Security Information / 2019 / Security Information -- DSA-4467-1 vim

Debian Security Advisory

DSA-4467-1 vim -- security update

Date Reported:

18 Jun 2019

Affected Packages:

vim

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2019-12735.

More information:

User Arminius discovered a vulnerability in Vim, an enhanced version of the standard UNIX editor Vi (Vi IMproved). The Common vulnerabilities and exposures project identifies the following problem:

Editors typically provide a way to embed editor configuration commands (aka modelines) which are executed once a file is opened, while harmful commands are filtered by a sandbox mechanism. It was discovered that the source command (used to include and execute another file) was not filtered, allowing shell command execution with a carefully crafted file opened in Vim.

For the stable distribution (stretch), this problem has been fixed in version 2:8.0.0197-4+deb9u2.

We recommend that you upgrade your vim packages.

For the detailed security status of vim please refer to its security tracker page at: https://security-tracker.debian.org/tracker/vim