Debian Bug report logs - #212696
vim: modelines seem to be broken

version graph

Package: vim; Maintainer for vim is Debian Vim Maintainers <pkg-vim-maintainers@lists.alioth.debian.org>; Source for vim is src:vim.

Reported by: Martin Michlmayr <tbm@cyrius.com>

Date: Thu, 25 Sep 2003 11:48:01 UTC

Severity: normal

Found in version 1:6.2-098+3

Fixed in version vim/1:6.2-106+1

Done: Norbert Tretkowski <nobse@debian.org>

Bug is archived. No further changes may be made.

Forwarded to vim-dev@vim.org

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Luca Filipozzi <lfilipoz@debian.org>:
Bug#212696; Package vim. Full text and rfc822 format available.

Acknowledgement sent to Martin Michlmayr <tbm@cyrius.com>:
New Bug report received and forwarded. Copy sent to Luca Filipozzi <lfilipoz@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Martin Michlmayr <tbm@cyrius.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: vim: modelines seem to be broken
Date: Thu, 25 Sep 2003 21:39:29 +1000
Package: vim
Version: 1:6.2-098+3
Severity: normal

I have the following lines at the end of various Python and Perl
scripts:

# vim:set ts=4:
# vim:set expandtab:
# vim:set shiftwidth=4:


Previously, this worked; however, these modelines (any others) don't
work anymore with current vim.  According to options.txt.gz, section
*auto-setting* they are still valid modelines.

The only theory I have is that the "modelines" option is turned off by
default now.  options.txt.gz says:

 >3. If you start editing a new file, and the 'modeline' option is on,
 >[...]

However, explicitly setting "set modeline" in my ~/.vimrc doesn't
change anything; so it really seems this is broken in current vim.



-- System Information:
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux deprecation 2.4.22-1-686 #1 Fri Sep 5 23:04:29 EST 2003 i686
Locale: LANG=en_US, LC_CTYPE=en_US

Versions of packages vim depends on:
ii  dpkg                      1.10.15        Package maintenance system for Deb
ii  libc6                     2.3.2-8        GNU C Library: Shared libraries an
ii  libgpmg1                  1.19.6-12.1    General Purpose Mouse Library [lib
ii  libncurses5               5.3.20030719-2 Shared libraries for terminal hand

-- no debconf information


-- 
Martin Michlmayr
tbm@cyrius.com



Noted your statement that Bug has been forwarded to vim-dev@vim.org. Request was from Norbert Tretkowski <tretkowski@inittab.de> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Luca Filipozzi <lfilipoz@debian.org>:
Bug#212696; Package vim. Full text and rfc822 format available.

Acknowledgement sent to Martin Michlmayr <tbm@cyrius.com>:
Extra info received and forwarded to list. Copy sent to Luca Filipozzi <lfilipoz@debian.org>. Full text and rfc822 format available.

Message #12 received at 212696@bugs.debian.org (full text, mbox):

From: Martin Michlmayr <tbm@cyrius.com>
To: Bram Moolenaar <Bram@moolenaar.net>
Cc: Norbert Tretkowski <tretkowski@inittab.de>, vim-dev@vim.org, 212696@bugs.debian.org
Subject: Re: [tbm@cyrius.com: Bug#212696: vim: modelines seem to be broken]
Date: Sun, 28 Sep 2003 04:54:02 +1000
* Bram Moolenaar <Bram@moolenaar.net> [2003-09-27 20:24]:
> What does ":verbose set modeline?" say?

  modeline
        Last set from /usr/share/vim/vimrc

/usr/share/vim/vimrc contains:
" Prevent modelines in files from being evaluated (avoids a potential
" security problem wherein a malicious user could write a hazardous
" modeline into a file) (override default value of 5)
set modelines=0


Putting "set modelines=5" in my ~/.vimrc works, so it looks as if
setting this to 0 by default is a bit too aggressive.
-- 
Martin Michlmayr
tbm@cyrius.com



Information forwarded to debian-bugs-dist@lists.debian.org, Luca Filipozzi <lfilipoz@debian.org>:
Bug#212696; Package vim. Full text and rfc822 format available.

Acknowledgement sent to Norbert Tretkowski <tretkowski@inittab.de>:
Extra info received and forwarded to list. Copy sent to Luca Filipozzi <lfilipoz@debian.org>. Full text and rfc822 format available.

Message #17 received at 212696@bugs.debian.org (full text, mbox):

From: Norbert Tretkowski <tretkowski@inittab.de>
To: Martin Michlmayr <tbm@cyrius.com>, 212696@bugs.debian.org
Subject: Re: Bug#212696: vim: modelines seem to be broken
Date: Sat, 27 Sep 2003 21:20:33 +0200
* Martin Michlmayr <tbm@cyrius.com> wrote:
> However, explicitly setting "set modeline" in my ~/.vimrc doesn't
> change anything; so it really seems this is broken in current vim.

This is not a real bug. From /etc/vim/vimrc:

,----
| " Prevent modelines in files from being evaluated (avoids a potential
| " security problem wherein a malicious user could write a hazardous
| " modeline into a file) (override default value of 5)
| set modelines=0
`----

I decided not to change this, the comment in the file speaks for
itself.

I'm adding a note to README.Debian.



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#212696; Package vim. Full text and rfc822 format available.

Acknowledgement sent to Luca Filipozzi <lfilipoz@debian.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #22 received at 212696@bugs.debian.org (full text, mbox):

From: Luca Filipozzi <lfilipoz@debian.org>
To: Norbert Tretkowski <tretkowski@inittab.de>, 212696@bugs.debian.org
Cc: Martin Michlmayr <tbm@cyrius.com>
Subject: Re: Bug#212696: vim: modelines seem to be broken
Date: Sat, 27 Sep 2003 12:36:24 -0700
On Sat, Sep 27, 2003 at 09:20:33PM +0200, Norbert Tretkowski wrote:
> * Martin Michlmayr <tbm@cyrius.com> wrote:
> > However, explicitly setting "set modeline" in my ~/.vimrc doesn't
> > change anything; so it really seems this is broken in current vim.
> 
> This is not a real bug. From /etc/vim/vimrc:
> 
> ,----
> | " Prevent modelines in files from being evaluated (avoids a potential
> | " security problem wherein a malicious user could write a hazardous
> | " modeline into a file) (override default value of 5)
> | set modelines=0
> `----
> 
> I decided not to change this, the comment in the file speaks for
> itself.
> 
> I'm adding a note to README.Debian.

There has been some debate regarding this change.  Later versions of
vim, including the 6.2 family, have fixes for the modeline
vulnerability, so it begs the question as to whether setting modelines
to zero is of continued value.

Luca

-- 
Luca Filipozzi
"Linux gives us the power to crush those that oppose us." - switchlinux
gpgkey 5A827A2D - A149 97BD 188C 7F29 779E  09C1 3573 32C4 5A82 7A2D



Information forwarded to debian-bugs-dist@lists.debian.org, Luca Filipozzi <lfilipoz@debian.org>:
Bug#212696; Package vim. Full text and rfc822 format available.

Acknowledgement sent to Bram Moolenaar <Bram@moolenaar.net>:
Extra info received and forwarded to list. Copy sent to Luca Filipozzi <lfilipoz@debian.org>. Full text and rfc822 format available.

Message #27 received at 212696@bugs.debian.org (full text, mbox):

From: Bram Moolenaar <Bram@moolenaar.net>
To: Martin Michlmayr <tbm@cyrius.com>
Cc: Norbert Tretkowski <tretkowski@inittab.de>, vim-dev@vim.org, 212696@bugs.debian.org
Subject: Re: [tbm@cyrius.com: Bug#212696: vim: modelines seem to be broken]
Date: Sat, 27 Sep 2003 22:08:40 +0200
Martin Michlmayr wrote:

> * Bram Moolenaar <Bram@moolenaar.net> [2003-09-27 20:24]:
> > What does ":verbose set modeline?" say?
> 
>   modeline
>         Last set from /usr/share/vim/vimrc
> 
> /usr/share/vim/vimrc contains:
> " Prevent modelines in files from being evaluated (avoids a potential
> " security problem wherein a malicious user could write a hazardous
> " modeline into a file) (override default value of 5)
> set modelines=0
> 
> 
> Putting "set modelines=5" in my ~/.vimrc works, so it looks as if
> setting this to 0 by default is a bit too aggressive.

Well, that explains it.

That Debian choses to disable using modelines is their choice.  But they
should be aware that users will get confused, since the documentation
mentions it's on by default.

At least do ":set nomodeline" instead of setting 'modelines' to zero,
that confuses Vim users, as this bug report has confirmed.  You better
leave 'modelines' alone, I don't see a reason to change its value even
if you don't want to use modelines.

-- 
Micro$oft: where do you want to go today?
    Linux: where do you want to go tomorrow?
  FreeBSD: are you guys coming, or what?

 /// Bram Moolenaar -- Bram@Moolenaar.net -- http://www.Moolenaar.net   \\\
///          Creator of Vim - Vi IMproved -- http://www.Vim.org          \\\
\\\              Project leader for A-A-P -- http://www.A-A-P.org        ///
 \\\  Help AIDS victims, buy here: http://ICCF-Holland.org/click1.html  ///



Reply sent to Norbert Tretkowski <nobse@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Martin Michlmayr <tbm@cyrius.com>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #32 received at 212696-close@bugs.debian.org (full text, mbox):

From: Norbert Tretkowski <nobse@debian.org>
To: 212696-close@bugs.debian.org
Subject: Bug#212696: fixed in vim 1:6.2-106+1
Date: Mon, 06 Oct 2003 02:08:20 -0400
Source: vim
Source-Version: 1:6.2-106+1

We believe that the bug you reported is fixed in the latest version of
vim, which is due to be installed in the Debian FTP archive:

vim-doc_6.2-106+1_all.deb
  to pool/main/v/vim/vim-doc_6.2-106+1_all.deb
vim-gnome_6.2-106+1_i386.deb
  to pool/main/v/vim/vim-gnome_6.2-106+1_i386.deb
vim-gtk_6.2-106+1_i386.deb
  to pool/main/v/vim/vim-gtk_6.2-106+1_i386.deb
vim-perl_6.2-106+1_i386.deb
  to pool/main/v/vim/vim-perl_6.2-106+1_i386.deb
vim-python_6.2-106+1_i386.deb
  to pool/main/v/vim/vim-python_6.2-106+1_i386.deb
vim-ruby_6.2-106+1_i386.deb
  to pool/main/v/vim/vim-ruby_6.2-106+1_i386.deb
vim-tcl_6.2-106+1_i386.deb
  to pool/main/v/vim/vim-tcl_6.2-106+1_i386.deb
vim_6.2-106+1.diff.gz
  to pool/main/v/vim/vim_6.2-106+1.diff.gz
vim_6.2-106+1.dsc
  to pool/main/v/vim/vim_6.2-106+1.dsc
vim_6.2-106+1_i386.deb
  to pool/main/v/vim/vim_6.2-106+1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 212696@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Norbert Tretkowski <nobse@debian.org> (supplier of updated vim package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 27 Sep 2003 23:26:43 +0200
Source: vim
Binary: vim-perl vim-ruby vim-doc vim-gnome vim-python vim-tcl vim vim-gtk
Architecture: source i386 all
Version: 1:6.2-106+1
Distribution: unstable
Urgency: low
Maintainer: Luca Filipozzi <lfilipoz@debian.org>
Changed-By: Norbert Tretkowski <nobse@debian.org>
Description: 
 vim        - Vi IMproved - enhanced vi editor
 vim-doc    - Vi IMproved - Documentation files
 vim-gnome  - Vi IMproved - GTK2 Version
 vim-gtk    - Vi IMproved - GTK2 Version
 vim-perl   - Vi IMproved, with perl scripting support
 vim-python - Vi IMproved, with python scripting support
 vim-ruby   - Vi IMproved, with ruby scripting support
 vim-tcl    - Vi IMproved, with tcl scripting support
Closes: 212696 213032
Changes: 
 vim (1:6.2-106+1) unstable; urgency=low
 .
   * new upstream patches (99 to 106), see README.gz for details
   * added a note to README.Debian about new modeline behaviour
     (closes: #212696)
   * helpztags update, fixes production of tag files in improper format which
     vim can't understand (closes: #213032)
   * temporary disabled copying debian/vim-install into vim package, waiting
     for an update (see #213034 for details)
   * changed package priority from optional to extra
Files: 
 2842beb7fe2bbac99e97270874bfb4c3 936 editors extra vim_6.2-106+1.dsc
 8b3ee25f28cc5ff2bd5b04a80099ed1e 161834 editors extra vim_6.2-106+1.diff.gz
 386965927c80ef4820c5eafd4e3430f6 1547800 editors extra vim-doc_6.2-106+1_all.deb
 38f544b128da256842caeeab26d897ca 3762148 editors extra vim_6.2-106+1_i386.deb
 44d8c194a458fd207e47181d0275e164 691748 editors extra vim-perl_6.2-106+1_i386.deb
 7886f732e50004d21e873bd8dd54f8ef 684834 editors extra vim-python_6.2-106+1_i386.deb
 9adcfeb431029735130eb6cf66759e05 680826 editors extra vim-ruby_6.2-106+1_i386.deb
 8af5f0e37ff405c06216ec7df14b0b6c 684912 editors extra vim-tcl_6.2-106+1_i386.deb
 a0db60702d61d2dbe9b8724ba91d3511 711738 editors extra vim-gtk_6.2-106+1_i386.deb
 4b9016f4a10c60c16f33f27e12674f5e 713952 editors extra vim-gnome_6.2-106+1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQE/dgg/r/RnCw96jQERAo5MAJsGx+URDbYjF4n3enA5n+6DR92LnQCcCJQV
F9W5lIYcyMxxE9s1g971Sxk=
=u4Hw
-----END PGP SIGNATURE-----




Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 11:20:19 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.