1

Is the latest vim package for Ubuntu 16/18 vulnerable to modeline?

I have two production Ubuntu-based servers, one has 18.04.2 LTS on it and the other one has 16.04.6 LTS on it.

Neither apt-get upgrade nor apt-get dist-upgrade showed any new releases for vim.

Latest package is 7.4 on Ubuntu 16, and 8.0 on Ubuntu 18.

Any suggestions?

src: https://www.reddit.com/r/vim/comments/bwp7q3/code_execution_vulnerability_in_vim_811365_and/

Viktova
  • 269

2 Answers

0

There is no vim update package yet for the distro versions you mention. You can disable modeline by doing :set nomodeline once you open vim; also use the securemodeline plugin, or download and compile vim from the GitHub repo. This bug was fixed 19 days ago.

AsenM
  • 1,068
0

As a workaround, just execute this command using root:

echo -e "set modelines=0\nset nomodeline" >> /etc/vim/vimrc

This would disable modeline.


What's a modeline again?

A string like /* vim: set textwidth=80 tabstop=8: */ at the start or end of a file that tells Vim to set particular options.

Viktova
  • 269
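
An idempotent form of the vimrc workaround from the second answer, with a check of what a given vimrc ends up setting. This is an added example, not part of the original posts: `modeline_state` and `disable_modelines` are hypothetical helper names, and the parser only understands plain `set` lines.

```shell
#!/bin/sh
# Added example (not from the original answers): audit and apply the
# "set modelines=0 / set nomodeline" workaround without duplicating lines.

# Print "disabled", "enabled" or "unset" for the vimrc at $1.
# Vim reads modelines only when modeline is on AND modelines > 0; the last
# assignment in the file wins, so every "set" line is replayed in order.
modeline_state() {
    [ -r "$1" ] || { echo "unset"; return 0; }
    awk '
        $1 == "set" || $1 == "se" || $1 == ":set" {
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^"/) break                  # trailing comment
                if ($i == "nomodeline" || $i == "noml") ml = "off"
                else if ($i == "modeline" || $i == "ml") ml = "on"
                else if ($i ~ /^(modelines|mls)=[0-9]+$/) {
                    split($i, kv, "="); mls = kv[2] + 0; have_mls = 1
                }
            }
        }
        END {
            if (ml == "off" || (have_mls && mls == 0)) print "disabled"
            else if (ml == "on") print "enabled"
            else print "unset"
        }' "$1"
}

# Append the workaround to $1 only if the file does not already disable
# modelines, so repeated runs leave the file unchanged.
disable_modelines() {
    if [ "$(modeline_state "$1")" != "disabled" ]; then
        printf '\nset modelines=0\nset nomodeline\n' >> "$1"
    fi
}

# Demo on a constructed vimrc in a temp file; nothing under /etc is touched.
demo=$(mktemp)
printf 'syntax on\nset nomodeline " off\nset modeline modelines=5\n' > "$demo"
echo "before: $(modeline_state "$demo")"
disable_modelines "$demo"
disable_modelines "$demo"                   # second run is a no-op
echo "after:  $(modeline_state "$demo")"
rm -f "$demo"
```

A user's ~/.vimrc is read after the system vimrc and can turn modelines back on, so run `modeline_state` against those files as well as /etc/vim/vimrc.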