Advisories » MGASA-2020-0082

Updated vim and neovim packages fix security vulnerability

Publication date: 13 Feb 2020
Modification date: 13 Feb 2020
Type: security
Affected Mageia releases : 7
CVE: CVE-2019-12735

Description

Updated vim and neovim package fixes security vulnerability:

It was discovered that Vim before 8.1.1365 and Neovim before 0.3.6 did
not restrict the `:source!` command when executed in a sandbox. This
allows remote attackers to take advantage of the modeline feature to
inject arbitrary commands when a specially crafted file is opened
(CVE-2019-12735).
                

References

• https://bugs.mageia.org/show_bug.cgi?id=24929
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2BMDSHTF754TITC6AQJPCS5IRIDMMIM7/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12735

SRPMS

7/core

• neovim-0.3.7-1.mga7
• vim-8.1.1048-1.1.mga7