Bug 73717 - vim: evil modeline code
Summary: vim: evil modeline code
Status: RESOLVED DUPLICATE of bug 73715
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: High normal
Assignee: Gentoo Security
Reported: 2004-12-07 13:31 UTC by Ciaran McCreesh
Modified: 2006-12-27 01:08 UTC

Description Ciaran McCreesh 2004-12-07 13:31:06 UTC
If vim modelines are enabled, it's possible to create a file which, when opened in vim, will really screw things up for the user. Under certain circumstances it is also possible to execute arbitrary code as the user running vim.

I've emailed upstream regarding the issue, security@ is on the Cc: list. I suspect there're a few more similar attacks that I haven't thought of. Awaiting upstream's response before we go any further.

Note that modelines are disabled by default in the Gentoo-provided vimrc, but many users turn them on anyway.
Comment 1 Luke Macken (RETIRED) gentoo-dev 2004-12-07 13:38:59 UTC

*** This bug has been marked as a duplicate of 73715 ***