On Tue, 03/04/2018 at 20:03 +0200, Enrico Zini wrote:
> Package: vim-syntastic
> Version: 3.8.0-1
> Severity: serious
>
> Hello,
>
> syntastic has a Configuration Files[1] feature enabled for several
> checkers, where:
>
>   a configuration file is looked up in the directory of the file being
>   checked, then upwards in parent directories. The search stops either
>   when a file with the right name is found, or when the root of the
>   filesystem is reached.[1]
>
> [1] https://github.com/vim-syntastic/syntastic/blob/master/doc/syntastic-checkers.txt#L7744
>
> Each line found in the configuration file is escaped as a single
> argument and appended to the checker command being run.
>
> I am not an expert on the various possibly dangerous command line
> options of all possible checkers, but I played with one I knew how to
> play with, and what follows is a possible attack. There might be easier
> attacks on checkers that are enabled by default, since the configuration
> files feature, as it is now, leaves a pretty wide attack surface open.
Hi Enrico,

you are right and the attack works. I opened this upstream issue:
https://github.com/vim-syntastic/syntastic/issues/2170
and he fixed the problem in the 3.9.0 release. I'll build and upload it as
soon as possible.

Best Regards
-- 
Andrea Capriotti <capri...@debian.org>
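To make the attack surface Enrico describes concrete, the following is an added example (not code from the bug thread, from syntastic, or from the upstream fix). It simulates the lookup the report quotes: walk from the checked file's directory upward to the filesystem root, take the first configuration file found, and append each of its lines to the checker command as a single argument. The directory layout, the config file name `.example_checker_config`, the `examplechecker` command and the `stop_dir` mitigation are all constructed for this demo; `stop_dir` is an illustrative way to bound the walk to a trusted directory, not what syntastic 3.9.0 actually does.

```python
"""Added example, not part of the bug thread or of syntastic's own code.

Simulates the lookup described in the report: a per-checker configuration
file is searched in the directory of the checked file, then in each parent
directory up to the filesystem root, and every line of the first file found
is appended to the checker command as one argument. The directory tree,
file names and checker command below are constructed for the demo.
"""
import os
import shlex
import shutil
import tempfile
from typing import Dict, List, Optional


def find_config(start_dir: str, name: str,
                stop_dir: Optional[str] = None) -> Optional[str]:
    """Walk from start_dir upward and return the first file called `name`.

    With stop_dir=None the walk ends only at the filesystem root, which is
    the behaviour the report describes. Passing a trusted directory as
    stop_dir is an illustrative mitigation (an assumption of this example,
    not the upstream fix): nothing above that directory is consulted.
    """
    cur = os.path.abspath(start_dir)
    stop = os.path.abspath(stop_dir) if stop_dir else None
    while True:
        candidate = os.path.join(cur, name)
        if os.path.isfile(candidate):
            return candidate
        if stop is not None and cur == stop:
            return None
        parent = os.path.dirname(cur)
        if parent == cur:  # reached the filesystem root
            return None
        cur = parent


def read_config_args(path: Optional[str]) -> List[str]:
    """Each non-empty line becomes exactly one argument (no shell splitting)."""
    if path is None:
        return []
    with open(path, encoding="utf-8") as fh:
        return [line.rstrip("\n") for line in fh if line.strip()]


def build_checker_command(checker: List[str], extra_args: List[str]) -> str:
    """Render argv as one shell-escaped command string, config args last."""
    return " ".join(shlex.quote(a) for a in checker + extra_args)


def demo() -> Dict[str, Optional[str]]:
    """Constructed layout: an untrusted checkout carries a config file at its
    top level, and the file being checked sits two directories below it."""
    base = tempfile.mkdtemp()
    try:
        repo = os.path.join(base, "untrusted-checkout")
        src = os.path.join(repo, "src", "deep")
        os.makedirs(src)
        cfg_name = ".example_checker_config"  # hypothetical file name
        with open(os.path.join(repo, cfg_name), "w", encoding="utf-8") as fh:
            fh.write("--some-flag=value from checkout\n")
            fh.write("-Iinclude dir with spaces\n")
        checked_file = os.path.join(src, "main.c")
        open(checked_file, "w").close()
        checker = ["examplechecker", "--syntax-only", checked_file]

        # Unbounded walk: the checkout's config file is found two levels up
        # and its lines land on the checker command line.
        found = find_config(src, cfg_name)
        unrestricted = build_checker_command(checker, read_config_args(found))

        # Bounded walk: only the checked file's own directory is trusted, so
        # the checkout-level file is never read.
        bounded = find_config(src, cfg_name, stop_dir=src)
        restricted = build_checker_command(checker, read_config_args(bounded))
        return {
            "found": found,
            "unrestricted": unrestricted,
            "restricted_found": bounded,
            "restricted": restricted,
            "checked_file": checked_file,
        }
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the two commands in `demo()` is that the file being edited need not be the one that carries the configuration: anything an attacker can place in a parent directory of it, such as the top level of a checkout the user opens, reaches the checker's argv. Whether that is exploitable depends on which options the particular checker accepts, which is exactly the part of the report that is not quoted above.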