Lucene search

DebianDEBIAN:DSA-4487-1:B50EE

HistoryJul 23, 2019 - 9:15 p.m.

[SECURITY] [DSA 4487-1] neovim security update

2019-07-2321:15:37

lists.debian.org

CVSS2

9.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS3

8.6

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

AI Score

7.9

Confidence

High

EPSS

0.004

Percentile

74.0%

JSON

Debian Security Advisory DSA-4487-1 [email protected]
https://www.debian.org/security/ Moritz Muehlenhoff
July 23, 2019 https://www.debian.org/security/faq

Package : neovim
CVE ID : CVE-2019-12735

User "Arminius" discovered a vulnerability in Vim, an enhanced version of the
standard UNIX editor Vi (Vi IMproved), which also affected the Neovim fork, an
extensible editor focused on modern code and features:

Editors typically provide a way to embed editor configuration commands (aka
modelines) which are executed once a file is opened, while harmful commands
are filtered by a sandbox mechanism. It was discovered that the "source"
command (used to include and execute another file) was not filtered, allowing
shell command execution with a carefully crafted file opened in Neovim.

For the oldstable distribution (stretch), this problem has been fixed
in version 0.1.7-4+deb9u1.

We recommend that you upgrade your neovim packages.

For the detailed security status of neovim please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/neovim

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: [email protected]

OSVersionArchitecturePackageVersionFilename
Debian8armhfvim-common< 2:7.4.488-7+deb8u4vim-common_2:7.4.488-7+deb8u4_armhf.deb
Debian9s390xneovim-dbgsym< 0.1.7-4+deb9u1neovim-dbgsym_0.1.7-4+deb9u1_s390x.deb
Debian8armhfvim< 2:7.4.488-7+deb8u4vim_2:7.4.488-7+deb8u4_armhf.deb
Debian9i386vim-nox-dbgsym< 2:8.0.0197-4+deb9u2vim-nox-dbgsym_2:8.0.0197-4+deb9u2_i386.deb
Debian8amd64vim-gtk< 2:7.4.488-7+deb8u4vim-gtk_2:7.4.488-7+deb8u4_amd64.deb
Debian9arm64vim-athena-dbgsym< 2:8.0.0197-4+deb9u2vim-athena-dbgsym_2:8.0.0197-4+deb9u2_arm64.deb
Debian8armelvim-tiny< 2:7.4.488-7+deb8u4vim-tiny_2:7.4.488-7+deb8u4_armel.deb
Debian8armelvim-gtk< 2:7.4.488-7+deb8u4vim-gtk_2:7.4.488-7+deb8u4_armel.deb
Debian9armelvim-nox< 2:8.0.0197-4+deb9u2vim-nox_2:8.0.0197-4+deb9u2_armel.deb
Debian9amd64vim-athena-dbgsym< 2:8.0.0197-4+deb9u2vim-athena-dbgsym_2:8.0.0197-4+deb9u2_amd64.deb

OS	Version	Architecture	Package	Version	Filename
Debian	8	armhf	vim-common	< 2:7.4.488-7+deb8u4	vim-common_2:7.4.488-7+deb8u4_armhf.deb
Debian	9	s390x	neovim-dbgsym	< 0.1.7-4+deb9u1	neovim-dbgsym_0.1.7-4+deb9u1_s390x.deb
Debian	8	armhf	vim	< 2:7.4.488-7+deb8u4	vim_2:7.4.488-7+deb8u4_armhf.deb
Debian	9	i386	vim-nox-dbgsym	< 2:8.0.0197-4+deb9u2	vim-nox-dbgsym_2:8.0.0197-4+deb9u2_i386.deb
Debian	8	amd64	vim-gtk	< 2:7.4.488-7+deb8u4	vim-gtk_2:7.4.488-7+deb8u4_amd64.deb
Debian	9	arm64	vim-athena-dbgsym	< 2:8.0.0197-4+deb9u2	vim-athena-dbgsym_2:8.0.0197-4+deb9u2_arm64.deb
Debian	8	armel	vim-tiny	< 2:7.4.488-7+deb8u4	vim-tiny_2:7.4.488-7+deb8u4_armel.deb
Debian	8	armel	vim-gtk	< 2:7.4.488-7+deb8u4	vim-gtk_2:7.4.488-7+deb8u4_armel.deb
Debian	9	armel	vim-nox	< 2:8.0.0197-4+deb9u2	vim-nox_2:8.0.0197-4+deb9u2_armel.deb
Debian	9	amd64	vim-athena-dbgsym	< 2:8.0.0197-4+deb9u2	vim-athena-dbgsym_2:8.0.0197-4+deb9u2_amd64.deb