MacVim is vulnerable to arbitrary code execution via modelines (vim < 8.1.1365)

[raimue]

Vim before 8.1.1365 is vulnerable to arbitrary code execution via modelines by opening a specially crafted text file.

A detailed description of the issue was published here:
https://github.com/numirias/security/blob/master/doc/2019-06-04_ace-vim-neovim.md

Although the original vulnerability was patched with 8.1.1365, I would suggest to update at least to vim 8.1.1368, as the follow-up patches add the new option :set modelineexpr as another mitigation for similar attacks.

• 8.1.1365: vim/vim@5357552
• 8.1.1366: vim/vim@110289e
• 8.1.1367: vim/vim@7e800c6
• 8.1.1368: vim/vim@e09244e

[ychin]

Thanks for pointing out. Will update.

[ychin]

Updated to latest and pushed a release out. Closing.

[lilyball]

The changelog for snapshot-156 incorrectly claims the vulnerability was fixed in Vim 8.1.265.

[ychin]

@lilyball Thanks for pointing that out. I fixed the typo in release page and the auto-updater's message.