To the best of our knowledge, no such functions were found in the default installation of Red Hat Enterprise Linux versions 5, 6 and 7 at the time of the flaw. However, Red Hat Enterprise Linux version 8 contains `assert_fail()`. Without part 2 or 3, it would be required for an attacker to be able to craft the command line used to open the crafted file, in order to trigger the vulnerability. |