Debian Bug report logs - #930024
neovim: CVE-2019-12735: Modelines allow arbitrary code execution


Package: src:neovim; Maintainer for src:neovim is Debian Vim Maintainers <team+vim@tracker.debian.org>;

Reported by: Matthew Crews <mattcrews@mattcrews.com>

Date: Wed, 5 Jun 2019 10:18:01 UTC

Severity: serious

Tags: security, upstream

Found in versions neovim/0.1.7-4, neovim/0.3.4-2

Fixed in versions neovim/0.3.4-3, neovim/0.1.7-4+deb9u1

Done: James McCoy <jamessan@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, mattcrews@mattcrews.com, Debian Vim Maintainers <team+vim@tracker.debian.org>:
Bug#930024; Package src:neovim. (Wed, 05 Jun 2019 10:18:04 GMT)


Acknowledgement sent to Matthew Crews <mattcrews@mattcrews.com>:
New Bug report received and forwarded. Copy sent to mattcrews@mattcrews.com, Debian Vim Maintainers <team+vim@tracker.debian.org>. (Wed, 05 Jun 2019 10:18:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Matthew Crews <mattcrews@mattcrews.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: neovim: Arbitrary Code Execution exploit on all neovim versions < 0.3.6 via modelines
Date: Wed, 05 Jun 2019 03:14:43 -0700
Source: neovim
Severity: important
Tags: upstream

Dear Maintainer,

Neovim versions < 0.3.6 are subject to an Arbitrary Code Execution exploit via
modelines, as described in this blogpost:

https://github.com/numirias/security/blob/master/doc/2019-06-04_ace-vim-neovim.md

Upgrading the Neovim package to >= 0.3.6 fixes this exploit.



-- System Information:
Debian Release: 10.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-5-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled



Added tag(s) security. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 05 Jun 2019 10:24:10 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Vim Maintainers <team+vim@tracker.debian.org>:
Bug#930024; Package src:neovim. (Wed, 05 Jun 2019 13:36:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Vim Maintainers <team+vim@tracker.debian.org>. (Wed, 05 Jun 2019 13:36:04 GMT)


Message #12 received at 930024@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Matthew Crews <mattcrews@mattcrews.com>, 930024@bugs.debian.org
Subject: Re: Bug#930024: neovim: Arbitrary Code Execution exploit on all neovim versions < 0.3.6 via modelines
Date: Wed, 5 Jun 2019 15:33:23 +0200
Control: retitle neovim: CVE-2019-12735: Modelines allow arbitrary code execution

On Wed, Jun 05, 2019 at 03:14:43AM -0700, Matthew Crews wrote:
> Source: neovim
> Severity: important
> Tags: upstream
> 
> Dear Maintainer,
> 
> Neovim versions < 0.3.6 are subject to an Arbitrary Code Execution exploit via
> modelines, as described in this blogpost:
> 
> https://github.com/numirias/security/blob/master/doc/2019-06-04_ace-vim-neovim.md
> 
> Upgrading the Neovim package to >= 0.3.6 fixes this exploit.

MITRE assigned CVE-2019-12735 for this issue.

Regards,
Salvatore



Changed Bug title to 'neovim: CVE-2019-12735: Modelines allow arbitrary code execution' from 'neovim: Arbitrary Code Execution exploit on all neovim versions < 0.3.6 via modelines'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 05 Jun 2019 13:42:04 GMT)


Marked as found in versions neovim/0.1.7-4. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 05 Jun 2019 14:30:02 GMT)


Message sent on to Matthew Crews <mattcrews@mattcrews.com>:
Bug#930024. (Thu, 06 Jun 2019 01:54:03 GMT)


Message #19 received at 930024-submitter@bugs.debian.org:

From: James McCoy <noreply@salsa.debian.org>
To: 930024-submitter@bugs.debian.org
Subject: Bug#930024 marked as pending in neovim
Date: Thu, 06 Jun 2019 01:50:56 +0000
Control: tag -1 pending

Hello,

Bug #930024 in neovim reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/vim-team/neovim/commit/2a78d21a5c523473e15f681c895d7e537acdaa1d

------------------------------------------------------------------------
vim-patch:8.1.1365: :source should check sandbox #10082

Problem:    Source command doesn't check for the sandbox. (Armin Razmjou)
Solution:   Check for the sandbox when sourcing a file.
https://github.com/vim/vim/commit/53575521406739cf20bbe4e384d88e7dca11f040

(cherry picked from commit 4553fc5e6cb6c8c43f57c173d01b31a61e51d13f)

Signed-off-by: James McCoy <jamessan@debian.org>
Closes: CVE-2019-12735
Closes: #930024
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/930024



Added tag(s) pending. Request was from James McCoy <noreply@salsa.debian.org> to 930024-submitter@bugs.debian.org. (Thu, 06 Jun 2019 01:54:03 GMT)


Reply sent to James McCoy <jamessan@debian.org>:
You have taken responsibility. (Thu, 06 Jun 2019 02:54:04 GMT)


Notification sent to Matthew Crews <mattcrews@mattcrews.com>:
Bug acknowledged by developer. (Thu, 06 Jun 2019 02:54:04 GMT)


Message #26 received at 930024-close@bugs.debian.org:

From: James McCoy <jamessan@debian.org>
To: 930024-close@bugs.debian.org
Subject: Bug#930024: fixed in neovim 0.3.4-2
Date: Thu, 06 Jun 2019 02:50:58 +0000
Source: neovim
Source-Version: 0.3.4-2

We believe that the bug you reported is fixed in the latest version of
neovim, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 930024@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
James McCoy <jamessan@debian.org> (supplier of updated neovim package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 05 Jun 2019 21:38:14 -0400
Source: neovim
Architecture: source
Version: 0.3.4-2
Distribution: unstable
Urgency: high
Maintainer: Debian Vim Maintainers <team+vim@tracker.debian.org>
Changed-By: James McCoy <jamessan@debian.org>
Closes: 930024
Changes:
 neovim (0.3.4-2) unstable; urgency=high
 .
   [ Efraim Flashner ]
   * don't use luajit on powerpc
 .
   [ James McCoy ]
   * Use the system allocator instead of jemalloc
 .
   [ Justin M. Keyes ]
   * vim-patch:8.1.1365: :source should check sandbox (Closes: #930024,
     CVE-2019-12735)
Checksums-Sha1:
 93dd0b95fc0512e5aa8e2af4efab9450a98a9088 2639 neovim_0.3.4-2.dsc
 b81776ea44b99563f38fbdfb70a05a64dce0f769 14008 neovim_0.3.4-2.debian.tar.xz
 832e78f6f1f8b286641b206e8351daf139a25278 8227 neovim_0.3.4-2_amd64.buildinfo
Checksums-Sha256:
 e41be60438cc704da61599fb38f88e410708bac7fe5691fd1a59e5b49a1edcd5 2639 neovim_0.3.4-2.dsc
 fad6ddbafa6d989851e6d981fad7a7ce0acd3195f5caf26fee13acbf6889bbfe 14008 neovim_0.3.4-2.debian.tar.xz
 4b1a2cdfdfd32da86efd5ed2eb75e59c1d71c9f4b6745cb80af3f02bb6017583 8227 neovim_0.3.4-2_amd64.buildinfo
Files:
 5008c746ee438cb51b9ef3b23abdb823 2639 editors optional neovim_0.3.4-2.dsc
 08c07fcf8c1978b943274bf4ca586995 14008 editors optional neovim_0.3.4-2.debian.tar.xz
 eb5e6aa7a5f3579a6d7b208f6658f11b 8227 editors optional neovim_0.3.4-2_amd64.buildinfo

[PGP signature omitted]




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Vim Maintainers <team+vim@tracker.debian.org>:
Bug#930024; Package src:neovim. (Fri, 07 Jun 2019 01:33:03 GMT)


Acknowledgement sent to James McCoy <jamessan@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Vim Maintainers <team+vim@tracker.debian.org>. (Fri, 07 Jun 2019 01:33:03 GMT)


Message #31 received at 930024@bugs.debian.org:

From: James McCoy <jamessan@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 930024@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#930024: neovim: Arbitrary Code Execution exploit on all neovim versions < 0.3.6 via modelines
Date: Thu, 6 Jun 2019 21:29:14 -0400
[Message part 1 (text/plain, inline)]
Control: found -1 0.3.4-2

On Wed, Jun 05, 2019 at 03:33:23PM +0200, Salvatore Bonaccorso wrote:
> Control: retitle neovim: CVE-2019-12735: Modelines allow arbitrary code execution
> 
> On Wed, Jun 05, 2019 at 03:14:43AM -0700, Matthew Crews wrote:
> > Source: neovim
> > Severity: important
> > Tags: upstream
> > 
> > Dear Maintainer,
> > 
> > Neovim versions < 0.3.6 are subject to an Arbitrary Code Execution exploit via
> > modelines, as described in this blogpost:
> > 
> > https://github.com/numirias/security/blob/master/doc/2019-06-04_ace-vim-neovim.md
> > 
> > Upgrading the Neovim package to >= 0.3.6 fixes this exploit.
> 
> MITRE assigned CVE-2019-12735 for this issue.

This isn't actually fixed in upstream's 0.3.6, as it's missing a few
prerequisite patches.  They were merged to neovim's master branch, but
not the release branch.

The simple test that was part of Vim's patch for this problem was
blocked, but not a slightly more involved scenario.

Working with upstream to get that fixed and will update the Debian
package as well.

Cheers,
-- 
James
GPG Key: 4096R/91BF BF4D 6956 BD5D F7B7  2D23 DFE6 91AE 331B A3DB
[signature.asc (application/pgp-signature, inline)]
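
The message above is why the bug was reopened: 0.3.4-2 carried only the 8.1.1365 backport and was still affected, so any version check has to compare against the versions this log records as fixed, 0.3.4-3 (unstable) and 0.1.7-4+deb9u1 (stretch-security), not against "0.3.4-2" or upstream's "0.3.6". The Python below is an added example, not code from this bug log or from the neovim package: it reimplements dpkg's version ordering (the alternating non-digit/digit run comparison, with `~` sorting before the empty string and the epoch compared first) and uses it to decide whether an installed version predates the fix. On a Debian host `dpkg --compare-versions` answers the same question; the reimplementation is my own transcription of the algorithm, kept here so the check runs anywhere.

```python
"""Check a Debian neovim version against the fixes recorded for CVE-2019-12735.

Added example. The comparison follows dpkg's verrevcmp() algorithm; on a
Debian host `dpkg --compare-versions` gives the same answer.
"""
import sys

# Fixed versions as recorded in this bug log, keyed by the Distribution
# field of the upload that closed it.
FIXED = {
    "unstable": "0.3.4-3",                 # 0.3.4-2 was reopened: incomplete fix
    "stretch-security": "0.1.7-4+deb9u1",
}


def _order(c: str) -> int:
    """Weight of one character in dpkg's ordering: digits (and end of string)
    are 0, letters sort by code point, '~' sorts before everything, and any
    other character sorts after the letters."""
    if c.isdigit() or not c:
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """dpkg's verrevcmp(): compare alternating non-digit and digit runs."""
    while a or b:
        first_diff = 0
        # Non-digit run, character by character ('' counts as weight 0, so
        # "1.0~rc1" < "1.0" and "4" < "4+deb9u1").
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac = _order(a[0]) if a else 0
            bc = _order(b[0]) if b else 0
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        # Digit run: drop leading zeros; the longer run wins, otherwise the
        # first differing digit decides.
        a, b = a.lstrip("0"), b.lstrip("0")
        while a and a[0].isdigit() and b and b[0].isdigit():
            if not first_diff:
                first_diff = ord(a[0]) - ord(b[0])
            a, b = a[1:], b[1:]
        if a and a[0].isdigit():
            return 1
        if b and b[0].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision).
    The revision is everything after the last '-'; a missing revision is ''."""
    epoch = 0
    if ":" in version:
        head, version = version.split(":", 1)
        epoch = int(head)
    upstream, sep, revision = version.rpartition("-")
    if not sep:
        upstream, revision = revision, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Negative, zero or positive, like dpkg --compare-versions lt/eq/gt."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return ea - eb
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def is_vulnerable(installed: str, distribution: str) -> bool:
    """True when `installed` predates the fixed version for `distribution`."""
    return compare_versions(installed, FIXED[distribution]) < 0


if __name__ == "__main__":
    # Usage: python3 check_nvim.py 0.3.4-2 unstable
    ver, dist = sys.argv[1], sys.argv[2]
    state = "VULNERABLE" if is_vulnerable(ver, dist) else "fixed"
    print(f"neovim {ver} ({dist}): {state}, fixed in {FIXED[dist]}")
```

The version string to feed it is the output of `dpkg-query -W -f='${Version}' neovim`; the distribution key is whichever suite the package came from. An upstream version number alone is not enough here, which is the point James makes above: 0.3.6 shipped without the prerequisite patches, and 0.3.4-2 closed the bug prematurely.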

Marked as found in versions neovim/0.3.4-2; no longer marked as fixed in versions neovim/0.3.4-2 and reopened. Request was from James McCoy <jamessan@debian.org> to 930024-submit@bugs.debian.org. (Fri, 07 Jun 2019 01:33:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Vim Maintainers <team+vim@tracker.debian.org>:
Bug#930024; Package src:neovim. (Fri, 07 Jun 2019 05:54:02 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Vim Maintainers <team+vim@tracker.debian.org>. (Fri, 07 Jun 2019 05:54:02 GMT)


Message #38 received at 930024@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: James McCoy <jamessan@debian.org>
Cc: 930024@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#930024: neovim: Arbitrary Code Execution exploit on all neovim versions < 0.3.6 via modelines
Date: Fri, 7 Jun 2019 07:51:19 +0200
Hi James,

On Thu, Jun 06, 2019 at 09:29:14PM -0400, James McCoy wrote:
> Control: found -1 0.3.4-2
> 
> On Wed, Jun 05, 2019 at 03:33:23PM +0200, Salvatore Bonaccorso wrote:
> > Control: retitle neovim: CVE-2019-12735: Modelines allow arbitrary code execution
> > 
> > On Wed, Jun 05, 2019 at 03:14:43AM -0700, Matthew Crews wrote:
> > > Source: neovim
> > > Severity: important
> > > Tags: upstream
> > > 
> > > Dear Maintainer,
> > > 
> > > Neovim versions < 0.3.6 are subject to an Arbitrary Code Execution exploit via
> > > modelines, as described in this blogpost:
> > > 
> > > https://github.com/numirias/security/blob/master/doc/2019-06-04_ace-vim-neovim.md
> > > 
> > > Upgrading the Neovim package to >= 0.3.6 fixes this exploit.
> > 
> > MITRE assigned CVE-2019-12735 for this issue.
> 
> This isn't actually fixed in upstream's 0.3.6, as it's missing a few
> prerequisite patches.  They were merged to neovim's master branch, but
> not the release branch.
> 
> The simple test that was part of Vim's patch for this problem was
> blocked, but not a slightly more involved scenario.
> 
> Working with upstream to get that fixed and will update the Debian
> package as well.

Ack! Thanks for the status update.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Vim Maintainers <team+vim@tracker.debian.org>:
Bug#930024; Package src:neovim. (Wed, 12 Jun 2019 20:09:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Vim Maintainers <team+vim@tracker.debian.org>. (Wed, 12 Jun 2019 20:09:06 GMT)


Message #43 received at 930024@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 930024@bugs.debian.org
Cc: James McCoy <jamessan@debian.org>, team@security.debian.org
Subject: Re: Bug#930024: neovim: Arbitrary Code Execution exploit on all neovim versions < 0.3.6 via modelines
Date: Wed, 12 Jun 2019 22:07:37 +0200
Control: severity -1 serious

On Fri, Jun 07, 2019 at 07:51:19AM +0200, Salvatore Bonaccorso wrote:
> Hi James,
> 
> On Thu, Jun 06, 2019 at 09:29:14PM -0400, James McCoy wrote:
> > Control: found -1 0.3.4-2
> > 
> > On Wed, Jun 05, 2019 at 03:33:23PM +0200, Salvatore Bonaccorso wrote:
> > > Control: retitle neovim: CVE-2019-12735: Modelines allow arbitrary code execution
> > > 
> > > On Wed, Jun 05, 2019 at 03:14:43AM -0700, Matthew Crews wrote:
> > > > Source: neovim
> > > > Severity: important
> > > > Tags: upstream
> > > > 
> > > > Dear Maintainer,
> > > > 
> > > > Neovim versions < 0.3.6 are subject to an Arbitrary Code Execution exploit via
> > > > modelines, as described in this blogpost:
> > > > 
> > > > https://github.com/numirias/security/blob/master/doc/2019-06-04_ace-vim-neovim.md
> > > > 
> > > > Upgrading the Neovim package to >= 0.3.6 fixes this exploit.
> > > 
> > > MITRE assigned CVE-2019-12735 for this issue.
> > 
> > This isn't actually fixed in upstream's 0.3.6, as it's missing a few
> > prerequisite patches.  They were merged to neovim's master branch, but
> > not the release branch.
> > 
> > The simple test that was part of Vim's patch for this problem was
> > blocked, but not a slightly more involved scenario.
> > 
> > Working with upstream to get that fixed and will update the Debian
> > package as well.
> 
> Ack! Thanks for the status update.

Raising the severity here to RC, as this should ideally be addressed
before the buster release in buster.

Regards,
Salvatore



Severity set to 'serious' from 'important'. Request was from Salvatore Bonaccorso <carnil@debian.org> to 930024-submit@bugs.debian.org. (Wed, 12 Jun 2019 20:09:06 GMT)


Reply sent to James McCoy <jamessan@debian.org>:
You have taken responsibility. (Thu, 27 Jun 2019 03:03:03 GMT)


Notification sent to Matthew Crews <mattcrews@mattcrews.com>:
Bug acknowledged by developer. (Thu, 27 Jun 2019 03:03:03 GMT)


Message #50 received at 930024-close@bugs.debian.org:

From: James McCoy <jamessan@debian.org>
To: 930024-close@bugs.debian.org
Subject: Bug#930024: fixed in neovim 0.3.4-3
Date: Thu, 27 Jun 2019 02:59:59 +0000
Source: neovim
Source-Version: 0.3.4-3

We believe that the bug you reported is fixed in the latest version of
neovim, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 930024@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
James McCoy <jamessan@debian.org> (supplier of updated neovim package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 26 Jun 2019 21:21:33 -0400
Source: neovim
Architecture: source
Version: 0.3.4-3
Distribution: unstable
Urgency: high
Maintainer: Debian Vim Maintainers <team+vim@tracker.debian.org>
Changed-By: James McCoy <jamessan@debian.org>
Closes: 930024
Changes:
 neovim (0.3.4-3) unstable; urgency=high
 .
   * Backport additional changes to address CVE-2019-12735 (Closes: #930024)
     + vim-patch:8.1.0177: defining function in sandbox is inconsistent
     + vim-patch:8.1.0189: function defined in sandbox not tested
     + vim-patch:8.1.0538: evaluating a modeline might invoke using a shell
       command
     + vim-patch:8.1.0539: cannot build without the sandbox
     + vim-patch:8.1.0540: may evaluate insecure value when appending to option
     + vim-patch:8.1.0544: setting 'filetype' in a modeline causes an error
     + vim-patch:8.1.0613: when executing an insecure function the secure flag
       is stuck
     + vim-patch:8.1.1046: the "secure" variable is used inconsistently
     + vim-patch:8.1.0205: invalid memory access with invalid modeline
     + vim-patch:8.1.0206: duplicate test function name
     + vim-patch:8.1.0506: modeline test fails when run by root
     + vim-patch:8.1.0546: modeline test with keymap fails
     + vim-patch:8.1.0547: modeline test with keymap still fails
     + vim-patch:8.1.1366: using expressions in a modeline is unsafe
     + vim-patch:8.1.1367: can set 'modelineexpr' in modeline
     + vim-patch:8.1.1368: modeline test fails with python but without
       pythonhome
     + vim-patch:8.1.1382: error when editing test file
     + vim-patch:8.1.1401: misspelled mkspellmem as makespellmem
   * Backport patch to prevent use of nvim's API within the sandbox
Checksums-Sha1:
 2b469eb20f9c15a791f55f880b795fae43cb1e2a 2639 neovim_0.3.4-3.dsc
 92e3dc08924e1554fe78e592433b1b598f3b0296 26884 neovim_0.3.4-3.debian.tar.xz
 be038d319b0e6cbead906a4c39ba9db1b21cf5af 8218 neovim_0.3.4-3_amd64.buildinfo
Checksums-Sha256:
 317fddb847548883de032b71c8923e79ba03568e14285cd78077cf22ead8230a 2639 neovim_0.3.4-3.dsc
 aea5b17551716f438a0a061c027850f0ec09b0b36cc0c37b4055703e06b4f9b6 26884 neovim_0.3.4-3.debian.tar.xz
 b000ccded8321f145249b904bd199a4b294cabf6bbbded621eb0179ba6083e6a 8218 neovim_0.3.4-3_amd64.buildinfo
Files:
 b7df3c0ff912856357144c08e3f7b5ca 2639 editors optional neovim_0.3.4-3.dsc
 381c3d4d41720d420dec4e0d8b71996f 26884 editors optional neovim_0.3.4-3.debian.tar.xz
 b9e96215f900b27e988793b8467b8587 8218 editors optional neovim_0.3.4-3_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQKSBAEBCgB9FiEEkb+/TWlWvV33ty0j3+aRrjMbo9sFAl0UIJtfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDkx
QkZCRjRENjk1NkJENURGN0I3MkQyM0RGRTY5MUFFMzMxQkEzREIACgkQ3+aRrjMb
o9sxTQ/2OGjnJNnlDyOQeYBQO+4KOxfBLyEI0Nc3JejAqBGt37AYu1fQcl7uetDm
G7DkC/vOfZzCV98h0R+VOAj/2KszTXu7oKNyJbNXmW0mqqH66VaiJMWtQgwTqfyE
rJS6rUY7Hnx9x4LF/fv85W0jM0/SrTTEC0knHLRxlwUe7VUf1zeKueOT0yg+Tpcx
oz2lWWK4foa4Nja/7/HvW3DSQiSzofZoCa5uKugcO5RPrpBrPBC90fSAKsACtlz1
DP1MpympljqqBBx26/91eM28vLQJZPpN82KZW5CTVgp56z8EPmyuQf8IOHFAKqOe
NM8bYz0C3uGceyMXzVMOnLIKUQ0nb44pj+SBkDkGGXCq1P5NBuI3cZ0Uexz3SMeW
GIDtVuyQFp7uHqZXViC8QQlrqeubZdK7+GkkDXPGEcG4ETdppyo047wv7Evk6TmZ
12ElUwmeX5We/78ZqbWZQjKW6EAx7fCS8eQh13In5SKtZJxRIkKly4tSpgdMpHdb
wlYoV/KeukSX5VbVjm6XMFzCVhQ0tpG5TN1cFT0TwS+dzqpED7GORBhfw0y4MQeH
4rXnU+m5ll2HzrCnlPs0u++QeMk+8gxiBfi+OTAYqbEkqo5l7gUJbX13rVziaakO
Ra+Dp1aREA7/U0D0Ju6kXu+cX9CCH5SHu4YHVmmZOI+M8y4H1w==
=H36Y
-----END PGP SIGNATURE-----
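
The 0.3.4-3 changelog above lists the upstream patches behind the complete fix: 8.1.1365 makes `:source` respect the sandbox, 8.1.0538 stops a modeline from reaching a shell command, and 8.1.1366/8.1.1367 gate expression-valued options behind the new 'modelineexpr' option and stop a modeline from switching that option on. The Python below is an added example, not part of this bug log or of the neovim package: a triage scanner that looks only at the lines Vim actually consults for modelines (the first and last 'modelines' lines of a file, default 5) and flags those that set an expression-evaluated option or 'modelineexpr' itself, which is the class of modeline an unpatched editor would evaluate. Assumptions: the option list is a subset of the options 'modelineexpr' governs, the modeline parsing is simplified (backslash escapes are honoured when splitting on `:`, the `vim<700:` version-qualified forms are not handled), and the sample file is constructed.

```python
"""Triage scanner for Vim/Neovim modelines that set expression-evaluated options.

Added example, not part of the bug log or of neovim. Parsing is simplified:
the two forms from ':help modeline' are recognised, backslash-escaped colons
are respected when splitting, and version-qualified 'vim<700:' forms are not.
"""
import re
import sys

# Vim's default 'modelines': only this many lines at each end of a file are
# examined, so a modeline in the middle of a file is never evaluated.
MODELINES = 5

# Assumption: a subset of the options whose values are evaluated as
# expressions and which Vim patch 8.1.1366 gates behind 'modelineexpr'
# (default off). 'modelineexpr'/'mle' itself is listed because patch
# 8.1.1367 stops a modeline from turning it on.
EXPR_OPTIONS = {
    "foldexpr", "fde", "foldtext", "fdt", "formatexpr", "fex",
    "includeexpr", "inex", "indentexpr", "inde", "statusline", "stl",
    "tabline", "tal", "modelineexpr", "mle",
}

# ':help modeline' gives two forms:
#   [text]{white}{vi:|vim:|ex:}[white]{options}
#   [text]{white}{vi:|vim:|Vim:|ex:}[white]se[t] {options}:[text]
MODELINE_RE = re.compile(r"(?:^|\s)(?:vi|vim|Vim|ex):\s*(.*)$")


def _option_tokens(rest: str) -> list:
    """Return the option tokens of a modeline body."""
    m = re.match(r"se(?:t)?\s+(.*)", rest)
    if m:  # second form: options run up to the next unescaped ':'
        body = re.split(r"(?<!\\):", m.group(1), maxsplit=1)[0]
        return body.split()
    # first form: options separated by ':' or white space
    return [t for t in re.split(r"(?<!\\)[:\s]+", rest) if t]


def _option_name(token: str) -> str:
    """'fde=getline(v\\:lnum)' -> 'fde'; 'nomle' stays 'nomle' (not flagged)."""
    m = re.match(r"[A-Za-z]+", token)
    return m.group(0) if m else ""


def find_modelines(text: str, window: int = MODELINES) -> list:
    """(line number, option tokens) for every modeline Vim would honour."""
    lines = text.splitlines()
    n = len(lines)
    candidates = sorted(set(range(min(window, n))) | set(range(max(0, n - window), n)))
    found = []
    for i in candidates:
        m = MODELINE_RE.search(lines[i])
        if m:
            found.append((i + 1, _option_tokens(m.group(1))))
    return found


def risky_modelines(text: str, window: int = MODELINES) -> list:
    """(line number, flagged tokens) for modelines touching expression options."""
    hits = []
    for lineno, tokens in find_modelines(text, window):
        flagged = [t for t in tokens if _option_name(t) in EXPR_OPTIONS]
        if flagged:
            hits.append((lineno, flagged))
    return hits


# Constructed sample file (12 lines). Line 7 carries an expression option but
# sits outside both 5-line windows, so Vim would never evaluate it.
SAMPLE = "\n".join([
    "# vim: set ts=4 sw=4 et:",                         # 1: ordinary modeline
    "import os",                                        # 2
    "",                                                 # 3
    "def main():",                                      # 4
    "    print(os.getcwd())",                           # 5
    "",                                                 # 6
    r"# vim: set fde=getline(v\:lnum):",                # 7: ignored by Vim
    "",                                                 # 8
    "",                                                 # 9
    "if __name__ == '__main__':",                       # 10
    "    main()",                                       # 11
    r"# vim: set mle fdm=expr fde=getline(v\:lnum):",   # 12: honoured, flagged
])


if __name__ == "__main__":
    # Usage: python3 modeline_scan.py FILE...   (no arguments: scan SAMPLE)
    paths = sys.argv[1:]
    sources = [(p, open(p, encoding="utf-8", errors="replace").read()) for p in paths]
    for path, text in sources or [("<sample>", SAMPLE)]:
        for lineno, flagged in risky_modelines(text):
            print(f"{path}:{lineno}: modeline sets {' '.join(flagged)}")
```

Run it over a checkout before opening files in an editor that has not been updated; a hit is something to look at, not a confirmed payload, and the remedy is the fixed package (0.3.4-3 or 0.1.7-4+deb9u1 here) or turning 'modeline' off altogether.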




Reply sent to James McCoy <jamessan@debian.org>:
You have taken responsibility. (Sat, 27 Jul 2019 23:21:07 GMT)


Notification sent to Matthew Crews <mattcrews@mattcrews.com>:
Bug acknowledged by developer. (Sat, 27 Jul 2019 23:21:07 GMT)


Message #55 received at 930024-close@bugs.debian.org:

From: James McCoy <jamessan@debian.org>
To: 930024-close@bugs.debian.org
Subject: Bug#930024: fixed in neovim 0.1.7-4+deb9u1
Date: Sat, 27 Jul 2019 23:17:36 +0000
Source: neovim
Source-Version: 0.1.7-4+deb9u1

We believe that the bug you reported is fixed in the latest version of
neovim, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 930024@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
James McCoy <jamessan@debian.org> (supplier of updated neovim package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 16 Jul 2019 01:05:10 -0400
Source: neovim
Architecture: source
Version: 0.1.7-4+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian Vim Maintainers <pkg-vim-maintainers@lists.alioth.debian.org>
Changed-By: James McCoy <jamessan@debian.org>
Closes: 930024
Changes:
 neovim (0.1.7-4+deb9u1) stretch-security; urgency=high
 .
   * Backport upstream patches to address CVE-2019-12735 (Closes: #930024)
     + vim-patch-8.0.0649 and vim-patch-8.0.0650: autocmd open help 2 times
     + vim-patch:8.1.0066: nasty autocommand causes using freed memory
     + vim-patch:8.1.0067: syntax highlighting not working when re-entering a buffer
     + vim-patch:8.1.0177: defining function in sandbox is inconsistent
     + vim-patch:8.1.0189: function defined in sandbox not tested
     + vim-patch:8.1.0205: invalid memory access with invalid modeline
     + vim-patch:8.1.0506: modeline test fails when run by root
     + vim-patch:8.1.0538: evaluating a modeline might invoke using a shell command
     + vim-patch:8.1.0539: cannot build without the sandbox
     + vim-patch:8.1.0540: may evaluate insecure value when appending to option
     + vim-patch:8.1.0544: setting 'filetype' in a modeline causes an error
     + vim-patch:8.1.0546: modeline test with keymap fails
     + vim-patch:8.1.0547: modeline test with keymap still fails
     + vim-patch:8.1.0613: when executing an insecure function the secure flag is stuck
     + vim-patch:8.1.1046: the "secure" variable is used inconsistently
     + vim-patch:8.1.1365: :source should check sandbox
     + vim-patch:8.1.1366: using expressions in a modeline is unsafe
     + vim-patch:8.1.1367: can set 'modelineexpr' in modeline
     + vim-patch:8.1.1368: modeline test fails with python but without pythonhome
     + vim-patch:8.1.1382: error when editing test file
     + vim-patch:8.1.1401: misspelled mkspellmem as makespellmem
Checksums-Sha1:
 3fbc530c2c04e4d248b2d04c35bfdd04f1828924 2686 neovim_0.1.7-4+deb9u1.dsc
 be36bf8b80a37de7d2321fe9e8dc110331840006 7601279 neovim_0.1.7.orig.tar.gz
 7d48778fcb3fc7c4901a48fd66c3bef46333a5f5 36020 neovim_0.1.7-4+deb9u1.debian.tar.xz
 6d2551703b19ce8a8e22ca0d9c438e7c087e1d4e 8012 neovim_0.1.7-4+deb9u1_source.buildinfo
Checksums-Sha256:
 74aa8412d3403f335ce3ded2ca90d63970d661fc3564f3f3d46b487e0a2f4a46 2686 neovim_0.1.7-4+deb9u1.dsc
 d59b2e7d3e8756367bc8e3890fd5e1008e45f90e85c6a0f7d251b3889d756506 7601279 neovim_0.1.7.orig.tar.gz
 358d52252262e6d22b89a467b0bff305ceadf99abcc109ff3208f900bd5fec6e 36020 neovim_0.1.7-4+deb9u1.debian.tar.xz
 c0de4b237afc1edbe62611c0b83bb4b2024fd6665591e16f77cfab9319a37f4e 8012 neovim_0.1.7-4+deb9u1_source.buildinfo
Files:
 34feacd0d01ff0d507dc781087cb9a32 2686 editors extra neovim_0.1.7-4+deb9u1.dsc
 43b6ce7ff1c795acc2c4ac9d7e2ef9df 7601279 editors extra neovim_0.1.7.orig.tar.gz
 1bff0da302dd0fca8adf7ec05426c053 36020 editors extra neovim_0.1.7-4+deb9u1.debian.tar.xz
 f75432bbc5b540de72a91d5f1567d372 8012 editors extra neovim_0.1.7-4+deb9u1_source.buildinfo

[PGP signature omitted]




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 25 Aug 2019 07:31:49 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 00:58:33 2025; Machine Name: bembo
