Vim before 8.1.1365 and Neovim before 0.3.6 did not restrict the `:source!` command when executed in a sandbox. This allows remote attackers to take advantage of the modeline feature to inject arbitrary commands when a specially crafted file is opened.

References:
https://github.com/numirias/security/blob/master/doc/2019-06-04_ace-vim-neovim.md

Upstream commits:
* vim: https://github.com/vim/vim/commit/53575521406739cf20bbe4e384d88e7dca11f040
* neovim: https://github.com/neovim/neovim/pull/10082/commits/5e611f32841e746932fbcbea292ca502ed9e694b
Created vim tracking bugs for this issue: Affects: fedora-all [bug 1718312]
Created neovim tracking bugs for this issue: Affects: epel-7 [bug 1718314]
Created neovim tracking bugs for this issue: Affects: fedora-all [bug 1718315]
*** Bug 1717942 has been marked as a duplicate of this bug. ***
Mitigation: The vulnerability can be triggered only if `modeline` is enabled. You can check whether `modeline` is enabled within vim via the command `:set modeline?`. It can be turned off explicitly by adding `set nomodeline` to a vimrc file.
This issue has been addressed in the following products:
  Red Hat Enterprise Linux 8
  Red Hat Enterprise Linux 7
Via RHSA-2019:1619 https://access.redhat.com/errata/RHSA-2019:1619
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-12735
This issue has been addressed in the following products:
  Red Hat Enterprise Linux 6
Via RHSA-2019:1774 https://access.redhat.com/errata/RHSA-2019:1774
This issue has been addressed in the following products:
  Red Hat Enterprise Linux 7.5 Extended Update Support
Via RHSA-2019:1793 https://access.redhat.com/errata/RHSA-2019:1793
This issue has been addressed in the following products:
  Red Hat Enterprise Linux 7.4 Extended Update Support
Via RHSA-2019:1947 https://access.redhat.com/errata/RHSA-2019:1947
Statement: To be successfully and automatically triggered when a specially crafted file is opened, this vulnerability requires 3 parts:

1) The `source!` command's inability to check if it is running in sandbox mode (the fix commit prevents this)
2) The `modeline` option to be enabled (by default, modeline is disabled when running with root permissions; see the `Mitigation` steps to disable the modeline)
3) A function, to be inserted in the modeline, that can be used to trigger the `source!` command (e.g. `assert_fail()` in the public reproducer)

To the best of our knowledge, no such functions were found in the default installation of Red Hat Enterprise Linux versions 5, 6 and 7 at the time of the flaw. However, Red Hat Enterprise Linux version 8 contains `assert_fail()`. Without part 2 or 3, an attacker would need to be able to craft the command line used to open the crafted file in order to trigger the vulnerability.
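An added defensive check, not from this bug report or from the Vim project: a Python scanner that reads only the lines Vim's modeline logic inspects (the first and last 'modelines' lines, 5 by default) and flags modelines that mention `source!` or `assert_fail()`, or that set options whose values Vim evaluates as expressions. The sample file, the option list and the heuristics are constructed assumptions, meant for triaging files before they are opened with a Vim or Neovim older than the fixed versions.

```python
import re
DEFAULT_MODELINES = 5  # Vim's default 'modelines': lines checked at the top and bottom of a file
# "vi:", "vim:", "Vim:" or "ex:" after start-of-line or whitespace, optional version ("vim<700:")
MODELINE_RE = re.compile(r'(?:^|\s)(?:vi|vim|Vim|ex)(?:[<>=]?\d+)?:\s*(.*)$')
SET_FORM_RE = re.compile(r'^(?:se|set)\s+(.*?):')  # second form: "set {options}:"
EXPR_OPTIONS = {'foldexpr', 'fde', 'foldtext', 'fdt', 'includeexpr', 'inex',
                'indentexpr', 'inde', 'formatexpr', 'fex'}  # values Vim evaluates as expressions

def candidate_lines(text, modelines=DEFAULT_MODELINES):
    """(1-based lineno, line) for the first and last 'modelines' lines, the region Vim reads."""
    lines = text.splitlines()
    idx = range(len(lines)) if len(lines) <= 2 * modelines else \
        [*range(modelines), *range(len(lines) - modelines, len(lines))]
    return [(i + 1, lines[i]) for i in idx]

def parse_modeline(line):
    """Option tokens of a modeline, or None if the line is not one."""
    m = MODELINE_RE.search(line)
    if not m:
        return None
    s = SET_FORM_RE.match(m.group(1))
    if s:  # second form: tokens between "set" and the closing colon
        return [t for t in re.split(r'(?<!\\)\s+', s.group(1)) if t]
    return [t for t in re.split(r'(?<!\\)[\s:]+', m.group(1)) if t]  # first form: ws or ':'

def assess(tokens):
    """Reasons a modeline deserves review before an unpatched Vim opens the file."""
    reasons, joined = [], ' '.join(tokens)
    if re.search(r'\bso(?:urce)?!', joined):
        reasons.append('references :source!')
    if 'assert_fail(' in joined:
        reasons.append('calls assert_fail()')
    for tok in tokens:
        name = re.match(r'[a-z]+', tok)  # option name, before '=' / '+=' / '^='
        if name and name.group(0) in EXPR_OPTIONS:
            reasons.append(f'sets expression option {name.group(0)}')
    return reasons

def scan(text, modelines=DEFAULT_MODELINES):
    """[(lineno, reasons)] for every flagged modeline inside the region Vim inspects."""
    found = [(n, assess(parse_modeline(l) or [])) for n, l in candidate_lines(text, modelines)]
    return [(n, r) for n, r in found if r]

# Constructed sample: benign header modeline, a suspicious one on line 11 (outside the window
# Vim reads, so ignored) and a suspicious trailer modeline on line 22 that Vim does read.
filler = [f'filler {i}' for i in range(20)]
filler[9] = "# vim: set fde=assert_fail('CONSTRUCTED'):"
SAMPLE = '\n'.join(['# vim: set ts=4 sw=4 et:', *filler,
                    "# vi: fdm=expr:fde=assert_fail('CONSTRUCTED'):"])
```

Running `scan(SAMPLE)` reports only line 22; the modeline on line 11 is deliberately left unflagged because Vim itself never reads it.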