Hi,

Here's a patch to fix a recently found arbitrary code execution bug in neovim. It affects regular vim too, so CC sthen@.
https://github.com/numirias/security/blob/master/doc/2019-06-04_ace-vim-neovim.md I was alerted to this by solene@ on mastodon. Thanks! Maybe worth pushing to -stable too? (I see that there is a new neovim -- will port soon). OK? Index: Makefile =================================================================== RCS file: /cvs/ports/editors/neovim/Makefile,v retrieving revision 1.15 diff -u -p -r1.15 Makefile --- Makefile 20 May 2019 22:15:08 -0000 1.15 +++ Makefile 6 Jun 2019 15:32:31 -0000 @@ -5,7 +5,7 @@ COMMENT = continuation and extension of GH_ACCOUNT = neovim GH_PROJECT = neovim GH_TAGNAME = v0.3.4 -REVISION = 0 +REVISION = 1 CATEGORIES = editors devel HOMEPAGE = http://neovim.org Index: patches/patch-src_nvim_getchar_c =================================================================== RCS file: patches/patch-src_nvim_getchar_c diff -N patches/patch-src_nvim_getchar_c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-src_nvim_getchar_c 6 Jun 2019 15:52:58 -0000 @@ -0,0 +1,25 @@ +$OpenBSD$ + +Security patch: Source command doesn't check for the sandbox. +https://github.com/neovim/neovim/pull/10082 + +Detailed description: +https://github.com/numirias/security/blob/master/doc/2019-06-04_ace-vim-neovim.md + +Index: src/nvim/getchar.c +--- src/nvim/getchar.c.orig ++++ src/nvim/getchar.c +@@ -1244,6 +1244,13 @@ openscript ( + EMSG(_(e_nesting)); + return; + } ++ ++ // Disallow sourcing a file in the sandbox, the commands would be executed ++ // later, possibly outside of the sandbox. ++ if (check_secure()) { ++ return; ++ } ++ + if (ignore_script) + /* Not reading from script, also don't open one. Warning message? */ + return; -- Best Regards Edd Barrett http://www.theunixzoo.co.uk
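Review bot: In the new patches/patch-src_nvim_getchar_c, the added `if (check_secure()) { return; }` branch in openscript returns with no visible error report, whereas the e_nesting branch directly above it calls EMSG before its return. Please confirm that check_secure() reports the refusal itself, so that a source command blocked in the sandbox does not fail silently, and if it does, say so in the added comment. The patch header links the upstream pull request; it would also help to state there whether this hunk is taken unchanged from that pull request, so the file is easy to drop when the port moves to the newer neovim mentioned in the mail.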