SECURITY: editors/neovim

SECURITY: editors/neovim

Edd Barrett-3
Hi,

Here's a patch to fix a recently found arbitrary code execution bug in
neovim. It affects regular vim too, so CC sthen@.

https://github.com/numirias/security/blob/master/doc/2019-06-04_ace-vim-neovim.md

I was alerted to this by solene@ on mastodon. Thanks!

Maybe worth pushing to -stable too?

(I see that there is a new neovim -- will port soon).

OK?


Index: Makefile
===================================================================
RCS file: /cvs/ports/editors/neovim/Makefile,v
retrieving revision 1.15
diff -u -p -r1.15 Makefile
--- Makefile 20 May 2019 22:15:08 -0000 1.15
+++ Makefile 6 Jun 2019 15:32:31 -0000
@@ -5,7 +5,7 @@ COMMENT = continuation and extension of
 GH_ACCOUNT = neovim
 GH_PROJECT = neovim
 GH_TAGNAME = v0.3.4
-REVISION = 0
+REVISION = 1
 
 CATEGORIES = editors devel
 HOMEPAGE = http://neovim.org
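
Review bot: GH_TAGNAME stays at v0.3.4 and only REVISION goes from 0 to 1, so the fix exists in this port solely as a local patch; the commit message should say that patches/patch-src_nvim_getchar_c is to be dropped when the port is updated to a release that already contains the upstream change. The REVISION bump itself is what a patch-only change needs so that installed packages get rebuilt.
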
Index: patches/patch-src_nvim_getchar_c
===================================================================
RCS file: patches/patch-src_nvim_getchar_c
diff -N patches/patch-src_nvim_getchar_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_nvim_getchar_c 6 Jun 2019 15:52:58 -0000
@@ -0,0 +1,25 @@
+$OpenBSD$
+
+Security patch: Source command doesn't check for the sandbox.
+https://github.com/neovim/neovim/pull/10082
+
+Detailed description:
+https://github.com/numirias/security/blob/master/doc/2019-06-04_ace-vim-neovim.md
+
+Index: src/nvim/getchar.c
+--- src/nvim/getchar.c.orig
++++ src/nvim/getchar.c
+@@ -1244,6 +1244,13 @@ openscript (
+     EMSG(_(e_nesting));
+     return;
+   }
++
++  // Disallow sourcing a file in the sandbox, the commands would be executed
++  // later, possibly outside of the sandbox.
++  if (check_secure()) {
++    return;
++  }
++
+   if (ignore_script)
+     /* Not reading from script, also don't open one.  Warning message? */
+     return;
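
Review bot: the new `if (check_secure())` branch in openscript() returns without an EMSG call of its own, unlike the e_nesting case directly above it, so it is worth confirming that check_secure() reports the sandbox error itself and the refusal is not silent to the user. The placement ahead of the `if (ignore_script)` test looks right, since the guard then applies whether or not a script is being ignored. The patch header says "Source command" in general while the guard sits only in openscript(); naming the affected function or command in the header would make clear what this patch does and does not cover.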

--
Best Regards
Edd Barrett

http://www.theunixzoo.co.uk

Re: SECURITY: editors/neovim

Edd Barrett-3
On Thu, Jun 06, 2019 at 05:16:02PM +0100, Edd Barrett wrote:
> It affects regular vim too, so CC sthen@.

Excellent! Stuart has already patched vim today. The first time I hit
cvsweb it didn't show up, but after a refresh a little while later, I
see it ;)

--
Best Regards
Edd Barrett

http://www.theunixzoo.co.uk

Re: SECURITY: editors/neovim

Stuart Henderson-6
In reply to this post by Edd Barrett-3
On 2019/06/06 17:16, Edd Barrett wrote:
> Hi,
>
> Here's a patch to fix a recently found arbitrary code execution bug in
> neovim. It affects regular vim too, so CC sthen@.
>
> https://github.com/numirias/security/blob/master/doc/2019-06-04_ace-vim-neovim.md
>
> I was alerted to this by solene@ on mastodon. Thanks!

OK. I was just about to send you an 0.3.7 update diff for this after
doing editors/vim :)

> Maybe worth pushing to -stable too?

Definitely.

> (I see that there is a new neovim -- will port soon).
>
> OK?
>

Re: SECURITY: editors/neovim

Edd Barrett-3
On Thu, Jun 06, 2019 at 05:26:13PM +0100, Stuart Henderson wrote:
> OK.

Thanks!

> I was just about to send you an 0.3.7 update diff for this after
> doing editors/vim :)

It's certainly welcome, if you've already started :)

> Definitely.

I'll get on to that.

--
Best Regards
Edd Barrett

http://www.theunixzoo.co.uk