CVE-2019-12735

Priority
Description
getchar.c in Vim before 8.1.1365 and Neovim before 0.3.6 allows remote
attackers to execute arbitrary OS commands via the :source! command in a
modeline, as demonstrated by execute in Vim, and assert_fails or nvim_input
in Neovim.
Notes
 leosilva> neither precise/esm or trusty/esm seems to be
 leosilva> affected. The POC was not reproducible in these
 leosilva> releases
Assigned-to
leosilva
Package
Upstream:released (0.3.6)
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Ubuntu 18.04 LTS (Bionic Beaver):needed
Ubuntu 18.10 (Cosmic Cuttlefish):released (0.3.1-1ubuntu0.1)
Ubuntu 19.04 (Disco Dingo):released (0.3.4-1ubuntu0.19.04.1)
Ubuntu 19.10 (Eoan):not-affected (0.3.4-2)
Package
Source: vim (LP Ubuntu Debian)
Upstream:released (8.1.1365)
Ubuntu 12.04 ESM (Precise Pangolin):not-affected
Ubuntu 14.04 ESM (Trusty Tahr):not-affected
Ubuntu 16.04 LTS (Xenial Xerus):released (2:7.4.1689-3ubuntu1.3)
Ubuntu 18.04 LTS (Bionic Beaver):released (2:8.0.1453-1ubuntu1.1)
Ubuntu 18.10 (Cosmic Cuttlefish):released (2:8.0.1766-1ubuntu1.1)
Ubuntu 19.04 (Disco Dingo):released (2:8.1.0320-1ubuntu3.1)
Ubuntu 19.10 (Eoan):released (2:8.1.0875-4ubuntu1)
More Information

Updated: 2019-06-25 14:14:23 UTC (commit fb4c4360fd0a8fb944c65030df15e42a767b5ff2)