(OLD) (ARCHIVED) Puppy Linux Discussion Forum
Vim CVE-2019-12735 WARNINGS
scsijon

Joined: 23 May 2007
Posts: 1600
Location: the australian mallee

Posted: Mon 17 Jun 2019, 18:04    Post subject: Vim CVE-2019-12735 WARNINGS

copied from my LFS mail system
--------------------------------------------

Subject: [lfs-dev] Vim CVE-2019-12735
Message-ID: <20190614221658.GA31361@milliways.localdomain>
Content-Type: text/plain; charset=utf-8

It is possible for a remote attacker to execute arbitrary OS
commands in vim up to version 8.1.1364 via the :source! command in a
modeline of a malicious file (all you have to do is open the file in
vim).

A workaround is to disable modelines in vimrc :

set nomodeline

I could tell you that there is a "good" version of vim (8.1.1529
which was current when I cloned it) in my webspace at higgs, but if
you were to just use that then you have bigger security problems
(unverified source).

If you need an urgent fix, the upstream mercurial repository is at
https://www.vim.org/mercurial.php

The individual change which fixed this adds a new test to check it
works, and that relies on earlier changes since 8.1. Also, if
running the tests as root (chroot) some tests will fail. So, for
the moment "please be aware".

ĸen
----------------------------------------

regards
scsijon
rufwoof


Joined: 24 Feb 2014
Posts: 3725

Posted: Mon 17 Jun 2019, 18:44    Post subject: Re: Vim CVE-2019-12735 WARNINGS

scsijon wrote:
A workaround is to disable modelines in vimrc :

set nomodeline

https://github.com/numirias/security/blob/master/doc/2019-06-04_ace-vim-neovim.md suggests editing your vimrc to include
Code:
set modelines=0
set nomodeline

Further reference material here https://arstechnica.com/information-technology/2019/06/if-you-havent-patched-vim-or-neovim-text-editors-you-really-really-should/
Standard X (should) come with vi installed. Many pups don't, but often have vi in busybox. Neither of which is affected afaik. Just vim and neovim (derivative of vim).

_________________
( ͡° ͜ʖ ͡°) :wq
Fatdog multi-session usb

echo url|sed -e 's/^/(c/' -e 's/$/ hashbang.sh)/'|sh
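
The workaround from both posts as a host check, added here as an example and not code from either poster or from Vim: `vim_affected` applies the "up to version 8.1.1364" threshold from the quoted mail to `vim --version` output, and `modelines_disabled` checks a vimrc for the two settings. The function names, the assumed Vim defaults (modeline on, 5 lines) and the sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example. Threshold taken from the quoted mail: "up to version 8.1.1364".

# Reads `vim --version` text on stdin.
# Exit 0: affected (<= 8.1.1364). Exit 1: newer. Exit 2: not Vim output.
vim_affected() {
    awk '
        /^VIM - Vi IMproved/ { split($5, v, "."); major = v[1] + 0; minor = v[2] + 0; seen = 1 }
        /^Included patches:/ {
            # The list reads "1-1364" or "1-875, 878, 884"; keep the highest number.
            line = $0; sub(/^Included patches: */, "", line)
            n = split(line, parts, /[-, ]+/)
            for (i = 1; i <= n; i++) if (parts[i] + 0 > patch) patch = parts[i] + 0
        }
        END {
            if (!seen) exit 2
            if (major < 8 || (major == 8 && minor < 1)) exit 0
            if (major == 8 && minor == 1 && patch <= 1364) exit 0
            exit 1
        }'
}

# Scans one vimrc file ($1). Later :set commands override earlier ones.
# Exit 0 only if modelines end up off (nomodeline, or modelines=0).
modelines_disabled() {
    awk '
        BEGIN { ml = 1; mls = 5 }   # assumption: Vim defaults (modeline on, 5 lines)
        $1 == "set" || $1 == "se" {
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^"/) break                      # trailing vimrc comment
                if ($i == "nomodeline" || $i == "noml") ml = 0
                else if ($i == "modeline" || $i == "ml") ml = 1
                else if ($i ~ /^(modelines|mls)=[0-9]+$/) { split($i, kv, "="); mls = kv[2] + 0 }
            }
        }
        END { exit !(ml == 0 || mls == 0) }' "$1"
}

# Constructed sample; on a real host use: vim --version | vim_affected
sample='VIM - Vi IMproved 8.1 (2018 May 18, compiled Jun 14 2019 12:00:00)
Included patches: 1-875, 878, 1364'
if printf '%s\n' "$sample" | vim_affected; then
    echo "affected: upgrade, or set nomodeline in vimrc"
fi
```

The vimrc check reads only the file it is given, so run it on each vimrc that applies to the account; Neovim prints a different version banner and yields exit status 2 here.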