Your message dated Thu, 27 Jun 2019 02:59:59 +0000
with message-id <e1hgkdj-0005ph...@fasolo.debian.org>
and subject line Bug#930024: fixed in neovim 0.3.4-3
has caused the Debian Bug report #930024,
regarding neovim: CVE-2019-12735: Modelines allow arbitrary code execution
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
930024: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930024
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: neovim
Severity: important
Tags: upstream
Dear Maintainer,
Neovim versions < 0.3.6 are subject to an Arbitrary Code Execution exploit via
modelines, as described in this blogpost:
https://github.com/numirias/security/blob/master/doc/2019-06-04_ace-vim-neovim.md
Upgrading the Neovim package to >= 0.3.6 fixes this exploit.
-- System Information:
Debian Release: 10.0
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-5-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
--- End Message ---
--- Begin Message ---
Source: neovim
Source-Version: 0.3.4-3
We believe that the bug you reported is fixed in the latest version of
neovim, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 930...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
James McCoy <james...@debian.org> (supplier of updated neovim package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 26 Jun 2019 21:21:33 -0400
Source: neovim
Architecture: source
Version: 0.3.4-3
Distribution: unstable
Urgency: high
Maintainer: Debian Vim Maintainers <team+...@tracker.debian.org>
Changed-By: James McCoy <james...@debian.org>
Closes: 930024
Changes:
neovim (0.3.4-3) unstable; urgency=high
.
* Backport additional changes to address CVE-2019-12735 (Closes: #930024)
+ vim-patch:8.1.0177: defining function in sandbox is inconsistent
+ vim-patch:8.1.0189: function defined in sandbox not tested
+ vim-patch:8.1.0538: evaluating a modeline might invoke using a shell command
+ vim-patch:8.1.0539: cannot build without the sandbox
+ vim-patch:8.1.0540: may evaluate insecure value when appending to option
+ vim-patch:8.1.0544: setting 'filetype' in a modeline causes an error
+ vim-patch:8.1.0613: when executing an insecure function the secure flag is stuck
+ vim-patch:8.1.1046: the "secure" variable is used inconsistently
+ vim-patch:8.1.0205: invalid memory access with invalid modeline
+ vim-patch:8.1.0206: duplicate test function name
+ vim-patch:8.1.0506: modeline test fails when run by root
+ vim-patch:8.1.0546: modeline test with keymap fails
+ vim-patch:8.1.0547: modeline test with keymap still fails
+ vim-patch:8.1.1366: using expressions in a modeline is unsafe
+ vim-patch:8.1.1367: can set 'modelineexpr' in modeline
+ vim-patch:8.1.1368: modeline test fails with python but without pythonhome
+ vim-patch:8.1.1382: error when editing test file
+ vim-patch:8.1.1401: misspelled mkspellmem as makespellmem
* Backport patch to prevent use of nvim's API within the sandbox
Checksums-Sha1:
2b469eb20f9c15a791f55f880b795fae43cb1e2a 2639 neovim_0.3.4-3.dsc
92e3dc08924e1554fe78e592433b1b598f3b0296 26884 neovim_0.3.4-3.debian.tar.xz
be038d319b0e6cbead906a4c39ba9db1b21cf5af 8218 neovim_0.3.4-3_amd64.buildinfo
Checksums-Sha256:
317fddb847548883de032b71c8923e79ba03568e14285cd78077cf22ead8230a 2639 neovim_0.3.4-3.dsc
aea5b17551716f438a0a061c027850f0ec09b0b36cc0c37b4055703e06b4f9b6 26884 neovim_0.3.4-3.debian.tar.xz
b000ccded8321f145249b904bd199a4b294cabf6bbbded621eb0179ba6083e6a 8218 neovim_0.3.4-3_amd64.buildinfo
Files:
b7df3c0ff912856357144c08e3f7b5ca 2639 editors optional neovim_0.3.4-3.dsc
381c3d4d41720d420dec4e0d8b71996f 26884 editors optional neovim_0.3.4-3.debian.tar.xz
b9e96215f900b27e988793b8467b8587 8218 editors optional neovim_0.3.4-3_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
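The report above concerns modelines, and the backported vim-patch 8.1.1366/8.1.1367 gate expression-evaluating options behind 'modelineexpr'. As an added defender-side example (not code from Debian, Vim or Neovim), the scanner below parses Vim modelines in the first and last five lines of a file and flags any that set such an option, so untrusted files can be triaged before opening; the option list and the `PlaceholderFunc()` sample value are assumptions constructed for this example.

```python
import re

# Options whose values Vim/Neovim evaluate as expressions; vim-patch 8.1.1366 (in the
# backport list above) gated them behind 'modelineexpr'. This set is an assumption
# for the example: confirm it against :help 'modelineexpr' for your build.
EXPR_OPTIONS = {
    "foldexpr", "fde", "formatexpr", "fex", "includeexpr", "inex", "indentexpr", "inde",
    "foldtext", "fdt", "statusline", "stl", "tabline", "tal", "rulerformat", "ruf",
    "titlestring", "iconstring", "balloonexpr", "bexpr", "diffexpr", "dex", "patchexpr",
    "pex", "printexpr", "pexpr", "charconvert", "ccv", "guitablabel", "gtl", "guitabtooltip", "gtt",
}

# "vi:", "vim:", "ex:" and versioned forms such as "vim>700:" introduce a modeline.
MODELINE_RE = re.compile(r"(?:^|\s)(?:vim?|ex)(?:[<=>]?\d+)?:\s*(.*)$")

def parse_modeline(line):
    """Return the (option, value) pairs set by a modeline, or [] if there is none."""
    m = MODELINE_RE.search(line)
    if not m:
        return []
    body = m.group(1)
    # Second form: "vim: set ts=4 sw=4: trailing text" -- options end at the next ':'.
    sm = re.match(r"\s*(?:set|se)\s+(.*?):", body)
    if sm:
        parts = sm.group(1).split()
    else:  # first form: options separated by whitespace or ':' up to end of line
        parts = re.split(r"[:\s]+", body.strip())
    pairs = []
    for part in filter(None, parts):
        name, _, value = part.partition("=")
        pairs.append((name.rstrip("+-^"), value))  # normalise opt+=, opt^=, opt-=
    return pairs

def find_expr_modelines(text, nlines=5):
    """Return (lineno, option, value) for expression options set in the first/last nlines lines."""
    lines = text.splitlines()
    candidates = set(range(min(nlines, len(lines))))
    candidates |= set(range(max(0, len(lines) - nlines), len(lines)))
    hits = []
    for i in sorted(candidates):
        for name, value in parse_modeline(lines[i]):
            if name in EXPR_OPTIONS:
                hits.append((i + 1, name, value))
    return hits

SAMPLE = (  # constructed sample: one harmless modeline, one setting 'foldexpr' to a placeholder
    "# constructed test file\n# vim: set ts=4 sw=4 et:\nprint('hello')\n"
    "# vim: fdm=marker:foldexpr=PlaceholderFunc():\n")

if __name__ == "__main__":
    for lineno, name, value in find_expr_modelines(SAMPLE):
        print(f"line {lineno}: modeline sets {name}={value!r}; review before opening")
```

Running the block reports only the fourth line of `SAMPLE`; the `set ts=4 sw=4 et:` modeline is parsed but not flagged because none of its options evaluate expressions.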