Git for Windows ships with vulnerable Vim #2232

Closed
1 task done
beevvy opened this issue Jun 14, 2019 · 3 comments

@beevvy

beevvy commented Jun 14, 2019

  • I was not able to find an open or closed issue matching what I'm seeing

Setup

  • Which version of Git for Windows are you using? Is it 32-bit or 64-bit?
$ git --version --build-options
git version 2.22.0.windows.1
cpu: x86_64
built from commit: d003d728ffa6c0006da875ec6318d3f6b28a4ddb
sizeof-long: 4
sizeof-size_t: 8
  • Which version of Windows are you running? Vista, 7, 8, 10? Is it 32-bit or 64-bit?
$ cmd.exe /c ver

Microsoft Windows [Version 10.0.18362.175]
  • What options did you set as part of the installation? Or did you choose the
    defaults?
# One of the following:
> type "C:\Program Files\Git\etc\install-options.txt"
> type "C:\Program Files (x86)\Git\etc\install-options.txt"
> type "%USERPROFILE%\AppData\Local\Programs\Git\etc\install-options.txt"
$ cat /etc/install-options.txt
Editor Option: VIM
Custom Editor Path:
Path Option: CmdTools
SSH Option: OpenSSH
CURL Option: WinSSL
CRLF Option: CRLFAlways
Bash Terminal Option: MinTTY
Performance Tweaks FSCache: Enabled
Use Credential Manager: Enabled
Enable Symlinks: Disabled
Enable Builtin Interactive Add: Disabled

Details

Git for Windows ships with Vim 8.1.1234, which is vulnerable to arbitrary code execution via CVE-2019-12735. See https://github.com/numirias/security/blob/master/doc/2019-06-04_ace-vim-neovim.md

It should be updated to 8.1.1365 or newer.
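
A quick check for the condition reported above, as an added example that is not part of the original issue or of Git for Windows: it parses `vim --version` output and reports whether the Vim on `PATH` is older than 8.1.1365. The function names and the sample banner are constructed for illustration, and the highest listed patch number is assumed to be the patch level.

```shell
#!/bin/sh
# Added example. 8.1.1365 is the fixed version named in the issue.
FIXED_MAJOR=8; FIXED_MINOR=1; FIXED_PATCH=1365

# Read `vim --version` text on stdin and print "MAJOR MINOR PATCH".
# Exits non-zero when no Vim banner line is found.
vim_version_triplet() {
    awk '
        /^VIM - Vi IMproved [0-9]+\.[0-9]+/ { split($5, v, "."); major = v[1]; minor = v[2] }
        /^Included patches:/ {
            # May list ranges ("1-1234" or "1-5, 7-1234"); assumption: highest number = patch level.
            line = $0; sub(/^Included patches:/, "", line)
            n = split(line, parts, /[^0-9]+/)
            for (i = 1; i <= n; i++) if (parts[i] + 0 > patch) patch = parts[i] + 0
        }
        END { if (major == "") exit 1; print major, minor, patch + 0 }
    '
}

# Return 0 if stdin describes Vim >= 8.1.1365, 1 if older, 2 if unparseable.
vim_is_patched() {
    triplet=$(vim_version_triplet) || return 2
    set -- $triplet    # intentional word splitting into $1 $2 $3
    if [ "$1" -ne "$FIXED_MAJOR" ]; then [ "$1" -gt "$FIXED_MAJOR" ]; return $?; fi
    if [ "$2" -ne "$FIXED_MINOR" ]; then [ "$2" -gt "$FIXED_MINOR" ]; return $?; fi
    [ "$3" -ge "$FIXED_PATCH" ]
}

# Constructed sample: banner lines for the build named in the issue (compile date is made up).
sample_vulnerable() {
    printf '%s\n' 'VIM - Vi IMproved 8.1 (2018 May 18, compiled Apr 30 2019 12:00:00)' \
                  'Included patches: 1-1234'
}

# Check whichever vim is first on PATH (in Git Bash, the bundled one).
check_installed_vim() {
    command -v vim >/dev/null 2>&1 || { echo "vim not found on PATH"; return 0; }
    rc=0; vim --version | vim_is_patched || rc=$?
    case $rc in
        0) echo "OK: Vim is 8.1.1365 or newer" ;;
        1) echo "VULNERABLE: Vim is older than 8.1.1365 (CVE-2019-12735)" ;;
        *) echo "UNKNOWN: could not parse 'vim --version' output" ;;
    esac
}
check_installed_vim
```

Run it from Git Bash so that `vim` resolves to the copy shipped with Git for Windows.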

@PhilipOakley

PR?
(i.e. it would be a great help if you could provide a Pull Request to update the packaging manifest in build-extra, as per previous updates of included packages)

dscho added a commit to dscho/MSYS2-packages that referenced this issue Jun 17, 2019
We haven't updated quite in a while, and it would appear that our
current VIM is susceptible to CVE-2019-12735 (reported via
git-for-windows/git#2232).

So let's just update to the latest version and get all kinds of
fixes/features.

Signed-off-by: Johannes Schindelin <[email protected]>
@dscho
Member

dscho commented Jun 17, 2019

The MSYS2 maintainer indicated that they are busy with some Qt packages. If that takes too long, I'll probably bundle a Git for Windows-only version of the newest vim package.

Alexpux pushed a commit to msys2/MSYS2-packages that referenced this issue Jun 18, 2019
We haven't updated quite in a while, and it would appear that our
current VIM is susceptible to CVE-2019-12735 (reported via
git-for-windows/git#2232).

So let's just update to the latest version and get all kinds of
fixes/features.

Signed-off-by: Johannes Schindelin <[email protected]>
@dscho
Member

dscho commented Jul 4, 2019

The next version (and the next snapshot) will have this update.

@dscho dscho closed this as completed Jul 4, 2019
@dscho dscho added this to the v2.22.0(2) milestone Jul 4, 2019