CVE-2019-12735

Priority
Description
getchar.c in Vim before 8.1.1365 and Neovim before 0.3.6 allows remote
attackers to execute arbitrary OS commands via the :source! command in a
modeline, as demonstrated by execute in Vim, and assert_fails or nvim_input
in Neovim.
Ubuntu-Description
It was discovered that Vim incorrectly handled certain files. An attacker
could possibly use this issue to execute arbitrary code.
Assigned-to
leosilva
Notes
leosilvaneither precise/esm or trusty/esm seems to be
affected. The POC was not reproducible in these
releases
Package
Upstream:released (0.3.6)
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Ubuntu 18.04 LTS (Bionic Beaver):needed
Ubuntu 19.04 (Disco Dingo):released (0.3.4-1ubuntu0.19.04.1)
Ubuntu 19.10 (Eoan Ermine):not-affected (0.3.4-2)
Ubuntu 20.04 (Focal Fossa):not-affected (0.3.4-2)
Package
Source: vim (LP Ubuntu Debian)
Upstream:released (8.1.1365)
Ubuntu 12.04 ESM (Precise Pangolin):not-affected
Ubuntu 14.04 ESM (Trusty Tahr):not-affected
Ubuntu 16.04 LTS (Xenial Xerus):released (2:7.4.1689-3ubuntu1.3)
Ubuntu 18.04 LTS (Bionic Beaver):released (2:8.0.1453-1ubuntu1.1)
Ubuntu 19.04 (Disco Dingo):released (2:8.1.0320-1ubuntu3.1)
Ubuntu 19.10 (Eoan Ermine):released (2:8.1.0875-4ubuntu1)
Ubuntu 20.04 (Focal Fossa):released (2:8.1.0875-4ubuntu1)
More Information

Updated: 2019-12-05 19:59:25 UTC (commit 0aa5e7c87c8b55d2ec5c7f4ca1179cf75de91961)