svn commit: r504132 - head/security/vuxml

Alexey Dokuchaev danfe at freebsd.org
Sat Jun 15 15:12:48 UTC 2019


On Thu, Jun 13, 2019 at 06:41:56PM +0000, Adam Weinberger wrote:
> New Revision: 504132
> URL: https://svnweb.freebsd.org/changeset/ports/504132
> 
> Log:
>   Add entry for Vim/NeoVim arbitrary code execution
> 
> Modified:
>   head/security/vuxml/vuln.xml

Do we package Vim/NeoVim with modelines enabled by default?

I've seen people say that in some distributions, default packages were not
affected because their maintainers deliberately disable modelines, e.g. in
Debian from 2007:

  * debian/runtime/debian.vim.in
    - set 'nomodeline' by default since modelines have historically been a
      source of security/resource vulnerabilities.  Users should have to
      explicitly enable the option to assume the associated risks.

Also, from Gentoo's /etc/vim/vimrc:

    We don't allow modelines by default. See bug #14088 and bug #73715.
    basis by adding "set modeline" to your ~/.vimrc file.

This sounds like a good idea.  Actually, any similar feature that allows
executing something based on user input should be disabled by default, because
these things are very hard to get right (unless you're Daniel Bernstein).

./danfe
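As an added example (not from this thread nor from the Vim or NeoVim projects), a small Python checker that audits files for the modelines the discussion is about: it inspects only the lines Vim would honour (the first and last five, the default 'modelines' count), parses both modeline forms documented in `:help modeline`, and reports any option that is not on a hypothetical allowlist of indentation and filetype settings, so a repository can be reviewed for modelines regardless of whether the packaged editor ships with `nomodeline`.

```python
import re

# Vim only honours modelines within the first and last 'modelines' lines (default 5).
MODELINES = 5

# Syntax from ':help modeline':
#   [text{white}]{vi:|vim:|Vim:|ex:}[white]{options}
#   [text{white}]{vi:|vim:|Vim:|ex:}[white]se[t] {options}:[text]
_MARKER_RE = re.compile(r'(?:^|\s)(?:vi|vim|Vim|ex):\s*(.*)$')
_SET_FORM_RE = re.compile(r'^(?:se|set)\s+(.*?):')

# Hypothetical allowlist of indentation/filetype options a reviewer accepts from a file.
ALLOWED = {'ts', 'tabstop', 'sw', 'shiftwidth', 'sts', 'softtabstop', 'et', 'expandtab',
           'noet', 'noexpandtab', 'tw', 'textwidth', 'ft', 'filetype', 'syn', 'syntax',
           'ff', 'fileformat', 'fenc', 'fileencoding', 'ai', 'autoindent'}

def parse_modeline(line):
    """Return the option tokens of a modeline, or None if the line is not one."""
    m = _MARKER_RE.search(line)
    if m is None:
        return None
    s = _SET_FORM_RE.match(m.group(1))
    if s:
        return s.group(1).split()                 # second form: up to the closing ':'
    return [t for t in re.split(r'[:\s]+', m.group(1)) if t]  # first form: ':' or blanks

def option_name(token):
    # 'ts=4' -> 'ts', 'noet' -> 'noet', 'fdm+=marker' -> 'fdm'
    m = re.match(r'[A-Za-z]+', token)
    return m.group(0) if m else token

def scan(text):
    """Check only the lines Vim would; return [(lineno, tokens, not_allowlisted), ...]."""
    lines = text.splitlines()
    n = len(lines)
    head = range(min(MODELINES, n))
    tail = range(max(0, n - MODELINES), n)
    findings = []
    for i in sorted(set(head) | set(tail)):
        tokens = parse_modeline(lines[i])
        if tokens is None:
            continue
        flagged = [t for t in tokens if option_name(t) not in ALLOWED]
        findings.append((i + 1, tokens, flagged))
    return findings

# Constructed sample: an allowlisted modeline on line 1, and a last-line modeline
# setting an option outside the allowlist, which is reported for review.
SAMPLE = "# vim: set ts=4 sw=4 et:\nimport os\n\ndef main():\n    print('hi')\n\nmain()\n# vi: ft=python wrap"
```

Running `scan(SAMPLE)` reports line 1 with nothing flagged and line 8 with `wrap` flagged; a modeline buried in the middle of a longer file is ignored, exactly as Vim ignores it.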


More information about the svn-ports-all mailing list