1842658 – (CVE-2019-20807) CVE-2019-20807 vim: users can execute arbitrary OS commands via scripting interfaces in the rvim restricted mode

Bug 1842658 (CVE-2019-20807) - CVE-2019-20807 vim: users can execute arbitrary OS commands via scripting interfaces in the rvim restricted mode

Summary: CVE-2019-20807 vim: users can execute arbitrary OS commands via scripting int...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2019-20807
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1842752 1842754 1842755
Blocks:	1842659
TreeView+	depends on / blocked

Reported:	2020-06-01 19:21 UTC by Guilherme de Almeida Suckevicz
Modified:	2021-02-16 19:57 UTC (History)
CC List:	4 users (show)
Fixed In Version:	vim 8.1.088, vim 8.2.0884
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in vim in the restricted mode, where all commands that make use of external shells are disabled. However, it was found that users could still execute some arbitrary OS commands in the restricted mode. This flaw was fixed by filtering the functions that can call OS commands. Interfaces such as Python, Ruby, and Lua, are also disabled, as they can be used to execute shell commands. Perl uses the Safe module.
Clone Of:
Environment:
Last Closed:	2020-11-04 02:25:41 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2020:4453	0	None	None	None	2020-11-04 01:07:58 UTC

Description Guilherme de Almeida Suckevicz 2020-06-01 19:21:31 UTC

In Vim before 8.1.0881, users can circumvent the rvim restricted mode and execute arbitrary OS commands via scripting interfaces (e.g., Python, Ruby, or Lua).

Reference and upstream commit:
https://github.com/vim/vim/releases/tag/v8.1.0881
https://github.com/vim/vim/commit/8c62a08faf89663e5633dc5036cd8695c80f1075

Comment 1 Huzaifa S. Sidhpurwala 2020-06-02 03:44:49 UTC

Created vim tracking bugs for this issue:

Affects: fedora-all [bug 1842752]

Comment 4 Huzaifa S. Sidhpurwala 2020-06-02 03:53:05 UTC

Statement:

Upstream suggests that users may still find loopholes to execute a shell commands, it has only been made difficult. So administrators should not assume that vim restricted mode will completely disable execution of OS commands.

Comment 8 errata-xmlrpc 2020-11-04 01:07:56 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4453 https://access.redhat.com/errata/RHSA-2020:4453

Comment 9 Product Security DevOps Team 2020-11-04 02:25:41 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-20807

Note You need to log in before you can comment on or make changes to this bug.