GLSA-201701-29 : Vim, gVim: Remote execution of arbitrary code

Medium Nessus Plugin ID 96423


The remote Gentoo host is missing one or more security-related patches.


The remote host is affected by the vulnerability described in GLSA-201701-29 (Vim, gVim: Remote execution of arbitrary code)

Vim and gVim do not properly validate values for the ‘filetype’, ‘syntax’, and ‘keymap’ options.
Impact :

A remote attacker could entice a user to open a specially crafted file using Vim/gVim with certain modeline options enabled possibly resulting in execution of arbitrary code with the privileges of the process.
Workaround :

Disabling modeline support in .vimrc by adding “set nomodeline” will prevent exploitation of this flaw. By default, modeline is enabled for ordinary users but disabled for root.


All Vim users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose '>=app-editors/vim-8.0.0106' All gVim users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose '>=app-editors/gvim-8.0.0106'

See Also

Plugin Details

Severity: Medium

ID: 96423

File Name: gentoo_GLSA-201701-29.nasl

Version: $Revision: 3.1 $

Type: local

Published: 2017/01/12

Modified: 2017/01/12

Dependencies: 12634

Risk Information

Risk Factor: Medium


Base Score: 6.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P


Base Score: 7.8

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Vulnerability Information

CPE: p-cpe:/a:gentoo:linux:gvim, p-cpe:/a:gentoo:linux:vim, cpe:/o:gentoo:linux

Required KB Items: Host/local_checks_enabled, Host/Gentoo/release, Host/Gentoo/qpkg-list

Patch Publication Date: 2017/01/11

Reference Information

CVE: CVE-2016-1248

GLSA: 201701-29