Debian Security Advisory

DSA-4467-1 vim -- security update

Date Reported:
18 Jun 2019
Affected Packages:
Security database references:
In Mitre's CVE dictionary: CVE-2019-12735.
More information:

User Arminius discovered a vulnerability in Vim, an enhanced version of the standard UNIX editor Vi (Vi IMproved). The Common vulnerabilities and exposures project identifies the following problem:

Editors typically provide a way to embed editor configuration commands (aka modelines) which are executed once a file is opened, while harmful commands are filtered by a sandbox mechanism. It was discovered that the source command (used to include and execute another file) was not filtered, allowing shell command execution with a carefully crafted file opened in Vim.

For the stable distribution (stretch), this problem has been fixed in version 2:8.0.0197-4+deb9u2.

We recommend that you upgrade your vim packages.

For the detailed security status of vim please refer to its security tracker page at: