openSUSE Security Update : neovim (openSUSE-2019-1759)

high Nessus Plugin ID 126899
New! Plugin Severity Now Using CVSS v3

The calculated severity for Plugins has been updated to use CVSS v3 by default. Plugins that do not have a CVSS v3 score will fall back to CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Synopsis

The remote openSUSE host is missing a security update.

Description

This update for neovim fixes the following issues :

neovim was updated to version 0.3.7 :

- CVE-2019-12735: source should check sandbox (boo#1137443)

- genappimage.sh: migrate to linuxdeploy

Version Update to version 0.3.5 :

- options: properly reset directories on 'autochdir'

- Remove MSVC optimization workaround for SHM_ALL

- Make SHM_ALL to a variable instead of a compound literal #define

- doc: mention 'pynvim' module rename

- screen: don't crash when drawing popupmenu with 'rightleft' option

- look-behind match may use the wrong line number

- :terminal : set topline based on window height

- :recover : Fix crash on non-existent *.swp

Version Update to version 0.3.4 :

- test: add tests for conceal cursor movement

- display: unify ursorline and concealcursor redraw logic

Version Update to version 0.3.3 :

- health/provider: Check for available pynvim when neovim mod is missing

- python#CheckForModule: Use the given module string instead of hard-coding pynvim

- (health.provider)/python: Import the neovim, rather than pynvim, module

- TUI: Konsole DECSCUSR fixup

Version Update to version 0.3.2:-

- Features

- clipboard: support Custom VimL functions (#9304)

- win/TUI: improve terminal/console support (#9401)

- startup: Use $XDG_CONFIG_DIRS/nvim/sysinit.vim if exists (#9077)

- support mapping in more places (#9299)

- diff/highlight: show underline for low-priority CursorLine (#9028)

- signs: Add 'nuhml' argument (#9113)

- clipboard: support Wayland (#9230)

- TUI: add support for undercurl and underline color (#9052)

- man.vim: soft (dynamic) wrap (#9023)

- API

- API: implement object namespaces (#6920)

- API: implement nvim_win_set_buf() (#9100)

- API: virtual text annotations (nvim_buf_set_virtual_text) (#8180)

- API: add nvim_buf_is_loaded() (#8660)

- API: nvm_buf_get_offset_for_line (#8221)

- API/UI: ext_newgrid, ext_histate (#8221)

- UI

- TUI: use BCE again more often (smoother resize) (#8806)

- screen: add missing status redraw when redraw_later(CLEAR) was used (#9315)

- TUI: clip invalid regions on resize (#8779)

- TUI: improvements for scrolling and clearing (#9193)

- TUI: disable clearing almost everywhere (#9143)

- TUI: always use safe cursor movement after resize (#9079)

- ui_options: also send when starting or from OptionSet (#9211)

- TUI: Avoid reset_color_cursor_color in old VTE (#9191)

- Don't erase screen on :hi Normal during startup (#9021)

- TUI: Hint wrapped lines to terminals (#8915)

- FIXES

- RPC: turn errors from async calls into notifications

- TUI: Restore terminal title via 'title stacking' (#9407)

- genappimage: Unset $ARGV0 at invocation (#9376)

- TUI: Konsole 18.07.70 supports DECSCUSR (#9364)

- provider: improve error message (#9344)

- runtime/syntax: Fix highlighting of autogroup contents (#9328)

- VimL/confirm(): Show dialog even if :silent (#9297)

- clipboard: prefer xclip (#9302)

- provider/nodejs: fix npm, yarn detection

- channel: avoid buffering output when only terminal is active (#9218)

- ruby: detect rbenv shims for other versions (#8733)

- third-party/unibilium: Fix parsing of extended capabilitiy entries (#9123)

- jobstart(): Fix hang on non-executable cwd (#9204)

- provide/nodejs: Simultaneously query npm and yarn (#9054)

- undo: Fix infinite loop if undo_read_byte returns EOF (#2880)

- 'swapfile: always show dialog' (#9034)

- Add to the system-wide configuration file extension of runtimepath by /usr/share/vim/site, so that neovim uses other Vim plugins installed from packages.

- Add /usr/share/vim/site tree of directories to be owned by neovim as well.

Solution

Update the affected neovim packages.

See Also

https://bugzilla.opensuse.org/show_bug.cgi?id=1137443

Plugin Details

Severity: High

ID: 126899

File Name: openSUSE-2019-1759.nasl

Version: 1.3

Type: local

Agent: unix

Published: 7/22/2019

Updated: 9/23/2020

Dependencies: ssh_get_info.nasl

Risk Information

VPR

Risk Factor: High

Score: 8.1

CVSS v2

Risk Factor: High

Base Score: 9.3

Temporal Score: 7.3

Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

Temporal Vector: E:POC/RL:OF/RC:C

CVSS v3

Risk Factor: High

Base Score: 8.6

Temporal Score: 7.7

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Temporal Vector: E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:neovim, p-cpe:/a:novell:opensuse:neovim-debuginfo, p-cpe:/a:novell:opensuse:neovim-debugsource, p-cpe:/a:novell:opensuse:neovim-lang, cpe:/o:novell:opensuse:15.1

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list, Host/cpu

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 7/21/2019

Vulnerability Publication Date: 6/5/2019

Reference Information

CVE: CVE-2019-12735