numirias / security

Some of my security stuff and vulnerabilities. Nothing advanced. More to come.

Home Page: https://twitter.com/rawsec

can't reproduce on vim 8.1.0648-r1

g3ngr33n opened this issue · comments

Hello,

I'm trying the PoC on a vim 8.1.0648-r1 build but it doesn't work.

I'm not using vim and have barely any knowledge of this editor, but here is what I have checked so far:

By default :set modelines? shows nomodeline. I created a .vimrc with the following content

set modelines=1
set modeline

and ran it like

vim -u .vimrc

and then :set modelines? shows modeline. I saved the file poc.txt found in this repo and opened it with vim -u .vimrc poc.txt, but it didn't return a uname -a and instead displayed the content of the file.

vim --version

VIM - Vi IMproved 8.1 (2018 May 18, compiled May 10 2019 13:57:46)
Included patches: 1-648
Modified by Gentoo-8.1.0648-r1
Compiled by portage@localhost
Tiny version without GUI. Features included (+) or not (-):
+acl -extra_search -mouse_sgr -tcl
-arabic -farsi -mouse_sysmouse -termguicolors
+autocmd -file_in_path -mouse_urxvt -terminal
-autochdir -find_in_path -mouse_xterm +terminfo
-autoservername -float -multi_byte -termresponse
-balloon_eval -folding -multi_lang -textobjects
-balloon_eval_term -footer -mzscheme -textprop
-browse +fork() -netbeans_intg -timers
+builtin_terms -gettext -num64 -title
-byte_offset -hangul_input -packages -toolbar
-channel -iconv -path_extra -user_commands
-cindent -insert_expand -perl -vartabs
-clientserver -job -persistent_undo +vertsplit
-clipboard -jumplist -printer -virtualedit
-cmdline_compl -keymap -profile +visual
-cmdline_hist -lambda -python -visualextra
-cmdline_info -langmap -python3 -viminfo
-comments -libcall -quickfix +vreplace
-conceal -linebreak -reltime +wildignore
-cryptv -lispindent -rightleft -wildmenu
-cscope +listcmds -ruby +windows
+cursorbind -localmap +scrollbind +writebackup
-cursorshape -lua -signs -X11
-dialog -menu -smartindent -xfontset
-diff -mksession -startuptime -xim
-digraphs -modify_fname -statusline -xpm
-dnd -mouse -sun_workshop -xsmp
-ebcdic -mouse_dec -syntax -xterm_clipboard
-emacs_tags -mouse_gpm +tag_binary -xterm_save
-eval -mouse_jsbterm -tag_old_static
+ex_extra -mouse_netterm -tag_any_white
system vimrc file: "/etc/vim/vimrc"
user vimrc file: "$HOME/.vimrc"
2nd user vimrc file: "~/.vim/vimrc"
user exrc file: "$HOME/.exrc"
defaults file: "$VIMRUNTIME/defaults.vim"
fall-back for $VIM: "/usr/share/vim"
Compilation: x86_64-gentoo-linux-musl-gcc -c -I. -Iproto -DHAVE_CONFIG_H -O2 -pipe -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=1
Linking: x86_64-gentoo-linux-musl-gcc -Wl,-O1 -L/usr/local/lib -Wl,--as-needed -o vim -lm -lncurses -lelf

I suppose one of those features must be enabled in order to make the PoC work, but I haven't found yet which one...

Thanks

The vim tiny build is definitely too limited. For example, it's built without eval, which should also stop most plugins from working.

You should be successful building with the normal feature set (--with-features=normal).

That confirms what I thought; as I use the useflag minimal globally, this vulnerability didn't affect me.

Tried with QEMU Debian (creating the .vimrc...), it worked.

Thanks for the information and nice finding btw.
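The thread boils down to a build-time question: a Tiny build without +eval is not reachable by the PoC, a normal build is. The following shell script is an added example, not part of the issue or of the numirias repository; it parses the feature matrix that vim --version prints (the sample below is a trimmed copy of the output quoted above, plus a constructed "normal" sample) and reports whether a given build carries +eval, so an administrator can triage a fleet of vim binaries before deciding whether modelines need to be disabled.

```shell
#!/bin/sh
# Added example (not from the issue thread). Usage on a real binary:
#   vim --version > out.txt; modeline_risk "$(cat out.txt)"

# vim_feature OUTPUT NAME -> prints "+" if NAME is compiled in, "-" if it is
# compiled out, "?" if the feature matrix does not list it at all.
vim_feature() {
    printf '%s\n' "$1" | awk -v name="$2" '
        BEGIN { found = "?" }
        {
            for (i = 1; i <= NF; i++) {
                c = substr($i, 1, 1)            # leading "+" or "-"
                if ((c == "+" || c == "-") && substr($i, 2) == name) {
                    found = c; exit               # exit jumps to END
                }
            }
        }
        END { print found }'
}

# modeline_risk OUTPUT -> "reduced" when the build lacks +eval (the Tiny build
# in the issue), "exposed" when +eval is present, "unknown" when unparseable.
# An exposed build should keep `set nomodeline` in its vimrc, as the
# reporter's default configuration already did.
modeline_risk() {
    case "$(vim_feature "$1" eval)" in
        +) echo exposed ;;
        -) echo reduced ;;
        *) echo unknown ;;
    esac
}

# Trimmed copy of the Tiny build output quoted in the issue.
SAMPLE_TINY='VIM - Vi IMproved 8.1 (2018 May 18, compiled May 10 2019 13:57:46)
Tiny version without GUI. Features included (+) or not (-):
+autocmd -file_in_path -mouse_xterm +terminfo
-eval -mouse_jsbterm -tag_old_static
+ex_extra -mouse_netterm -tag_any_white'

# Constructed sample standing in for a normal-feature build (assumption).
SAMPLE_NORMAL='Normal version without GUI. Features included (+) or not (-):
+eval -python3 +autocmd'

printf 'tiny:   eval=%s risk=%s\n' "$(vim_feature "$SAMPLE_TINY" eval)" "$(modeline_risk "$SAMPLE_TINY")"
printf 'normal: eval=%s risk=%s\n' "$(vim_feature "$SAMPLE_NORMAL" eval)" "$(modeline_risk "$SAMPLE_NORMAL")"
```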