Hi James,

On Thu, Jun 06, 2019 at 09:29:14PM -0400, James McCoy wrote:
> Control: found -1 0.3.4-2
>
> On Wed, Jun 05, 2019 at 03:33:23PM +0200, Salvatore Bonaccorso wrote:
> > Control: retitle neovim: CVE-2019-12735: Modelines allow arbitrary code
> > execution
> >
> > On Wed, Jun 05, 2019 at 03:14:43AM -0700, Matthew Crews wrote:
> > > Source: neovim
> > > Severity: important
> > > Tags: upstream
> > >
> > > Dear Maintainer,
> > >
> > > Neovim versions < 0.3.6 are subject to an Arbitrary Code Execution
> > > exploit via modelines, as described in this blogpost:
> > >
> > > https://github.com/numirias/security/blob/master/doc/2019-06-04_ace-vim-neovim.md
> > >
> > > Upgrading the Neovim package to >= 0.3.6 fixes this exploit.
> >
> > MITRE assigned CVE-2019-12735 for this issue.
>
> This isn't actually fixed in upstream's 0.3.6, as it's missing a few
> prerequisite patches. They were merged to neovim's master branch, but
> not the release branch.
>
> The simple test that was part of Vim's patch for this problem was
> blocked, but not a slightly more involved scenario.
>
> Working with upstream to get that fixed and will update the Debian
> package as well.
Ack! Thanks for the status update.

Regards,
Salvatore
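The thread above is about modelines in files that an editor parses automatically when the file is opened. A practical check, while waiting for a fixed package, is to look for modelines in a file before opening it in Vim or Neovim. The following scanner is an added example written for this page; it is not code from the bug report, from Debian, or from either editor. It implements the two modeline forms as documented in Vim's ":help modeline" in simplified form (marker vi:, vim:, Vim: or ex: at the start of the line or after whitespace, with or without a "set ... :" wrapper) and, like Vim's default 'modelines' value, only inspects the first and last five lines. The has_expr_option() heuristic, which singles out options whose names end in "expr", and the SAMPLE text are this example's own constructions, not anything taken from the advisory.

```python
"""Scan text for Vim/Neovim modelines before opening it in an editor.

Added example for this bug-report page; not code from Neovim, Vim or Debian.
Simplified grammar from ":help modeline" (first and second form):
    [text ]{vi:|vim:|Vim:|ex:}[ ]{options}
    [text ]{vi:|vim:|Vim:|ex:}[ ]se[t] {options}:[text]
"""
import re
import sys
from typing import List, Optional, Tuple

MODELINES_DEFAULT = 5  # Vim's default for the 'modelines' option

# The marker must be at the start of the line or preceded by whitespace.
_MARKER = re.compile(r'(?:^|\s)(?:vi|vim|Vim|ex):\s*(?P<rest>.*)$')
# Second form: "se[t] <options>:" -- options end at the first ':'.
_SET_FORM = re.compile(r'^se(?:t)?\s+(?P<opts>.*?):')


def parse_modeline(line: str) -> Optional[str]:
    """Return the option text of a modeline found in `line`, else None."""
    m = _MARKER.search(line)
    if not m:
        return None
    rest = m.group('rest')
    s = _SET_FORM.match(rest)
    if s:
        return s.group('opts').strip()
    # First form: the rest of the line is the option list.
    return rest.strip()


def find_modelines(text: str, nlines: int = MODELINES_DEFAULT) -> List[Tuple[int, str]]:
    """Return (1-based line number, options) for every modeline in the
    first `nlines` and last `nlines` lines, as Vim would consider them."""
    lines = text.splitlines()
    candidates = set(range(min(nlines, len(lines))))
    candidates |= set(range(max(0, len(lines) - nlines), len(lines)))
    hits = []
    for i in sorted(candidates):
        opts = parse_modeline(lines[i])
        if opts is not None:
            hits.append((i + 1, opts))
    return hits


def has_expr_option(opts: str) -> bool:
    """Heuristic (this example's own assumption): flag any option whose
    name ends in 'expr', since such options hold evaluated expressions."""
    return any(re.match(r'\w*expr\s*=', tok) for tok in re.split(r'[\s:]+', opts))


# Constructed sample input: a C file with a harmless header modeline and a
# trailing modeline that sets an expression option.
SAMPLE = "\n".join([
    "/* vim: set ts=4 sw=4: */",
    "int main(void) { return 0; }",
    "",
    "",
    "",
    "",
    "",
    "/* vi: foldmethod=expr foldexpr=0 */",
])


def report(text: str) -> List[str]:
    """Human-readable audit lines for every modeline in `text`."""
    out = []
    for lineno, opts in find_modelines(text):
        tag = "EXPR-OPTION" if has_expr_option(opts) else "modeline"
        out.append(f"line {lineno}: {tag}: {opts}")
    return out


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE
    for entry in report(text):
        print(entry)
```

Run it as `python scan_modelines.py somefile.c`; with no argument it audits the embedded sample. Any hit is a reason to open the file with modelines disabled (for example `nvim -u NONE` or with `set nomodeline` in the configuration) until a package carrying the complete upstream fix is installed.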