Vim and Neovim have a huge vulnerability

see A hacker can use a specially-crafted .txt file. When you open it in vim or neovim, it will allow him to get remote shell access to your system.

just use vs-code then lol

votes so far: vim: 1 neovim: 1 emacs with vim extension: 1

>just opening an innocent looking specially crafted file
so I have to download the file first lol

just use nano bro
it doesn't have this problem

this.
I can't see how this would be an issue otherwise

What is that sexy font, user?

Nano isn't faster or more capable so why use it?

Megrim Medium

Why would I have modelines on when reading a random file from the internet anyway? Why would I have them on at all?

Literally the notepad.exe of *nix

Because you didn’t turn them off?

Suckless version of vi when?
Fuck extensibility, if I need more features I'll patch the code myself and recompile.

only windows fags use .txt

so you're agreeing with him

Waaaaahahahahahahah

>Requires me to open the file
Jesus, talk about over-blowing shit. Just fucking install the patch, and nobody is going to be affected.
Did you know that /bin/sh can allow remote attackers to arbitrarily execute commands on your system?

Attached: 1374574508775.jpg (499x500, 29K)

When you open a file in a text editor, you expect it to read or write and not execute something unless explicitly told so.
But I do agree, just update and nobody bats an eye.

this

>Ok guise, what modal editor will you use now?
Emacs with evil.

Sure, but my point is that this is one of the least critical kinds of security issues.
It's barely worth batting an eye about.

Hell no

>>>>>>>>>>>>>>>>>>your Linux operating system

An oversight when dealing with modelines.

That's what you get for using Software written in C.

>t. pajeet
Sorry I deal with professional customers meaning there is no way for me to use closed source telemetry infected editors that are walled gardens (compare license and telemetry statement from github code to binary and even if you compile from source you have to change code to make it foss, vscodium is not foss either).

Either use Emacs Evil or shut up.

it comes off by default in all the major distros.

This has nothing to do with C you fucking retard.
This is a parsing error since it isn't easy to sanitize the modeline. Rust, Ada, Pascal, etc. don't prevent you from making parsing errors.
Seriously, just shut the fuck up. You Rustbabbies have no idea what you're talking about.

this

>LOONIXFAGS BTFO

Attached: nanami-madobe-930x523.jpg (620x348, 44K)

Go home Dark Duck. You're drunk.

Attached: artbsod.jpg (620x465, 71K)

Fucking smoothbrains

*laughs in emacs*

Old

Good thing my text files are all .fag

>article is from yesterday
New

a
/bin/ed
.
wq

line editors can be comfy. I don’t have the levels of unparalleled autism needed to become proficient in them, but they’re not as much of a meme as you might think from the “standard text editor” pasta.
sanctum.geek.nz/arabesque/actually-using-ed/

vscode is open source tard

>just opening an innocent looking specially crafted file using Vim or Neovim could allow attackers to secretly execute commands on your Linux system and take remote control over it.

I don't open random files.
I don't download random files.

Attached: animu.png (149x148, 58K)

Fairly certain they don’t have to be literally .txt in the file name

Current votes: 11 vim, 6 emacs, 5 neovim, 3 other, 1 vi, 0 IDE

>Update vim and hopefully get patched?
You don't need to, just
set nomodeline
in .vimrc

>remote code execution by opening a plain text file
>least critical kind of security issues
Are you people just pretending to be retarded? It hardly gets worse than this.

Security concerns with modeline have been known about for a long time, which is why many distributions already disable it by default even in older versions of vim.

Try
:set modeline?
in vim, if it says "nomodeline" then modelines are disabled.

But muh key commands unironically. Do not want to learn using the CTRL and ALT keys. All you have to do in Vim is be in command mode to do stuff

And it still has Microsoft telemetry and other stuff. The truly free fork is VScodium.

>It hardly gets worse than this.
Until you install the patch 30 seconds later. Then it doesn't matter.

You don't "just install the patch" - most Linux distros probably haven't fixed it yet, I know Ubuntu hasn't (still on 8.1.320), Windows obviously gets no official new binary build for god knows how long. Then there's all the machines that aren't under active maintenance or where the users are unaware of this bug. All it requires is one of those people opening a text file.

Face it, it's a disgrace on Vim's part for still keeping that feature on by default.

>most Linux distros probably haven't fixed it yet
Most GNU/Linux distros had already fixed it within 9 minutes of the article being posted. Sop being a faggot.

yes you do actually literally just install the patch directly from git

That's untrue simply because of the fact that Canonical refuses to keep its Vim package up-to-date. They've consistently had an ancient version of it and it still hasn't updated.

You have to re-build it and bypass your distro's package manager to do that. That's not something normal people will do, especially when you can simply disable modelines altogether and prevent any future issues.

>I know Ubuntu hasn't
Debian and Ubuntu are among the distros mentioned in that disable modeline by default in the vim you get from their repos.

normal people aren't using linux or vim.
or just literally copy and paste the commits and rebuild it. bypassing the manager is not an issue if all you're doing is editing source.

That doesn't help if you run with -u NONE or use a custom vimrc.

It looks like Ubuntu only just got a fixed version released, doesn't even show up on packages.ubuntu.com yet. And they still didn't include the newest patches, just their own fix.

Anybody with an old Linux box editing a text file using Vim will get affected by this bug. I don't see what you're arguing here, it's a major security problem caused by carelessness on Vim's part on this issue.

>That's not something normal people will do
is what you said

>That doesn't help if you run with -u NONE or use a custom vimrc.
It's disabled BY DEFAULT, not via some default .vimrc, so unless you explicitly add
set modeline
to your custom .vimrc, it will be off, including when you run with -u NONE.

On ubuntu 19.04
$ vim --version|head -n 1
VIM - Vi IMproved 8.1 (2018 May 18, compiled Nov 03 2018 00:15:14)
$ vim -u NONE
:set nocompatible
:set modeline?

returns modeline

I'm opening vim as we speak
is this really dangerous? seems pretty over blown by me. Just don't open any shady .txt files you find on the interwebs.

yessss:(

The set nocompatible command is what is enabling it here.

If you can't even examine a text file freely without fear of getting infected by a rootkit, then what _can_ you safely do on your computer? How do you know what a text file even is if you can't trust your tools to view it?

Yes, it's the first thing I set when I use not-my-vim. The vi compatibility is a terrible misfeature when I specifically asked for Vim and not Vi.

openssh also has a similar vulnerability

>i want my text editor to suck dicks too fuck text editing who cares about that
Well well.

This. Sure, you could say just examine the files first with other tools, but you don't have to do that with some other editors that don't have this bug.