opensuse-su-2019:1759-1
Vulnerability from csaf_opensuse
Published
2019-07-21 05:34
Modified
2019-07-21 05:34
Summary
Security update for neovim
Notes
Title of the patch
Security update for neovim
Description of the patch
This update for neovim fixes the following issues:
neovim was updated to version 0.3.7:
* CVE-2019-12735: source should check sandbox (boo#1137443)
* genappimage.sh: migrate to linuxdeploy
Version Update to version 0.3.5:
* options: properly reset directories on 'autochdir'
* Remove MSVC optimization workaround for SHM_ALL
* Make SHM_ALL to a variable instead of a compound literal #define
* doc: mention 'pynvim' module rename
* screen: don't crash when drawing popupmenu with 'rightleft' option
* look-behind match may use the wrong line number
* :terminal : set topline based on window height
* :recover : Fix crash on non-existent *.swp
Version Update to version 0.3.4:
* test: add tests for conceal cursor movement
* display: unify cursorline and concealcursor redraw logic
Version Update to version 0.3.3:
* health/provider: Check for available pynvim when neovim mod is missing
* python#CheckForModule: Use the given module string instead of hard-coding pynvim
* (health.provider)/python: Import the neovim, rather than pynvim, module
* TUI: Konsole DECSCUSR fixup
Version Update to version 0.3.2:
* Features
  - clipboard: support Custom VimL functions (#9304)
  - win/TUI: improve terminal/console support (#9401)
  - startup: Use $XDG_CONFIG_DIRS/nvim/sysinit.vim if exists (#9077)
  - support mapping in more places (#9299)
  - diff/highlight: show underline for low-priority CursorLine (#9028)
  - signs: Add 'numhl' argument (#9113)
  - clipboard: support Wayland (#9230)
  - TUI: add support for undercurl and underline color (#9052)
  - man.vim: soft (dynamic) wrap (#9023)
* API
  - API: implement object namespaces (#6920)
  - API: implement nvim_win_set_buf() (#9100)
  - API: virtual text annotations (nvim_buf_set_virtual_text) (#8180)
  - API: add nvim_buf_is_loaded() (#8660)
  - API: nvim_buf_get_offset_for_line (#8221)
  - API/UI: ext_newgrid, ext_hlstate (#8221)
* UI
  - TUI: use BCE again more often (smoother resize) (#8806)
  - screen: add missing status redraw when redraw_later(CLEAR) was used (#9315)
  - TUI: clip invalid regions on resize (#8779)
  - TUI: improvements for scrolling and clearing (#9193)
  - TUI: disable clearing almost everywhere (#9143)
  - TUI: always use safe cursor movement after resize (#9079)
  - ui_options: also send when starting or from OptionSet (#9211)
  - TUI: Avoid reset_color_cursor_color in old VTE (#9191)
  - Don't erase screen on :hi Normal during startup (#9021)
  - TUI: Hint wrapped lines to terminals (#8915)
* FIXES
  - RPC: turn errors from async calls into notifications
  - TUI: Restore terminal title via 'title stacking' (#9407)
  - genappimage: Unset $ARGV0 at invocation (#9376)
  - TUI: Konsole 18.07.70 supports DECSCUSR (#9364)
  - provider: improve error message (#9344)
  - runtime/syntax: Fix highlighting of autogroup contents (#9328)
  - VimL/confirm(): Show dialog even if :silent (#9297)
  - clipboard: prefer xclip (#9302)
  - provider/nodejs: fix npm, yarn detection
  - channel: avoid buffering output when only terminal is active (#9218)
  - ruby: detect rbenv shims for other versions (#8733)
  - third party/unibilium: Fix parsing of extended capability entries (#9123)
  - jobstart(): Fix hang on non-executable cwd (#9204)
  - provider/nodejs: Simultaneously query npm and yarn (#9054)
  - undo: Fix infinite loop if undo_read_byte returns EOF (#2880)
  - 'swapfile: always show dialog' (#9034)
- Add to the system-wide configuration file extension of runtimepath by
  /usr/share/vim/site, so that neovim uses other Vim plugins installed
  from packages.
- Add /usr/share/vim/site tree of directories to be owned by neovim as
  well.
Patchnames
openSUSE-2019-1759
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for neovim",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for neovim fixes the following issues:\n\nneovim was updated to version 0.3.7:\n\n* CVE-2019-12735: source should check sandbox (boo#1137443)\n* genappimage.sh: migrate to linuxdeploy\n\nVersion Update to version 0.3.5:\n\n* options: properly reset directories on \u0027autochdir\u0027\n* Remove MSVC optimization workaround for SHM_ALL\n* Make SHM_ALL to a variable instead of a compound literal #define\n* doc: mention \u0027pynvim\u0027 module rename\n* screen: don\u0027t crash when drawing popupmenu with \u0027rightleft\u0027 option\n* look-behind match may use the wrong line number\n* :terminal : set topline based on window height\n* :recover : Fix crash on non-existent *.swp\n\nVersion Update to version 0.3.4:\n\n* test: add tests for conceal cursor movement\n* display: unify ursorline and concealcursor redraw logic\n\nVersion Update to version 0.3.3:\n\n* health/provider: Check for available pynvim when neovim mod is missing\n* python#CheckForModule: Use the given module string instead of hard-coding pynvim\n* (health.provider)/python: Import the neovim, rather than pynvim, module\n* TUI: Konsole DECSCUSR fixup\n\nVersion Update to version 0.3.2:- \n\n* Features\n\n - clipboard: support Custom VimL functions (#9304)\n - win/TUI: improve terminal/console support (#9401)\n - startup: Use $XDG_CONFIG_DIRS/nvim/sysinit.vim if exists (#9077)\n - support mapping in more places (#9299)\n - diff/highlight: show underline for low-priority CursorLine (#9028)\n - signs: Add \u0027nuhml\u0027 argument (#9113)\n - clipboard: support Wayland (#9230)\n - TUI: add support for undercurl and underline color (#9052)\n - man.vim: soft (dynamic) wrap (#9023)\n\n* API\n\n - API: implement object namespaces (#6920)\n - API: implement nvim_win_set_buf() (#9100)\n - API: virtual text annotations (nvim_buf_set_virtual_text) (#8180)\n - API: add nvim_buf_is_loaded() (#8660)\n - API: nvm_buf_get_offset_for_line (#8221)\n - API/UI: ext_newgrid, ext_histate (#8221)\n\n* 
UI\n\n - TUI: use BCE again more often (smoother resize) (#8806)\n - screen: add missing status redraw when redraw_later(CLEAR) was used (#9315)\n - TUI: clip invalid regions on resize (#8779)\n - TUI: improvements for scrolling and clearing (#9193)\n - TUI: disable clearing almost everywhere (#9143)\n - TUI: always use safe cursor movement after resize (#9079)\n - ui_options: also send when starting or from OptionSet (#9211)\n - TUI: Avoid reset_color_cursor_color in old VTE (#9191)\n - Don\u0027t erase screen on :hi Normal during startup (#9021)\n - TUI: Hint wrapped lines to terminals (#8915) \n\n* FIXES\n\n - RPC: turn errors from async calls into notifications\n - TUI: Restore terminal title via \u0027title stacking\u0027 (#9407)\n - genappimage: Unset $ARGV0 at invocation (#9376)\n - TUI: Konsole 18.07.70 supports DECSCUSR (#9364)\n - provider: improve error message (#9344) \n - runtime/syntax: Fix highlighting of autogroup contents (#9328)\n - VimL/confirm(): Show dialog even if :silent (#9297)\n - clipboard: prefer xclip (#9302)\n - provider/nodejs: fix npm, yarn detection\n - channel: avoid buffering output when only terminal is active (#9218)\n - ruby: detect rbenv shims for other versions (#8733)\n - third party/unibilium: Fix parsing of extended capabilitiy entries (#9123)\n - jobstart(): Fix hang on non-executable cwd (#9204)\n - provide/nodejs: Simultaneously query npm and yarn (#9054)\n - undo: Fix infinite loop if undo_read_byte returns EOF (#2880) \n - \u0027swapfile: always show dialog\u0027 (#9034) \n\n- Add to the system-wide configuration file extension of runtimepath by\n /usr/share/vim/site, so that neovim uses other Vim plugins installed\n from packages.\n\n- Add /usr/share/vim/site tree of directories to be owned by neovim as\n well.\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-2019-1759",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2019_1759-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2019:1759-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/JVVBP77XXWO6UY6YS7QTWDVNSXCX6BNR/#JVVBP77XXWO6UY6YS7QTWDVNSXCX6BNR"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2019:1759-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/JVVBP77XXWO6UY6YS7QTWDVNSXCX6BNR/#JVVBP77XXWO6UY6YS7QTWDVNSXCX6BNR"
},
{
"category": "self",
"summary": "SUSE Bug 1137443",
"url": "https://bugzilla.suse.com/1137443"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2019-12735 page",
"url": "https://www.suse.com/security/cve/CVE-2019-12735/"
}
],
"title": "Security update for neovim",
"tracking": {
"current_release_date": "2019-07-21T05:34:50Z",
"generator": {
"date": "2019-07-21T05:34:50Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2019:1759-1",
"initial_release_date": "2019-07-21T05:34:50Z",
"revision_history": [
{
"date": "2019-07-21T05:34:50Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "neovim-lang-0.3.7-lp151.2.7.1.noarch",
"product": {
"name": "neovim-lang-0.3.7-lp151.2.7.1.noarch",
"product_id": "neovim-lang-0.3.7-lp151.2.7.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "neovim-0.3.7-lp151.2.7.1.x86_64",
"product": {
"name": "neovim-0.3.7-lp151.2.7.1.x86_64",
"product_id": "neovim-0.3.7-lp151.2.7.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Leap 15.0",
"product": {
"name": "openSUSE Leap 15.0",
"product_id": "openSUSE Leap 15.0",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.0"
}
}
},
{
"category": "product_name",
"name": "openSUSE Leap 15.1",
"product": {
"name": "openSUSE Leap 15.1",
"product_id": "openSUSE Leap 15.1",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.1"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "neovim-0.3.7-lp151.2.7.1.x86_64 as component of openSUSE Leap 15.0",
"product_id": "openSUSE Leap 15.0:neovim-0.3.7-lp151.2.7.1.x86_64"
},
"product_reference": "neovim-0.3.7-lp151.2.7.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "neovim-lang-0.3.7-lp151.2.7.1.noarch as component of openSUSE Leap 15.0",
"product_id": "openSUSE Leap 15.0:neovim-lang-0.3.7-lp151.2.7.1.noarch"
},
"product_reference": "neovim-lang-0.3.7-lp151.2.7.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "neovim-0.3.7-lp151.2.7.1.x86_64 as component of openSUSE Leap 15.1",
"product_id": "openSUSE Leap 15.1:neovim-0.3.7-lp151.2.7.1.x86_64"
},
"product_reference": "neovim-0.3.7-lp151.2.7.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "neovim-lang-0.3.7-lp151.2.7.1.noarch as component of openSUSE Leap 15.1",
"product_id": "openSUSE Leap 15.1:neovim-lang-0.3.7-lp151.2.7.1.noarch"
},
"product_reference": "neovim-lang-0.3.7-lp151.2.7.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.1"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2019-12735",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2019-12735"
}
],
"notes": [
{
"category": "general",
"text": "getchar.c in Vim before 8.1.1365 and Neovim before 0.3.6 allows remote attackers to execute arbitrary OS commands via the :source! command in a modeline, as demonstrated by execute in Vim, and assert_fails or nvim_input in Neovim.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.0:neovim-0.3.7-lp151.2.7.1.x86_64",
"openSUSE Leap 15.0:neovim-lang-0.3.7-lp151.2.7.1.noarch",
"openSUSE Leap 15.1:neovim-0.3.7-lp151.2.7.1.x86_64",
"openSUSE Leap 15.1:neovim-lang-0.3.7-lp151.2.7.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2019-12735",
"url": "https://www.suse.com/security/cve/CVE-2019-12735"
},
{
"category": "external",
"summary": "SUSE Bug 1137443 for CVE-2019-12735",
"url": "https://bugzilla.suse.com/1137443"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.0:neovim-0.3.7-lp151.2.7.1.x86_64",
"openSUSE Leap 15.0:neovim-lang-0.3.7-lp151.2.7.1.noarch",
"openSUSE Leap 15.1:neovim-0.3.7-lp151.2.7.1.x86_64",
"openSUSE Leap 15.1:neovim-lang-0.3.7-lp151.2.7.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"openSUSE Leap 15.0:neovim-0.3.7-lp151.2.7.1.x86_64",
"openSUSE Leap 15.0:neovim-lang-0.3.7-lp151.2.7.1.noarch",
"openSUSE Leap 15.1:neovim-0.3.7-lp151.2.7.1.x86_64",
"openSUSE Leap 15.1:neovim-lang-0.3.7-lp151.2.7.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2019-07-21T05:34:50Z",
"details": "important"
}
],
"title": "CVE-2019-12735"
}
]
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.