Control: tags -1 + patch

Attached is the proposed debdiff for unstable.
I also looked today at the version in stretch, but that build currently fails.

Regards,
Salvatore
diff -Nru vim-8.1.0875/debian/changelog vim-8.1.0875/debian/changelog
--- vim-8.1.0875/debian/changelog 2019-05-06 05:41:10.000000000 +0200
+++ vim-8.1.0875/debian/changelog 2019-06-05 22:10:19.000000000 +0200
@@ -1,3 +1,11 @@
+vim (2:8.1.0875-3.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * source command doesn't check for the sandbox (CVE-2019-12735)
+ (Closes: #930020)
+
+ -- Salvatore Bonaccorso <car...@debian.org> Wed, 05 Jun 2019 22:10:19 +0200
+
 vim (2:8.1.0875-3) unstable; urgency=medium
 
 * syntax/deb{changelog,sources}: Update release names for Debian/Ubuntu
diff -Nru vim-8.1.0875/debian/patches/patch-8.1.1365-source-command-doesn-t-check-for-the-.patch vim-8.1.0875/debian/patches/patch-8.1.1365-source-command-doesn-t-check-for-the-.patch
--- vim-8.1.0875/debian/patches/patch-8.1.1365-source-command-doesn-t-check-for-the-.patch 1970-01-01 01:00:00.000000000 +0100
+++ vim-8.1.0875/debian/patches/patch-8.1.1365-source-command-doesn-t-check-for-the-.patch 2019-06-05 22:10:19.000000000 +0200
@@ -0,0 +1,56 @@
+From: Bram Moolenaar <b...@vim.org>
+Date: Wed, 22 May 2019 22:38:25 +0200
+Subject: patch 8.1.1365: source command doesn't check for the sandbox
+Origin: https://github.com/vim/vim/commit/53575521406739cf20bbe4e384d88e7dca11f040
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-12735
+Bug-Debian: https://bugs.debian.org/930020
+
+Problem: Source command doesn't check for the sandbox. (Armin Razmjou)
+Solution: Check for the sandbox when sourcing a file.
+---
+ src/getchar.c | 6 ++++++
+ src/testdir/test_source.vim | 9 +++++++++
+ src/version.c | 2 ++
+ 3 files changed, 17 insertions(+)
+
+--- a/src/getchar.c
++++ b/src/getchar.c
+@@ -1407,6 +1407,12 @@ openscript(
+ emsg(_(e_nesting));
+ return;
+ }
++
++ // Disallow sourcing a file in the sandbox, the commands would be executed
++ // later, possibly outside of the sandbox.
++ if (check_secure())
++ return;
++
+ #ifdef FEAT_EVAL
+ if (ignore_script)
+ /* Not reading from script, also don't open one. Warning message? */
+--- a/src/testdir/test_source.vim
++++ b/src/testdir/test_source.vim
+@@ -36,3 +36,12 @@ func Test_source_cmd()
+ au! SourcePre
+ au! SourcePost
+ endfunc
++
++func Test_source_sandbox()
++ new
++ call writefile(["Ohello\<Esc>"], 'Xsourcehello')
++ source! Xsourcehello | echo
++ call assert_equal('hello', getline(1))
++ call assert_fails('sandbox source! Xsourcehello', 'E48:')
++ bwipe!
++endfunc
+--- a/src/version.c
++++ b/src/version.c
+@@ -792,6 +792,8 @@ static char *(features[]) =
+ static int included_patches[] =
+ { /* Add new patch number below this line */
+ /**/
++ 1365,
++/**/
+ 948,
+ /**/
+ 884,
diff -Nru vim-8.1.0875/debian/patches/series vim-8.1.0875/debian/patches/series
--- vim-8.1.0875/debian/patches/series 2019-05-06 05:41:10.000000000 +0200
+++ vim-8.1.0875/debian/patches/series 2019-06-05 22:10:19.000000000 +0200
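Review bot: Test_source_sandbox writes `Xsourcehello` with writefile() but never removes it, so the new test leaves a stray file in the testdir after `bwipe!`; the other Test_source_* tests are not visible here, but the usual pattern is a trailing `call delete('Xsourcehello')`, which could be carried as a small follow-up to the upstream backport rather than diverging from commit 5357552 in this patch. The C-side change itself looks right for the reported vector: `:source!` feeds the file through the typeahead path, so the check_secure() guard in openscript() rejects it with E48 before any keys are queued to run after the sandbox is left, which is exactly what the test's `assert_fails('sandbox source! ...', 'E48:')` pins. Whether plain `:source` (do_source) needs an equivalent guard is not determinable from this hunk; presumably its commands run synchronously while `sandbox` is still set, but that is worth confirming against the sources rather than assuming. Note that openscript()'s body starts before and continues after the hunk, so the placement of the guard relative to later state changes (the scriptin slot, curscript) cannot be fully judged from what is shown.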
@@ -6,4 +6,5 @@
 patch-8.1.0878-test-for-has-bsd-fails-on-some-BSD-systems.patch
 patch-8.1.0884-double-check-for-bsd-systems.patch
 patch-8.1.0948-when-built-without-eval-Vim-clean-produces.patch
+patch-8.1.1365-source-command-doesn-t-check-for-the-.patch
 upstream/deb-release-names.patch