Security update for neovim SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2019:1997-1 Final 1 1 2019-08-24T08:20:58Z current 2019-08-24T08:20:58Z 2019-08-24T08:20:58Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for neovim This update for neovim fixes the following issues: neovim was updated to version 0.3.7: * CVE-2019-12735: source should check sandbox (boo#1137443) * genappimage.sh: migrate to linuxdeploy Version Update to version 0.3.5: * options: properly reset directories on 'autochdir' * Remove MSVC optimization workaround for SHM_ALL * Make SHM_ALL to a variable instead of a compound literal #define * doc: mention 'pynvim' module rename * screen: don't crash when drawing popupmenu with 'rightleft' option * look-behind match may use the wrong line number * :terminal : set topline based on window height * :recover : Fix crash on non-existent *.swp Version Update to version 0.3.4: * test: add tests for conceal cursor movement * display: unify ursorline and concealcursor redraw logic Version Update to version 0.3.3: * health/provider: Check for available pynvim when neovim mod is missing * python#CheckForModule: Use the given module string instead of hard-coding pynvim * (health.provider)/python: Import the neovim, rather than pynvim, module * TUI: Konsole DECSCUSR fixup Version Update to version 0.3.2:- * Features - clipboard: support Custom VimL functions (#9304) - win/TUI: improve terminal/console support (#9401) - startup: Use $XDG_CONFIG_DIRS/nvim/sysinit.vim if exists (#9077) - support mapping in more places (#9299) - diff/highlight: show underline for low-priority CursorLine (#9028) - signs: Add 'nuhml' argument (#9113) - clipboard: support Wayland (#9230) - TUI: add support for undercurl and underline color (#9052) - man.vim: soft (dynamic) wrap (#9023) * API - API: implement object namespaces (#6920) - API: implement nvim_win_set_buf() (#9100) - API: virtual text annotations (nvim_buf_set_virtual_text) (#8180) - API: add nvim_buf_is_loaded() (#8660) - API: nvm_buf_get_offset_for_line (#8221) - API/UI: ext_newgrid, ext_histate (#8221) * UI - TUI: use BCE again more often (smoother resize) (#8806) - screen: add missing status redraw when redraw_later(CLEAR) was used (#9315) - TUI: clip invalid regions on resize (#8779) - TUI: improvements for scrolling and clearing (#9193) - TUI: disable clearing almost everywhere (#9143) - TUI: always use safe cursor movement after resize (#9079) - ui_options: also send when starting or from OptionSet (#9211) - TUI: Avoid reset_color_cursor_color in old VTE (#9191) - Don't erase screen on :hi Normal during startup (#9021) - TUI: Hint wrapped lines to terminals (#8915) * FIXES - RPC: turn errors from async calls into notifications - TUI: Restore terminal title via 'title stacking' (#9407) - genappimage: Unset $ARGV0 at invocation (#9376) - TUI: Konsole 18.07.70 supports DECSCUSR (#9364) - provider: improve error message (#9344) - runtime/syntax: Fix highlighting of autogroup contents (#9328) - VimL/confirm(): Show dialog even if :silent (#9297) - clipboard: prefer xclip (#9302) - provider/nodejs: fix npm, yarn detection - channel: avoid buffering output when only terminal is active (#9218) - ruby: detect rbenv shims for other versions (#8733) - third party/unibilium: Fix parsing of extended capabilitiy entries (#9123) - jobstart(): Fix hang on non-executable cwd (#9204) - provide/nodejs: Simultaneously query npm and yarn (#9054) - undo: Fix infinite loop if undo_read_byte returns EOF (#2880) - 'swapfile: always show dialog' (#9034) - Add to the system-wide configuration file extension of runtimepath by /usr/share/vim/site, so that neovim uses other Vim plugins installed from packages. - Add /usr/share/vim/site tree of directories to be owned by neovim as well. This update was imported from the openSUSE:Leap:15.1:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2019-1997 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/O5Q6ECCW6N3P3VMFMCNJL5AQBTRSD4AI/#O5Q6ECCW6N3P3VMFMCNJL5AQBTRSD4AI E-Mail link for openSUSE-SU-2019:1997-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1137443 SUSE Bug 1137443 https://www.suse.com/security/cve/CVE-2019-12735/ SUSE CVE CVE-2019-12735 page SUSE Package Hub 15 SP1 neovim-0.3.7-bp151.3.3.1 neovim-lang-0.3.7-bp151.3.3.1 neovim-0.3.7-bp151.3.3.1 as a component of SUSE Package Hub 15 SP1 neovim-lang-0.3.7-bp151.3.3.1 as a component of SUSE Package Hub 15 SP1 getchar.c in Vim before 8.1.1365 and Neovim before 0.3.6 allows remote attackers to execute arbitrary OS commands via the :source! command in a modeline, as demonstrated by execute in Vim, and assert_fails or nvim_input in Neovim. CVE-2019-12735 SUSE Package Hub 15 SP1:neovim-0.3.7-bp151.3.3.1 SUSE Package Hub 15 SP1:neovim-lang-0.3.7-bp151.3.3.1 important 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/O5Q6ECCW6N3P3VMFMCNJL5AQBTRSD4AI/#O5Q6ECCW6N3P3VMFMCNJL5AQBTRSD4AI https://www.suse.com/security/cve/CVE-2019-12735.html CVE-2019-12735 https://bugzilla.suse.com/1137443 SUSE Bug 1137443