Thursday, June 06, 2019

SECURITY: editors/neovim

Hi,

Here's a patch to fix a recently found arbitrary code execution bug in
neovim. It affects regular vim too, so CC sthen@.

https://github.com/numirias/security/blob/master/doc/2019-06-04_ace-vim-neovim.md

I was alerted to this by solene@ on mastodon. Thanks!

Maybe worth pushing to -stable too?

(I see that there is a new neovim -- will port soon).

OK?


Index: Makefile
===================================================================
RCS file: /cvs/ports/editors/neovim/Makefile,v
retrieving revision 1.15
diff -u -p -r1.15 Makefile
--- Makefile 20 May 2019 22:15:08 -0000 1.15
+++ Makefile 6 Jun 2019 15:32:31 -0000
@@ -5,7 +5,7 @@ COMMENT = continuation and extension of
GH_ACCOUNT = neovim
GH_PROJECT = neovim
GH_TAGNAME = v0.3.4
-REVISION = 0
+REVISION = 1

CATEGORIES = editors devel
HOMEPAGE = http://neovim.org
Index: patches/patch-src_nvim_getchar_c
===================================================================
RCS file: patches/patch-src_nvim_getchar_c
diff -N patches/patch-src_nvim_getchar_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_nvim_getchar_c 6 Jun 2019 15:52:58 -0000
@@ -0,0 +1,25 @@
+$OpenBSD$
+
+Security patch: Source command doesn't check for the sandbox.
+https://github.com/neovim/neovim/pull/10082
+
+Detailed description:
+https://github.com/numirias/security/blob/master/doc/2019-06-04_ace-vim-neovim.md
+
+Index: src/nvim/getchar.c
+--- src/nvim/getchar.c.orig
++++ src/nvim/getchar.c
+@@ -1244,6 +1244,13 @@ openscript (
+ EMSG(_(e_nesting));
+ return;
+ }
++
++ // Disallow sourcing a file in the sandbox, the commands would be executed
++ // later, possibly outside of the sandbox.
++ if (check_secure()) {
++ return;
++ }
++
+ if (ignore_script)
+ /* Not reading from script, also don't open one. Warning message? */
+ return;

--
Best Regards
Edd Barrett

http://www.theunixzoo.co.uk

No comments:

Post a Comment