Vim, gVim: Remote execution of arbitrary code — GLSA 201701-29

A vulnerability has been found in Vim and gVim concerning how certain modeline options are treated.

Affected packages

app-editors/vim on all architectures
Affected versions < 8.0.0106
Unaffected versions >= 8.0.0106
app-editors/gvim on all architectures
Affected versions < 8.0.0106
Unaffected versions >= 8.0.0106

Background

Vim is an efficient, highly configurable improved version of the classic ‘vi’ text editor. gVim is the GUI version of Vim.

Description

Vim and gVim do not properly validate values for the ‘filetype’, ‘syntax’, and ‘keymap’ options.

Impact

A remote attacker could entice a user to open a specially crafted file using Vim/gVim with certain modeline options enabled possibly resulting in execution of arbitrary code with the privileges of the process.

Workaround

Disabling modeline support in .vimrc by adding “set nomodeline” will prevent exploitation of this flaw. By default, modeline is enabled for ordinary users but disabled for root.

Resolution

All Vim users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=app-editors/vim-8.0.0106"
 

All gVim users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=app-editors/gvim-8.0.0106"
 

References

Release date
January 11, 2017

Latest revision
January 11, 2017: 1

Severity
normal

Exploitable
remote

Bugzilla entries