GLSA-201701-29 : Vim, gVim: Remote execution of arbitrary code
Severity: Medium. Nessus Plugin ID 96423

Synopsis
The remote Gentoo host is missing one or more security-related patches.

Description
The remote host is affected by the vulnerability described in GLSA-201701-29 (Vim, gVim: Remote execution of arbitrary code).
Vim and gVim do not properly validate values for the ‘filetype’, ‘syntax’, and ‘keymap’ options.
A remote attacker could entice a user to open a specially crafted file in Vim/gVim with certain modeline options enabled, possibly resulting in execution of arbitrary code with the privileges of the Vim process.
Disabling modeline support in .vimrc by adding “set nomodeline” will prevent exploitation of this flaw. By default, modeline is enabled for ordinary users but disabled for root.
Solution
All Vim users should upgrade to the latest version:
  # emerge --sync
  # emerge --ask --oneshot --verbose '>=app-editors/vim-8.0.0106'
All gVim users should upgrade to the latest version:
  # emerge --sync
  # emerge --ask --oneshot --verbose '>=app-editors/gvim-8.0.0106'
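The two defender-side checks the advisory implies (is the "set nomodeline" workaround actually active in a vimrc, and is the installed Vim/gVim at or above the fixed version 8.0.0106) can be scripted. The script below is an added example, not code from the Nessus plugin or from the Gentoo advisory; the fixed version comes from the advisory, the vimrc contents it checks are constructed for the demo, and the version comparison (decimal, field by field, Gentoo "-rN" revision suffix ignored) is this example's own assumption rather than Portage's comparison rules.

```sh
#!/bin/sh
# Added example (not from the Nessus plugin or GLSA-201701-29 itself).
# Two checks for the conditions the advisory describes:
#   1. does a vimrc carry an active (uncommented) "set nomodeline" line?
#   2. is a Vim/gVim version at or above the fixed release 8.0.0106?
# Assumptions: versions are dotted decimal fields; a Gentoo "-rN" revision
# suffix is dropped before comparing; sample vimrc contents are constructed.

FIXED_VERSION="8.0.0106"   # fixed version named in the advisory

# vimrc_has_nomodeline FILE
# Returns 0 when FILE contains "set nomodeline" that is not commented out
# (Vim comments start with a double quote), 1 otherwise.
vimrc_has_nomodeline() {
    grep -Eq '^[[:space:]]*set[[:space:]]+nomodeline([[:space:]]|$)' "$1"
}

# strip_leading_zeros N -> prints N without leading zeros ("0106" -> "106", "000" -> "0")
# so that [ ... -gt ... ] sees plain decimal numbers.
strip_leading_zeros() {
    n="${1#"${1%%[!0]*}"}"
    printf '%s\n' "${n:-0}"
}

# version_ge A B
# Returns 0 when dotted version A is >= B, comparing field by field as
# decimal integers (8.0.0106 > 8.0.99; 8.0.0106-r1 is treated as 8.0.0106).
version_ge() {
    a="${1%%-*}"; b="${2%%-*}"           # drop a Gentoo revision suffix
    while [ -n "$a" ] || [ -n "$b" ]; do
        ap="${a%%.*}"; bp="${b%%.*}"     # next field of each version
        if [ "$ap" = "$a" ]; then a=""; else a="${a#*.}"; fi
        if [ "$bp" = "$b" ]; then b=""; else b="${b#*.}"; fi
        ap=$(strip_leading_zeros "$ap"); bp=$(strip_leading_zeros "$bp")
        if [ "$ap" -gt "$bp" ]; then return 0; fi
        if [ "$ap" -lt "$bp" ]; then return 1; fi
    done
    return 0                             # all fields equal
}

# vim_is_fixed VERSION -> 0 when VERSION is at or above FIXED_VERSION
vim_is_fixed() {
    version_ge "$1" "$FIXED_VERSION"
}

# Demo on constructed input: a vimrc that only has the workaround commented
# out, then with it enabled, and a few version strings.
demo() {
    tmp=$(mktemp)
    printf '%s\n' 'syntax on' '" set nomodeline' > "$tmp"
    if vimrc_has_nomodeline "$tmp"; then
        echo "vimrc: modeline disabled"
    else
        echo "vimrc: modeline still enabled (workaround only commented out)"
    fi
    printf '%s\n' 'set nomodeline' >> "$tmp"
    if vimrc_has_nomodeline "$tmp"; then echo "vimrc: modeline disabled"; fi
    rm -f "$tmp"
    for v in 8.0.0105 8.0.0106 8.0.0106-r1 8.1.0001; do
        if vim_is_fixed "$v"; then
            echo "vim $v: at or above fixed version"
        else
            echo "vim $v: below fixed version, upgrade per GLSA-201701-29"
        fi
    done
}

demo
```

To check a real host, point `vimrc_has_nomodeline` at the user's ~/.vimrc (and the system vimrc) and feed `vim_is_fixed` the version reported by the package manager; the modeline check only tells you the workaround is in place, so the version check remains the one that confirms the patch.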