Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <acvvA2uP7s/aGD9q@256bit.org>
Date: Tue, 31 Mar 2026 17:57:55 +0200
From: Christian Brabandt <cb@...bit.org>
To: Demi Marie Obenour <demiobenour@...il.com>
Cc: oss-security@...ts.openwall.com
Subject: Re: [vim-security] Vim tabpanel modeline escape
 affects Vim < 9.2.0272


On Mo, 30 Mär 2026, Demi Marie Obenour wrote:

> On 3/30/26 05:06, Christian Brabandt wrote:
> > ## Impact
> > An attacker who can deliver a crafted file to a victim achieves 
> > arbitrary command execution with the privileges of the user running Vim. 
> > The attack requires only that the victim opens the file; no further 
> > interaction is needed. `modeline` is enabled by default and 
> > `modelineexpr` does not need to be enabled. Vim builds with `+tabpanel` 
> > (FEAT_HUGE, the default) are affected.
> 
> Should `modeline` be disabled by default in future releases?
> It's a huge attack surface.

Indeed, it is probably time to disable this by default: 
https://github.com/vim/vim/pull/19875

Thanks,
Christian
-- 
Zwei Schneeflocken begegnen sich auf ihrem Weg zur Erde.
Die eine:
"Wohin?"
"Nach Bayern - Wintersport. Und du?"
"Nach Norddeutschland - Verkehrschaos."

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.