vim: CVE-2019-12735: Modelines allow arbitrary code execution

Debian Bug report logs - #930020
vim: CVE-2019-12735: Modelines allow arbitrary code execution

Reply or subscribe to this bug.

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Kyle Robbertze <paddatrapper@debian.org>

To: submit@bugs.debian.org

Subject: vim: Modelines allow arbitrary code execution

Date: Wed, 5 Jun 2019 11:55:49 +0200

[Message part 1 (text/plain, inline)]

Source: vim
Severity: important
Tags: security, patch

Dear Maintainer,

Vim currently allows arbitrary code execution in modelines outside of 
the sandboxed environment when using ':source!' in the modeline. 
Details can be found here [1] and upstream's patch here [2].

[1] https://github.com/numirias/security/blob/master/doc/2019-06-04_ace-vim-neovim.md

[2] https://github.com/vim/vim/commit/5357552

-- System Information:
Debian Release: 10.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: arm64, i386

Kernel: Linux 4.19.0-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_ZA.UTF-8, LC_CTYPE=en_ZA.UTF-8 (charmap=UTF-8), LANGUAGE=en_ZA:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
-- 

⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Kyle Robbertze
⢿⡄⠘⠷⠚⠋⠀ https://wiki.debian.org/KyleRobbertze
⠈⠳⣄⠀⠀⠀⠀ 

[signature.asc (application/pgp-signature, attachment)]

Message #16 received at 930020@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Kyle Robbertze <paddatrapper@debian.org>, 930020@bugs.debian.org

Subject: Re: Bug#930020: vim: Modelines allow arbitrary code execution

Date: Wed, 5 Jun 2019 15:32:26 +0200

Control: retitle vim: CVE-2019-12735: Modelines allow arbitrary code execution

On Wed, Jun 05, 2019 at 11:55:49AM +0200, Kyle Robbertze wrote:
> Source: vim
> Severity: important
> Tags: security, patch
> 
> Dear Maintainer,
> 
> Vim currently allows arbitrary code execution in modelines outside of 
> the sandboxed environment when using ':source!' in the modeline. 
> Details can be found here [1] and upstream's patch here [2].
> 
> [1] https://github.com/numirias/security/blob/master/doc/2019-06-04_ace-vim-neovim.md
> 
> [2] https://github.com/vim/vim/commit/5357552

MITRE assigned CVE-2019-12735 for this issue.

Regards,
Salvatore

Message #27 received at 930020@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: 930020@bugs.debian.org

Subject: Re: Bug#930020: vim: Modelines allow arbitrary code execution

Date: Wed, 5 Jun 2019 23:11:10 +0200

[Message part 1 (text/plain, inline)]

Control: tags -1 + patch

Attached is proposed debdiff for unstable.

Looked today as well on the version in stretch, but the build fails
currently.

Regards,
Salvatore

[vim_8.1.0875-3.1.debdiff (text/plain, attachment)]

Message #32 received at 930020@bugs.debian.org (full text, mbox, reply):

From: James McCoy <jamessan@debian.org>

To: Salvatore Bonaccorso <carnil@debian.org>, 930020@bugs.debian.org

Subject: Re: Bug#930020: vim: Modelines allow arbitrary code execution

Date: Wed, 5 Jun 2019 22:24:45 -0400

[Message part 1 (text/plain, inline)]

On Wed, Jun 05, 2019 at 11:11:10PM +0200, Salvatore Bonaccorso wrote:
> Attached is proposed debdiff for unstable.

Thanks.  I'll get a new package uploaded either tonight or tomorrow.

> Looked today as well on the version in stretch, but the build fails
> currently.

For stretch, should the upload go to "stretch-security" or just
"stretch"?

As far as the build, I was able to do that locally via sbuild.  Any
other info on possible build failures would be helpful, so I can try to
address that before uploading.

Cheers,
-- 
James
GPG Key: 4096R/91BF BF4D 6956 BD5D F7B7  2D23 DFE6 91AE 331B A3DB

[signature.asc (application/pgp-signature, inline)]

Message #37 received at 930020@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: James McCoy <jamessan@debian.org>

Cc: 930020@bugs.debian.org, Debian Security Team <team@security.debian.org>

Subject: Re: Bug#930020: vim: Modelines allow arbitrary code execution

Date: Thu, 6 Jun 2019 07:44:18 +0200

[Message part 1 (text/plain, inline)]

hi James,

[adding CC to team@s.d.o]

On Wed, Jun 05, 2019 at 10:24:45PM -0400, James McCoy wrote:
> On Wed, Jun 05, 2019 at 11:11:10PM +0200, Salvatore Bonaccorso wrote:
> > Attached is proposed debdiff for unstable.
> 
> Thanks.  I'll get a new package uploaded either tonight or tomorrow.

Perfect thanks!

> 
> > Looked today as well on the version in stretch, but the build fails
> > currently.
> 
> For stretch, should the upload go to "stretch-security" or just
> "stretch"?

For both vim and neovim please via security. Can you send proposed
debdiffs to the team? 

> As far as the build, I was able to do that locally via sbuild.  Any
> other info on possible build failures would be helpful, so I can try to
> address that before uploading.

Sure, sorry for not adding that earlier. Attaching what I had so far
here. The build is done with pbuilder in my case. But that said i
still would have to check if I have not done something trivially
wrong.

Regards,
Salvatore

[vim_8.0.0197-4+deb9u2.debdiff (text/plain, attachment)]

[vim_8.0.0197-4+deb9u2_amd64.build.xz (application/x-xz, attachment)]

Message #42 received at 930020@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: 930020@bugs.debian.org

Cc: James McCoy <jamessan@debian.org>, Debian Security Team <team@security.debian.org>

Subject: Re: Bug#930020: vim: Modelines allow arbitrary code execution

Date: Thu, 6 Jun 2019 10:29:38 +0200

Hi James,

On Thu, Jun 06, 2019 at 07:44:18AM +0200, Salvatore Bonaccorso wrote:
> hi James,
> 
> [adding CC to team@s.d.o]
> 
> On Wed, Jun 05, 2019 at 10:24:45PM -0400, James McCoy wrote:
> > On Wed, Jun 05, 2019 at 11:11:10PM +0200, Salvatore Bonaccorso wrote:
> > > Attached is proposed debdiff for unstable.
> > 
> > Thanks.  I'll get a new package uploaded either tonight or tomorrow.
> 
> Perfect thanks!
> 
> > 
> > > Looked today as well on the version in stretch, but the build fails
> > > currently.
> > 
> > For stretch, should the upload go to "stretch-security" or just
> > "stretch"?
> 
> For both vim and neovim please via security. Can you send proposed
> debdiffs to the team? 
> 
> > As far as the build, I was able to do that locally via sbuild.  Any
> > other info on possible build failures would be helpful, so I can try to
> > address that before uploading.
> 
> Sure, sorry for not adding that earlier. Attaching what I had so far
> here. The build is done with pbuilder in my case. But that said i
> still would have to check if I have not done something trivially
> wrong.

The package builded actually after a retry today without changes, so
there might be just some flaky parts in the build? Does that ring a
bell?

Regards,
Salvatore

Message #47 received at 930020@bugs.debian.org (full text, mbox, reply):

From: James McCoy <jamessan@debian.org>

To: Salvatore Bonaccorso <carnil@debian.org>

Cc: 930020@bugs.debian.org, Debian Security Team <team@security.debian.org>

Subject: Re: Bug#930020: vim: Modelines allow arbitrary code execution

Date: Thu, 6 Jun 2019 22:13:22 -0400

[Message part 1 (text/plain, inline)]

On Thu, Jun 06, 2019 at 07:44:18AM +0200, Salvatore Bonaccorso wrote:
> On Wed, Jun 05, 2019 at 10:24:45PM -0400, James McCoy wrote:
> > On Wed, Jun 05, 2019 at 11:11:10PM +0200, Salvatore Bonaccorso wrote:
> > > Looked today as well on the version in stretch, but the build fails
> > > currently.
> > 
> > For stretch, should the upload go to "stretch-security" or just
> > "stretch"?
> 
> For both vim and neovim please via security. Can you send proposed
> debdiffs to the team? 

Sure.

> > As far as the build, I was able to do that locally via sbuild.  Any
> > other info on possible build failures would be helpful, so I can try to
> > address that before uploading.
> 
> Sure, sorry for not adding that earlier. Attaching what I had so far
> here. The build is done with pbuilder in my case. But that said i
> still would have to check if I have not done something trivially
> wrong.

Unfortunately, the update isn't going to be as simple for
Jessie/Stretch.  The functionality relied upon for check_secure() to
work correctly relies on a number of earlier patches in the 8.1 series
(as I discovered with neovim).

I think all of these need to be ported for a complete solution:

* 8.1.0177
* 8.1.0189
* 8.1.0538
* 8.1.0544
* 8.1.0546
* 8.1.0547
* 8.1.0613
* 8.1.1046
* 8.1.1365

Cheers,
-- 
James
GPG Key: 4096R/91BF BF4D 6956 BD5D F7B7  2D23 DFE6 91AE 331B A3DB

[signature.asc (application/pgp-signature, inline)]

Message #52 received at 930020@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: James McCoy <jamessan@debian.org>

Cc: 930020@bugs.debian.org, Debian Security Team <team@security.debian.org>

Subject: Re: Bug#930020: vim: Modelines allow arbitrary code execution

Date: Fri, 7 Jun 2019 07:54:59 +0200

Hi James,

On Thu, Jun 06, 2019 at 10:13:22PM -0400, James McCoy wrote:
> On Thu, Jun 06, 2019 at 07:44:18AM +0200, Salvatore Bonaccorso wrote:
> > On Wed, Jun 05, 2019 at 10:24:45PM -0400, James McCoy wrote:
> > > On Wed, Jun 05, 2019 at 11:11:10PM +0200, Salvatore Bonaccorso wrote:
> > > > Looked today as well on the version in stretch, but the build fails
> > > > currently.
> > > 
> > > For stretch, should the upload go to "stretch-security" or just
> > > "stretch"?
> > 
> > For both vim and neovim please via security. Can you send proposed
> > debdiffs to the team? 
> 
> Sure.
> 
> > > As far as the build, I was able to do that locally via sbuild.  Any
> > > other info on possible build failures would be helpful, so I can try to
> > > address that before uploading.
> > 
> > Sure, sorry for not adding that earlier. Attaching what I had so far
> > here. The build is done with pbuilder in my case. But that said i
> > still would have to check if I have not done something trivially
> > wrong.
> 
> Unfortunately, the update isn't going to be as simple for
> Jessie/Stretch.  The functionality relied upon for check_secure() to
> work correctly relies on a number of earlier patches in the 8.1 series
> (as I discovered with neovim).
> 
> I think all of these need to be ported for a complete solution:
> 
> * 8.1.0177
> * 8.1.0189
> * 8.1.0538
> * 8.1.0544
> * 8.1.0546
> * 8.1.0547
> * 8.1.0613
> * 8.1.1046
> * 8.1.1365

Thanks!

Regards,
Salvatore

Message #55 received at 930020-submitter@bugs.debian.org (full text, mbox, reply):

From: James McCoy <noreply@salsa.debian.org>

To: 930020-submitter@bugs.debian.org

Subject: Bug#930020 marked as pending in vim

Date: Fri, 07 Jun 2019 10:52:10 +0000

Control: tag -1 pending

Hello,

Bug #930020 in vim reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/vim-team/vim/commit/fd3cdf2c05d751d6e4d8d59506a9184a4965e072

------------------------------------------------------------------------
Backport 8.1.1046 and 8.1.1365 to fix CVE-2019-12735

Closes: #930020
Signed-off-by: James McCoy <jamessan@debian.org>
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/930020

Message #62 received at 930020-close@bugs.debian.org (full text, mbox, reply):

From: James McCoy <jamessan@debian.org>

To: 930020-close@bugs.debian.org

Subject: Bug#930020: fixed in vim 2:8.1.0875-4

Date: Fri, 07 Jun 2019 12:04:04 +0000

Source: vim
Source-Version: 2:8.1.0875-4

We believe that the bug you reported is fixed in the latest version of
vim, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 930020@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
James McCoy <jamessan@debian.org> (supplier of updated vim package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 07 Jun 2019 06:49:19 -0400
Source: vim
Architecture: source
Version: 2:8.1.0875-4
Distribution: unstable
Urgency: high
Maintainer: Debian Vim Maintainers <team+vim@tracker.debian.org>
Changed-By: James McCoy <jamessan@debian.org>
Closes: 930020
Changes:
 vim (2:8.1.0875-4) unstable; urgency=high
 .
   * Backport 8.1.1046 and 8.1.1365 to fix CVE-2019-12735  (Closes: #930020)
     + 8.1.1365: source command doesn't check for the sandbox
Checksums-Sha1:
 f5d602eb849ab46235c6fb096023aa20c4202ef2 2918 vim_8.1.0875-4.dsc
 45402f4e9507da7923b83e140ef975807f911771 175540 vim_8.1.0875-4.debian.tar.xz
 447debc66f6a48007eec518d4754544529e230c4 21964 vim_8.1.0875-4_amd64.buildinfo
Checksums-Sha256:
 512fb40f4ff0a13113f0c33c76347523b2c3b24b0a56380fe0f1bbfc3f752997 2918 vim_8.1.0875-4.dsc
 5f6de7c69a6e0cefdf8045dd5f03c8c53dcf822ef2e58736fb318b6663e4bf71 175540 vim_8.1.0875-4.debian.tar.xz
 43035b529315b1be33c1ca3ebda2afc772be7ec297e66a6c43a7869d309cea99 21964 vim_8.1.0875-4_amd64.buildinfo
Files:
 508722da2157dde762198e5d6b8b7f67 2918 editors optional vim_8.1.0875-4.dsc
 76390cf1288f41daa9136a74a0ad9301 175540 editors optional vim_8.1.0875-4.debian.tar.xz
 54a288bceb71d10a84d59d85a62c0542 21964 editors optional vim_8.1.0875-4_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEEkb+/TWlWvV33ty0j3+aRrjMbo9sFAlz6TtNfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDkx
QkZCRjRENjk1NkJENURGN0I3MkQyM0RGRTY5MUFFMzMxQkEzREIACgkQ3+aRrjMb
o9tXqxAAlkhmbEfyJLmR+Y8KkkVWkZT0x7N+oLtxYFYcPhvwcaMp05LD7p/HTTUo
Uh+I+YQ7VKFrFTrt76+NCeOnyr+G4oE08Fip5bg//kMUyUYFZvDgN3RtjoX4PN4G
uMXHinbu89EHisce0apaXKdiHxNnFTLROv9PvHTnVF1ZZrzoAh+nOPdKCU1iaNAi
qTRgLaMWghVIV7g/3p0+f8Mxsjb6o3zGILC3uYqlRzvzX1c7p0Xmr6dwxhn6+QKs
dR8+KO1UepxUUE5U4gYfawaC43Ds6R5PDkR0nJhrCdMlpiKNgCnTt9p6g2fJyZoA
9YcRwxtrZpf6c3na44lu5pgOyM8zBGcRV2mWMhahvX/AmS159TMftvC4VGExJ64f
tXvE5UB95SYYvPRreRF2KBXIpARCmXvqSfzkYesA5C8mTdvq2luY+N0L/w7PCr6j
IiXNQZkdl04WYeij3ewVjNwuIBVmy/CMs+aXMpqC8FiWWhVZxEYVVJxGS1Pjwqaq
UHMG8y2BLzesicSJXxQAUkdhEBEq9fs8t2rsq7DKQLqsvE4jXCYsOue7uNnYOqMR
xvvCvpdapufpXKT2I1NNIToaJnXp6HW/P4CqMBwPiuXnSw3tR/hlsgWPrkbrl7Qv
847ne6qHw0MDCD6I8fUQC3nXbIkXOotKnnNKMxoy464tJla93hk=
=oJR+
-----END PGP SIGNATURE-----

Message #73 received at 930020@bugs.debian.org (full text, mbox, reply):

From: Alastair Irvine <alastair@plug.org.au>

To: 930020@bugs.debian.org

Subject: 8.1.* patches

Date: Fri, 14 Jun 2019 14:38:57 +0800

On Thu, Jun 06, 2019 at 22:13:22 -0400, James McCoy wrote:
> Unfortunately, the update isn't going to be as simple for
> Jessie/Stretch.  The functionality relied upon for check_secure() to
> work correctly relies on a number of earlier patches in the 8.1 series
> (as I discovered with neovim).
> 
> I think all of these need to be ported for a complete solution:
> 
> * 8.1.0177
> * 8.1.0189
> * 8.1.0538
> * 8.1.0544
> * 8.1.0546
> * 8.1.0547
> * 8.1.0613
> * 8.1.1046
> * 8.1.1365

Does anyone need help back-porting the required patches for stretch?

Message #78 received at 930020@bugs.debian.org (full text, mbox, reply):

From: James McCoy <jamessan@debian.org>

To: Alastair Irvine <alastair@plug.org.au>, 930020@bugs.debian.org

Subject: Re: Bug#930020: 8.1.* patches

Date: Sat, 15 Jun 2019 10:16:31 -0400

On Fri, Jun 14, 2019 at 02:38:57PM +0800, Alastair Irvine wrote:
> On Thu, Jun 06, 2019 at 22:13:22 -0400, James McCoy wrote:
> > Unfortunately, the update isn't going to be as simple for
> > Jessie/Stretch.  The functionality relied upon for check_secure() to
> > work correctly relies on a number of earlier patches in the 8.1 series
> > (as I discovered with neovim).
> > 
> > I think all of these need to be ported for a complete solution:
> > 
> > * 8.1.0177
> > * 8.1.0189
> > * 8.1.0538
> > * 8.1.0544
> > * 8.1.0546
> > * 8.1.0547
> > * 8.1.0613
> > * 8.1.1046
> > * 8.1.1365
> 
> Does anyone need help back-porting the required patches for stretch?

The list ended up being longer than above.  I've nearly finished.
Hoping to get it done this weekend.

Cheers,
-- 
James
GPG Key: 4096R/91BF BF4D 6956 BD5D F7B7  2D23 DFE6 91AE 331B A3DB

Send a report that this bug log contains spam.