[3.7] vim: arbitrary command execution in getchar.c (CVE-2019-12735)
getchar.c in Vim before 8.1.1365 and Neovim before 0.3.6 allows remote
attackers to execute arbitrary OS commands via the :source!
command in a modeline, as demonstrated by execute in Vim, and
assert_fails or nvim_input in Neovim.
References:
https://github.com/numirias/security/blob/master/doc/2019-06-04_ace-vim-neovim.md
Patch:
https://github.com/vim/vim/commit/53575521406739cf20bbe4e384d88e7dca11f040
(from redmine: issue id 10562, created on 2019-06-13, closed on 2019-06-22)
- Changesets:
- Revision aaf594bc by Natanael Copa on 2019-06-22T07:30:19Z:
main/vim: backport fix for CVE-2019-12735
fixes #10562