The feedkeys() and writefile() functions are allowed in the sandbox, which allows a malicious file to run arbitrary commands in a modeline-enabled vim like:

vim: fdm=expr fde=feedkeys("\\:!touch\ phantom_was_here\\<cr>")
vim: fdm=expr fde=writefile([""],"phantom_was_here")

These problems have been fixed with patch-7.0.234[1] and patch-7.0.235[2]. A temporary solution is to 'set nomodeline' in vimrc, which Gentoo already has by default.
Oh, and..

[1] ftp://ftp.vim.org/pub/vim/patches/7.0/7.0.234
[2] ftp://ftp.vim.org/pub/vim/patches/7.0/7.0.235

Sorry..
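The two payloads in the report above only work because Vim reads modelines from the first and last 'modelines' lines of a file (default 5) and, before the fix, the sandbox let expression options such as fde= call feedkeys() and writefile(). The scanner below is an added example, not code from this bug report or from the vim package: it finds modelines in that head/tail window, reports any expression-valued option they set, and names the suspicious function calls inside it. The EXPR_OPTIONS and RISKY_CALLS lists, the tokenizer and the sample file are assumptions of this example; the tokenizer is a simplification of Vim's modeline parser, not a reimplementation of it.

```python
"""Heuristic scanner for risky Vim modelines (added example, not from the bug report).

Vim only looks for modelines in the first and last 'modelines' lines of a file
(default 5), so only that window is inspected. Any modeline that sets an
expression-valued option (the bug above uses fdm=expr with a fde= payload) is
reported, together with the names of suspicious function calls in its value.
"""
import re
from typing import List, NamedTuple, Tuple

# Expression-valued options. fde/foldexpr is the one used in the report above;
# the others are further Vim expression options. Heuristic list, not exhaustive.
EXPR_OPTIONS = {
    "fde", "foldexpr",
    "fdt", "foldtext",
    "inde", "indentexpr",
    "inex", "includeexpr",
    "fex", "formatexpr",
}

# feedkeys() and writefile() are the two functions named in the report above;
# system() and execute() are added here as further side-effecting examples.
RISKY_CALLS = ("feedkeys", "writefile", "system", "execute")

# Modeline marker: 'vi:', 'vim:', 'Vim:' or 'ex:', optionally with a version
# qualifier such as 'vim700:' or 'vim<700:', at start of line or after a blank.
MODELINE_RE = re.compile(r"(?:^|\s)(?:vi|vim|Vim|ex)(?:[<>=]?\d+)?:\s*(.*)$")


class Finding(NamedTuple):
    lineno: int             # 1-based line number within the scanned text
    option: str             # option name as written in the modeline
    value: str              # raw option value (escapes are left as-is)
    calls: Tuple[str, ...]  # risky function names found in the value


def _split_options(body: str) -> List[str]:
    """Tokenize a modeline body into 'name=value' / 'name' items.

    Covers both modeline forms: 'vim: opt1 opt2=val:opt3' (items separated by
    blanks or ':') and 'vim: set opt1 opt2=val: free text'. A backslash escapes
    the following blank or ':' so that payloads like fde=f("\\:!cmd") stay whole.
    Simplified compared to Vim's own parser (assumption of this example).
    """
    m = re.match(r"^se(?:t)?\s+(.*)$", body)
    if m:
        # 'set' form: options run up to the first unescaped ':'
        options = re.split(r"(?<!\\):", m.group(1), maxsplit=1)[0]
        separator = r"(?<!\\)\s+"
    else:
        options = body
        separator = r"(?<!\\)[\s:]+"
    return [tok for tok in re.split(separator, options) if tok]


def scan(text: str, modelines: int = 5) -> List[Finding]:
    """Report expression options set by modelines in the head/tail window."""
    lines = text.splitlines()
    window = set(range(0, min(modelines, len(lines))))
    window |= set(range(max(len(lines) - modelines, 0), len(lines)))
    findings: List[Finding] = []
    for idx in sorted(window):
        m = MODELINE_RE.search(lines[idx])
        if not m:
            continue
        for tok in _split_options(m.group(1)):
            am = re.match(r"^([A-Za-z]+)[+^-]?=(.*)$", tok)
            if not am or am.group(1) not in EXPR_OPTIONS:
                continue
            value = am.group(2)
            calls = tuple(c for c in RISKY_CALLS
                          if re.search(r"\b%s\s*\(" % c, value))
            findings.append(Finding(idx + 1, am.group(1), value, calls))
    return findings


# Constructed sample file (12 lines). Line 6 carries a modeline but sits outside
# the default 5-line head/tail window, so Vim would never evaluate it.
SAMPLE = "\n".join([
    "#!/bin/sh",
    "# build helper",
    "set -e",
    "echo hello",
    "echo world",
    '# vim: fdm=expr fde=system("id")',
    "exit 0",
    r'# vim: fdm=expr fde=feedkeys("\\:!touch\ phantom_was_here\\<cr>")',
    r'# vim: fdm=expr fde=writefile([""],"phantom_was_here")',
    "# vim: set ts=4 sw=4 et:",
    "# end of file",
    "# (trailing comment)",
])

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print("line %d: %s=%s  calls=%s"
              % (f.lineno, f.option, f.value, ",".join(f.calls) or "-"))
```

Run against the sample, the scanner reports only lines 8 and 9 (the two payloads from the report); the system("id") modeline on line 6 is skipped because a 12-line file leaves it outside the 5-line window, which is the same reason the real attack puts its modeline at the top or bottom of the file. Raising `modelines` to 6 makes line 6 show up too.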
Created attachment 117677 [details] vim-7.0.235.ebuild I think bumping vim to version 7.0.235 is a good idea. I've created a snapshot of vim patches the way Gentoo packages them. It's under http://hawking.nonlogic.org/distfiles/vim-patches-7.0.235.tar.gz I'm attaching updated ebuilds; basically only their names and SRC_URI are changed.
Created attachment 117686 [details] vim-core-7.0.235.ebuild
Created attachment 117688 [details] gvim-7.0.235.ebuild
vim, please advise and bump as necessary.
*** Bug 176477 has been marked as a duplicate of this bug. ***
7.0.235 is already in the tree, though currently it is not keyworded stable on any arch. So, I guess the next step is to request keywording, correct?
Sorry for being late, I must have forgotten to commit the last one a few days ago. Arches please test and mark stable. Target keywords are: vim-7.0.235.ebuild:KEYWORDS="alpha amd64 arm hppa ia64 m68k mips ppc ppc64 s390 sh sparc ~sparc-fbsd x86 ~x86 ~x86-fbsd"
ia64 + x86 stable
armin76 just mentioned that gvim needs to go stable as well. gvim-7.0.235.ebuild:KEYWORDS="alpha amd64 hppa ia64 mips ppc ~ppc64 sparc x86 ~x86-fbsd"
sparc all done for vim-core, [g]vim.
Alpha done.
app-editors/gvim needs to be marked stable at the same time or there'll be issues for folks who have both vim and gvim installed.
Oops, sorry, I was just going from old emails when I sent that. Ignore me...
Stable for HPPA.
ppc64 stable
ppc stable
amd64 done.
*** Bug 168008 has been marked as a duplicate of this bug. ***
This one is ready for GLSA decision. I tend to vote NO.
I vote NO as it seems that Gentoo default install protects against this.
I'd also vote no, but I'd like a way to let users know about a more secure replacement for vim's builtin modeline support that was just added to the tree -- app-vim/securemodelines. I'd recommend that users disable modelines if they have enabled them locally, and install that script instead. Is that something more appropriate for a GWN article or something?
I'd say GWN + enote.
I vote no too, since it's not the default config, and since modeline is known to be dangerous in some cases. OK for GWN. Mike, I'm closing this bug, but feel free to reopen it if this is useful to you.
All three stable on mips for 7.0.235.