Package: neovim
Version: 0.11.6-1
Severity: grave
Tags: security
X-Debbugs-Cc: Debian Security Team <[email protected]>

Neovim 0.12.2 has included several security patches from Vim that are
unpatched in the version in unstable.  For instance, there is a buffer
overflow fixed in Vim 9.2.0331 that still causes Neovim to crash.

If you place the below contents in `vimrc` and run `nvim -u vimrc`,
Neovim crashes with `*** buffer overflow detected ***: terminated`.
Obviously this is a serious security bug.  While this particular
variant is detected, it's not necessarily the case that every variant
will be detected, so patching this appropriately is important.

Since spell files are frequently downloaded from the Internet (and I
believe both Vim and Neovim contain functionality to do so), this allows
a malicious provider of spell files to create a buffer overflow, which
could allow arbitrary code execution.

Could you either upload Neovim 0.12.2 or backport the appropriate
security patches from newer versions of Neovim?

vimrc:
----
func s:abc()

  let aff_lines = ['SET ISO8859-1', 'SFX A Y 1',
        \ 'SFX A 0 s ' .. repeat(nr2char(0xff), 491)]
  call writefile(aff_lines, 'Xbof.aff', 'D')
  call writefile(['1', 'word/A'], 'Xbof.dic', 'D')
  " Must not crash; ignore any conversion/regex errors.
  try
    mkspell! Xbof.spl Xbof
  catch
  endtry
  defer delete('Xbof.spl')

  let long = repeat(nr2char(0xff), 200)
  let aff2_lines = ['SET ISO8859-1', 'SFX A Y 1',
        \ 'SFX A 0 ' .. long .. ' .']
  call writefile(aff2_lines, 'Xbof2.aff', 'D')
  call writefile(['1', long .. '/A'], 'Xbof2.dic', 'D')
  try
    mkspell! Xbof2.spl Xbof2
  catch
  endtry
  defer delete('Xbof2.spl')

endfunc

call s:abc()
----

These contents were derived from the test in Vim patch 9.2.0331.


-- System Information:
Debian Release: forky/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 7.0.3+deb14-amd64 (SMP w/24 CPU threads; PREEMPT)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages neovim depends on:
ii  libc6               2.42-15
ii  libluajit-5.1-2     2.1.0+openresty20251030-1+b2
ii  libtree-sitter0.25  0.25.9-7+b1
ii  libunibilium4       2.1.1-2+b3
ii  libutf8proc3        2.11.3-2
ii  libuv1t64           1.51.0-2+b2
ii  lua-lpeg            1.1.0-3+b1
ii  lua-luv             1.51.0-1-1+b1
ii  neovim-runtime      0.11.6-1

Versions of packages neovim recommends:
ii  python3-pynvim  0.6.0-2
ii  wl-clipboard    2.2.1-2
ii  xclip           0.13-4
ii  xxd             2:9.2.0428-1

Versions of packages neovim suggests:
pn  ctags        <none>
pn  vim-scripts  <none>

-- no debconf information

-- 
brian m. carlson (they/them)
Toronto, Ontario, CA
