Text editor programs Vim and Neovim both received security updates late last month after was was found to contain a remote code execution vulnerability.
Designated CVE-2019-12735, the flaw was discovered by security researcher Armin Razmjou and assigned an 8.6 HIGH CVSS base score.
According to an analysis of the vulnerability that was published last week, Vim versions prior to 8.1.1365 and Neovim versions prior to 0.3.6 are susceptible to code execution “via modelines by opening a specially crafted text file.” Razmjou included two proof of concepts along with his analysis.
The modeline feature, which is enabled by default in the two programs, lets users specify custom editor options near the start or end of a file, the analysis explains. Some of these options are executed in a sandbox in order to prevent side effects, but Razmjou found that “the
:source! command with the bang [
!] modifier can be used to bypass the sandbox” because these commands are mistakenly interpreted as having been manually typed and therefore are run after the sandbox has been left. This is what triggers the RCE condition.
Vim was fixed in a May 23 software release, while Neovim was patched on May 29.
“Beyond patching, it’s recommended to disable modelines in the vimrc (
set nomodeline), to use the securemodelinesplugin, or to disable
modelineexpr (since patch 8.1.1366, Vim-only) to disallow expressions in modelines,” Razmjou advises in his vulnerability analysis.