From: Adam Weinberger
Date: Sat, 15 Jun 2019 09:41:24 -0600
Subject: Re: svn commit: r504132 - head/security/vuxml
To: Alexey Dokuchaev
Cc: Adam Weinberger, ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
In-Reply-To: <20190615151247.GA24087@FreeBSD.org>

On Sat, Jun 15, 2019 at 9:12 AM Alexey Dokuchaev wrote:
>
> On Thu, Jun 13, 2019 at 06:41:56PM +0000, Adam Weinberger wrote:
> > New Revision: 504132
> > URL: https://svnweb.freebsd.org/changeset/ports/504132
> >
> > Log:
> >   Add entry for Vim/NeoVim arbitrary code execution
> >
> > Modified:
> >   head/security/vuxml/vuln.xml
>
> Do we package Vim/NeoVim with modelines enabled by default?
>
> I've seen people say that in some distributions, default packages were not
> affected because their maintainers deliberately disable modelines, e.g. in
> Debian from 2007:
>
>   * debian/runtime/debian.vim.in
>     - set 'nomodeline' by default since modelines have historically been a
>       source of security/resource vulnerabilities. Users should have to
>       explicitly enable the option to assume the associated risks.
>
> Also, from Gentoo's /etc/vim/vimrc:
>
>   We don't allow modelines by default. See bug #14088 and bug #73715.
>   basis by adding "set modeline" to your ~/.vimrc file.
>
> This sounds like a good idea. Actually, any similar feature that allows
> executing something based on user input should be disabled by default, because
> these things are very hard to get right (unless you're Daniel Bernstein).

Their default packages ARE affected.
If your car explodes in 6th gear, you can't say your car isn't affected because it starts up in first. Whether they're enabled or disabled by default, the package is still vulnerable.

# Adam

--
Adam Weinberger
adamw@adamw.org // adamw@FreeBSD.org
https://www.adamw.org
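As an added example that is not part of this thread or of the Vim/FreeBSD projects: the Debian and Gentoo defaults quoted above only decide the starting state, and a user's own vimrc is applied afterwards, so an admin auditing exposure wants the effective state after all layers. The Python below resolves `modeline`/`modelines` from vimrc contents applied in Vim's order; the sample configs are constructed, and only plain `set` lines are interpreted (no `let`, autocommands or sourced files).

```python
import re

# Vim's documented defaults: 'modeline' on (off when running as root) and
# 'modelines' (mls) = 5, the number of lines checked at the top and bottom.
DEFAULT_STATE = {"modeline": True, "modelines": 5}

# Constructed sample configs; lines starting with a double quote are comments.
SYSTEM_VIMRC = '''
" We don't allow modelines by default.
set nomodeline
set mls=0
'''
USER_VIMRC = '''
set ts=4 modeline   " user re-enables it; 'ts' is unrelated
set mls=3
'''

_SET_RE = re.compile(r"^\s*:?se(?:t)?\s+(.*)$")   # `set ...` or `se ...`

def apply_set_args(state, args):
    """Apply one `set` argument list to state, honouring no/inv/!/= forms."""
    for tok in args.split():
        if tok.startswith('"'):          # rest of the line is a comment
            break
        if "=" in tok:                   # numeric option, e.g. mls=0
            name, val = tok.split("=", 1)
            if name in ("modelines", "mls") and val.isdigit():
                state["modelines"] = int(val)
            continue
        toggle = tok.endswith("!") or tok.startswith("inv")
        name = tok.rstrip("!")
        name = name[3:] if name.startswith("inv") else name
        off = name.startswith("no")
        name = name[2:] if off else name
        if name in ("modeline", "ml"):
            state["modeline"] = (not state["modeline"]) if toggle else (not off)
    return state

def effective_modeline(configs, root=False):
    """Return (enabled, lines_checked) after applying configs in order.
    Either 'nomodeline' or 'modelines=0' disables modeline processing."""
    state = dict(DEFAULT_STATE)
    state["modeline"] = not root        # Vim's default is off for root
    for text in configs:                # system vimrc first, then the user's
        for line in text.splitlines():
            m = _SET_RE.match(line)
            if m:
                apply_set_args(state, m.group(1))
    return state["modeline"] and state["modelines"] > 0, state["modelines"]
```

With only the system file applied the result is `(False, 0)`; once the user file is layered on top it becomes `(True, 3)`, which is the point of the reply: the shipped default does not determine whether the installed package is exploitable.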