Package: vim-youcompleteme
Version: 0+20140207+git18be5c2-2
Severity: normal
Tags: security
X-Debbugs-CC: secur...@debian.org

This version (0+20140207+git18be5c2-2) of JediHTTP
(/usr/lib/vim-youcompleteme/ycm/server/) does not include the HMAC
mechanism. Each vim instance starts an HTTP proxy to Jedi to which
anybody on localhost can connect via TCP. Tested with Python files with
youcompleteme enabled.

For example, one can run the following command as another user (httpie
for ease):
$ http -v POST 127.0.0.1:${port}/user_options @/tmp/default_settings.json

/tmp/default_settings.json based on
/usr/lib/vim-youcompleteme/ycm/server/default_settings.json.

You can change min_num_of_chars_for_completion to quickly prove that
settings have been updated.

One can also run arbitrary commands on behalf of the user. Just set
global_ycm_extra_conf to a path to a Python file and wait for the user
to exit vim.

--- System information. ---
Architecture: amd64
Kernel:       Linux 3.16.0-4-amd64

Debian Release: 8.7
  500 stable          security.debian.org 
  500 stable          ftp.pl.debian.org 
  500 oldstable       ftp.pl.debian.org 
   50 testing         security.debian.org 
   50 testing         ftp.pl.debian.org 
  100 jessie-backports ftp.pl.debian.org 

--- Package information. ---
Package's Depends field is empty.

Package's Recommends field is empty.

Package's Suggests field is empty.

-- 
Marcin Szewczyk
http://wodny.org
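As an added illustration of the missing protection (this is example code, not the vim-youcompleteme, JediHTTP or ycmd implementation): a localhost HTTP service can reject requests from other local users by requiring each request to carry an HMAC computed with a per-session secret that only the editor and the server know. The header name, the length-prefixed message layout and the sample settings body are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import os

# Per-session request authentication for a localhost service like the
# JediHTTP proxy in the report. The editor generates a random secret and
# hands it to the server out of band (e.g. a file readable only by the
# user); a process that lacks the secret cannot produce a valid signature.

HEADER = "X-Ycm-Hmac"  # header name assumed for this example


def new_secret(nbytes=16):
    """Random per-session key shared only between editor and server."""
    return os.urandom(nbytes)


def sign_request(secret, method, path, body):
    """HMAC-SHA256 over method, path and body, base64-encoded for a header."""
    # Length-prefix each field so ("/a", b"b") and ("/", b"ab") differ.
    msg = b"".join(
        len(part).to_bytes(4, "big") + part
        for part in (method.encode(), path.encode(), body)
    )
    return base64.b64encode(hmac.new(secret, msg, hashlib.sha256).digest()).decode()


def request_allowed(secret, method, path, body, headers):
    """Server-side check: refuse unsigned or wrongly signed requests."""
    presented = headers.get(HEADER)
    if presented is None:
        return False
    expected = sign_request(secret, method, path, body)
    # Constant-time comparison avoids leaking the expected value via timing.
    return hmac.compare_digest(presented, expected)


if __name__ == "__main__":
    key = new_secret()
    body = b'{"min_num_of_chars_for_completion": 1}'  # constructed sample
    # The unauthenticated POST from the report carries no signature: rejected.
    print(request_allowed(key, "POST", "/user_options", body, {}))
    # The editor, which holds the key, signs the request and is accepted.
    hdr = {HEADER: sign_request(key, "POST", "/user_options", body)}
    print(request_allowed(key, "POST", "/user_options", body, hdr))
```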
