Bug 73717

Summary: vim: evil modeline code
Product: Gentoo Security
Reporter: Ciaran McCreesh <ciaran.mccreesh>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED DUPLICATE
Severity: normal
CC: ciaran.mccreesh, vim
Priority: High
Version: unspecified
Hardware: All
OS: All
Whiteboard:
Package list:
Runtime testing required: ---

Description Ciaran McCreesh 2004-12-07 13:31:06 UTC
If vim modelines are enabled, it's possible to create a file which, when opened in vim, will really screw things up for the user. Under certain circumstances it is also possible to execute arbitrary code as the user running vim.

I've emailed upstream regarding the issue, security@ is on the Cc: list. I suspect there're a few more similar attacks that I haven't thought of. Awaiting upstream's response before we go any further.

Note that modelines are disabled by default in the Gentoo-provided vimrc, but many users turn them on anyway.

Comment 1 Luke Macken (RETIRED) gentoo-dev 2004-12-07 13:38:59 UTC

*** This bug has been marked as a duplicate of 73715 ***