On Fri, Jun 14, 2019 at 11:16:58PM +0100, Ken Moffat via blfs-dev wrote:
> It is possible for a remote attacker to execute arbitrary OS
> commands in vim up to version 8.1.1364 via the :source! command in a
> modeline of a malicious file (all you have to do is open the file in
> vim).
>
> A workaround is to disable modelines in vimrc :
>
> set nomodeline

I got totally lost while trying to get the upstream patch yesterday
(found a link to patches which are in a weird format that does not
apply on linux) and eventually found the mercurial repo via google.

A while ago (other things going on for me this weekend) Bruce
pointed out to me that vim is also on github, and at that time the
latest patch was 1535 :

| wget https://github.com/vim/vim/archive/v8.1.1535/vim-8.1.1535.tar.gz
|
| Different versions can be downloaded by just changing the patch number in two
| places in the URL. You can check for the latest version at
| https://github.com/vim/vim/releases

The testsuite has been revised - if running it for a recent version
during an upgrade, it should be run as your normal user (and on a
desktop system it might install gvim and gview even with the LFS
instructions).

ĸen
-- 
Before the universe began, there was a sound. It went: "One, two, ONE,
two, three, four" [...] The cataclysmic power chord that followed was
the creation of time and space and matter and it does Not Fade Away.
 - wiki.lspace.org/mediawiki/Music_With_Rocks_In
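As an added example (not part of the original message and not Vim or BLFS code), a shell check for the two conditions the quoted advisory names: a Vim at or below 8.1.1364, and whether a vimrc explicitly sets `nomodeline`. The function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Threshold taken from the advisory text above: vim up to 8.1.1364 is affected.

# vim_is_affected: reads `vim --version` output on stdin.
# Exit status 0 = affected, 1 = not affected, 2 = version line not found.
vim_is_affected() {
    awk '
        BEGIN { patch = 0 }
        /^VIM - Vi IMproved [0-9]+\.[0-9]+/ {
            split($5, v, "."); major = v[1] + 0; minor = v[2] + 0; seen = 1
        }
        /^Included patches:/ {
            # Highest number on the line, e.g. "1-1535" or "1-3, 5-1364"
            n = split($0, parts, /[^0-9]+/)
            for (i = 1; i <= n; i++) if (parts[i] + 0 > patch) patch = parts[i] + 0
        }
        END {
            if (!seen) exit 2
            if (major < 8 || (major == 8 && minor < 1)) exit 0
            if (major == 8 && minor == 1 && patch <= 1364) exit 0
            exit 1
        }'
}

# modeline_state: reads a vimrc on stdin and prints the state left by the last
# explicit :set of modeline: "on", "off", or "unset" (build default applies).
# Limitation: does not follow files pulled in with :source or :runtime.
modeline_state() {
    awk '
        BEGIN { state = "unset" }
        /^[ \t]*"/ { next }                 # vimrc comment line
        $1 ~ /^:?set?$/ {
            for (i = 2; i <= NF; i++) {
                if ($i == "modeline" || $i == "ml") state = "on"
                if ($i == "nomodeline" || $i == "noml") state = "off"
            }
        }
        END { print state }'
}

# Constructed sample input (not captured from a real host).
sample='VIM - Vi IMproved 8.1 (2018 May 18, compiled Jun 15 2019)
Included patches: 1-1364'
if printf '%s\n' "$sample" | vim_is_affected; then
    echo "sample build: affected, modeline in sample vimrc:" \
         "$(printf 'set nomodeline\n' | modeline_state)"
fi
```

On a real system, feed it `vim --version | vim_is_affected` and `modeline_state < ~/.vimrc` (and the system-wide vimrc, whose path varies by build).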
