Skip to content

Fix CVE-2019-12735 in vim #230

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
mrgirgin merged 2 commits into from
Oct 20, 2020
Merged

Fix CVE-2019-12735 in vim #230

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
009b337
Fix CVE-2019-12735 in vim
Oct 16, 2020
8fd088c
Update the changelog to address only one CVE.
mrgirgin Oct 16, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
47 changes: 47 additions & 0 deletions SPECS/vim/CVE-2019-12735.patch
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,47 @@
diff --git a/src/getchar.c b/src/getchar.c
index cc8b344e1..53f3a76be 100644
--- a/src/getchar.c
+++ b/src/getchar.c
@@ -1442,6 +1442,12 @@ openscript(
EMSG(_(e_nesting));
return;
}
+
+ // Disallow sourcing a file in the sandbox, the commands would be executed
+ // later, possibly outside of the sandbox.
+ if (check_secure())
+ return;
+
#ifdef FEAT_EVAL
if (ignore_script)
/* Not reading from script, also don't open one. Warning message? */
diff --git a/src/testdir/test_source_utf8.vim b/src/testdir/test_source_utf8.vim
index c29c2ec1f..f13906242 100644
--- a/src/testdir/test_source_utf8.vim
+++ b/src/testdir/test_source_utf8.vim
@@ -61,3 +61,12 @@ func Test_source_ctrl_v()
unmap __4
unmap __5
endfunc
+
+func Test_source_sandbox()
+ new
+ call writefile(["Ohello\<Esc>"], 'Xsourcehello')
+ source! Xsourcehello | echo
+ call assert_equal('hello', getline(1))
+ call assert_fails('sandbox source! Xsourcehello', 'E48:')
+ bwipe!
+endfunc
diff --git a/src/version.c b/src/version.c
index dce4643c2..c6e64ea76 100644
--- a/src/version.c
+++ b/src/version.c
@@ -794,6 +794,8 @@ static char *(features[]) =

static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 1365,
/**/
388,
/**/
11 changes: 9 additions & 2 deletions SPECS/vim/vim.spec
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,14 +3,19 @@
Summary: Text editor
Name: vim
Version: 8.1.0388
Release: 6%{?dist}
Release: 7%{?dist}
License: Vim
URL: https://www.vim.org
Group: Applications/Editors
Vendor: Microsoft Corporation
Distribution: Mariner
#Source0: https://github.com/%{name}/%{name}/archive/v%{version}.tar.gz
Source0: %{name}-%{version}.tar.gz
# Based on:
# https://github.com/vim/vim/commit/53575521406739cf20bbe4e384d88e7dca11f040.patch
# Had some modifications for patch to apply cleanly.
Patch0: CVE-2019-12735.patch

BuildRequires: ncurses-devel

%description
Expand All @@ -26,7 +31,7 @@ Conflicts: toybox
The vim extra package contains a extra files for powerful text editor.

%prep
%setup -q
%autosetup -p1

echo '#define SYS_VIMRC_FILE "/etc/vimrc"' >> src/feature.h
%build
Expand Down Expand Up @@ -184,6 +189,8 @@ fi
%{_bindir}/vimdiff

%changelog
* Thu Oct 15 2020 Emre Girgin <mrgirgin@microsoft.com> 8.1.0388-7
- Fix CVE-2019-12735.
* Mon Jun 01 2020 Pawel Winogrodzki <pawelwi@microsoft.com> 8.1.0388-6
- Adding a license reference.
* Mon Apr 13 2020 Eric Li <eli@microsoft.com> 8.1.0388-5
Expand Down