SB2019060420 - OS Command Injection in neovim (Alpine package)
Published: June 4, 2019
Description
This security bulletin contains information about 1 security vulnerability.
1) OS Command Injection (CVE-ID: CVE-2019-12735)
The vulnerability allows a local non-authenticated attacker to execute arbitrary code.
getchar.c in Vim before 8.1.1365 and Neovim before 0.3.6 allows remote attackers to execute arbitrary OS commands via the :source! command in a modeline, as demonstrated by execute in Vim, and assert_fails or nvim_input in Neovim.
Remediation
Install the update from the vendor's website.
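A check a defender can run to confirm that the remediation has actually taken effect, added here as example code (not part of this bulletin or of the Vim/Neovim projects): it parses the `vim --version` / `nvim --version` banners and compares them against the fixed versions named in the CVE text above, treating Vim's "Included patches" line as the patch level. The sample banners are constructed for the example.

```python
import re
import subprocess
from typing import Optional, Tuple

# Fixed versions named in CVE-2019-12735: Vim 8.1.1365, Neovim 0.3.6.
VIM_FIXED = (8, 1, 1365)
NVIM_FIXED = (0, 3, 6)

# Constructed samples of `vim --version` / `nvim --version` output (not real captures).
SAMPLE_VIM_OLD = ("VIM - Vi IMproved 8.1 (2018 May 18, compiled Jan 01 2019 00:00:00)\n"
                  "Included patches: 1-1364\n"
                  "Compiled by constructed-example\n")
SAMPLE_NVIM_OLD = "NVIM v0.3.5\nBuild type: Release\n"
SAMPLE_NVIM_NEW = "NVIM v0.3.6\nBuild type: Release\n"

def parse_vim_version(output: str) -> Optional[Tuple[int, int, int]]:
    """(major, minor, highest patch) from Vim's banner, or None if not Vim."""
    m = re.search(r"VIM - Vi IMproved (\d+)\.(\d+)", output)
    if not m:
        return None
    patch = 0  # a Vim with no "Included patches" line is at patch level 0
    p = re.search(r"Included patches:\s*([\d,\s-]+)", output)
    if p:  # "1-1364" or "1-10, 12-1364": the highest number is the patch level
        patch = max(int(n) for n in re.findall(r"\d+", p.group(1)))
    return (int(m.group(1)), int(m.group(2)), patch)

def parse_nvim_version(output: str) -> Optional[Tuple[int, int, int]]:
    """(major, minor, patch) from Neovim's banner, or None if not Neovim."""
    m = re.search(r"NVIM v(\d+)\.(\d+)\.(\d+)", output)
    return tuple(int(x) for x in m.groups()) if m else None

def is_vulnerable(output: str) -> Optional[bool]:
    """True if the banner is older than the fixed release; None if unrecognised."""
    nvim = parse_nvim_version(output)
    if nvim is not None:
        return nvim < NVIM_FIXED
    vim = parse_vim_version(output)
    if vim is not None:
        return vim < VIM_FIXED
    return None

def check_installed(binary: str) -> Optional[bool]:
    """Run `<binary> --version` on this host and classify it; None if absent."""
    try:
        out = subprocess.run([binary, "--version"], capture_output=True, text=True)
    except OSError:
        return None
    return is_vulnerable(out.stdout)
```

Call `check_installed("vim")` and `check_installed("nvim")` on each host after the package update; any `True` means the binary still predates the fix. Until the update is installed, `set nomodeline` in the editor's configuration disables modeline processing, which is the vector the CVE text describes.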
References
- https://git.alpinelinux.org/aports/commit/?id=5f92eb8ad10133c22508f7e1ab4e46b4eb842ef7
- https://git.alpinelinux.org/aports/commit/?id=9e016dcfd6d790898c57f069cc8dc7d7fe89e78e
- https://git.alpinelinux.org/aports/commit/?id=9d6c7756fa25f6d0e5c7f4de50c5b0bace40d217
- https://git.alpinelinux.org/aports/commit/?id=74071d50c5e7b91e5a0c1803758fcb1de721d712
- https://git.alpinelinux.org/aports/commit/?id=f5bf7a6023c0e044a089cc7cf27278c45e55b064
- https://git.alpinelinux.org/aports/commit/?id=4e2ff29bbe166586bfa55dd3fcd748093df274b4
- https://git.alpinelinux.org/aports/commit/?id=92475d977e6207aee9c5d359af70c60262739f69